Producent zabezpieczeń sieciowych Fortinet udostępnił wersję FortiOS 7.4.12, która koncentruje się na poprawie stabilności i bezpieczeństwa systemu poprzez usunięcie szeregu błędów wpływających na działanie urządzeń. Aktualizacja rozwiązuje między innymi problemy z wysokim użyciem CPU w mechanizmie IPS, błędy powodujące zakłócenia działania tuneli IPsec VPN oraz podatność umożliwiającą pomijanie inspekcji ruchu w trybie NGFW policy-based mode. Szczegółowe informację znajdują sie poniżej w dokumentacji producenta.

Nowe funkcjonalności:

Security Fabric

See Security Fabric in the New Features Guide for more information.

Feature ID	Description
1250003	Introduces a new default automation stitch (Firmware Upgrade Complete), a new automation trigger (Auto Firmware Upgrade Complete), and a new automation action (Auto Upgrade Complete Email Notification); additionally, the firmwareupgrade email notification has been improved for greater clarity, and the previous default automation stitch (Firmware Upgrade Notification) has been disabled.

System

See System in the New Features Guide for more information.

Feature ID	Description
1127168	FortiGate now lets users dismiss specific firmware upgrade prompts for extension devices, reducing unnecessary notifications. Upgrade logs have been improved with distinct IDs to differentiate auto-upgrades from manual ones, and email alerts now include detailed status updates. Additionally, after disabling auto-upgrade and updating, the login GUI prompts users to manually confirm their auto-upgrade preference.
1256067	The FortiGate FortiGuard communication protocol (FCPC) is enhanced to accept a new ForcedUpdate flag as well as the major.minor.patch-build versioning from the FortiGate. When a FortiGate observes its firmware license is invalid, it will send FortiGuard a firmware upgrade message with the ForcedUpdate flag and its versioning. In turn, FortiGuard server will ignore license check for that device and parse its firmware version. If the major and minor version on the upgrade-from and upgrade-to firmware are the same, the upgrade will be allowed. Furthermore, logs, notifications, and automation stitches are improved to provide clearer indication of auto-upgrade and required-upgrade within its messaging.

Rozwiązane problemy:

Application Control

Bug ID	Description
1156066	Communication breaks when application control is used in policy over EMAC VLAN interfaces
1260248	Protocol Enforcement fails to block DNS over TCP traffic when non-DNS TCP traffic uses port 53

DNS Filter

Bug ID	Description
1243152	Incorrect client and server cookies are returned for cached DNS entries when conditional forwarding with EDNS cookies is configured
1254680	DNS-over-TLS fails when configured on FortiGate 201E with FortiOS 7.4.10

Explicit Proxy

Bug ID	Description
1076355	An error condition in WAD occurs when handling multiple responses from an upstream server
1247518	HTTP 303 Redirect Loop occurs when accessing websites with SWG SSO connection
1257127	Unexpected behavior in explicit proxy occurs when video filter is enabled and there are multiple requests to the same video ID
1272260	An error condition in WAD occurs when handling server responses with 100 Continue and 200 OK status codes.
1279480	CPU usage issues caused by SAML authentication with SWG and a large number of users

File Filter

Bug ID	Description
1219051	MSI files are not blocked when downloaded in flow mode

Firewall

Bug ID	Description
1157120	Traffic failure occurs when GRE pass-through has a tunnel key set to zero during offload.
1240706	In NGFW policy-based mode, traffic may be bypassed when the IPS engine is not running such as when FortiGate first boots up, the IPS engine is upgrading or when it is manually stopped with debug commands
1256278	Packet loss occurs when asic-offloading is enabled on FortiGate

FortiGate 6000/7000 Platform

Bug ID	Description
1253034	VLAN interface counters show zero Receive/Transmit Bytes and Packets when fastpath is disabled
1272827	Traffic forwarding fails when FGT7081F Primary FPM does not send GARP to connected switch after HA failover.

GUI

Bug ID	Description
793029	Unexpected behavior occurs on some FortiGate models when a FortiClient lacks a required MAC address attribute.
1191076	Interface bandwidth data is not displayed when LAG is upgraded from 2x40G to 2x100G ports
1249169	Incorrect Japanese translation occurs when prompted for one-time upgrade when critical vulnerability detected
1249302	An error condition in Node.JS occurs when handling undefined properties.
1251014	Incorrect interface stats occur when master FIM miscalculates bandwidth and throughput on SLBC platforms
1278206	HTTPS GUI access fails when using a Low Encryption license after upgrading to FortiOS 7.4.11

HA

Bug ID	Description
1165361	CPU usage issues observed during HA led optimization with child process forking
1216459	Verification failure occurs when BIOS security level is set to High during HA image upgrade
1220647	RX drops occur on HA1 and HA2 ports when upgrading the i40e driver
1221816	Network instability when FIM is rebooted on primary after failover using 'diag sys ha reset-uptime’.
1235313	Traffic disruption occurs when a large number of firewall policies are installed after a failover during an upgrade in a FortiGate cluster
1237317	No Rx packets occur when unicast-hb is enabled on FortiGate-VM64 with SRIOV.
1240288	Packets are sent using the cluster MAC address by the secondary cluster member after failover
1271901	Authentication issues occur when Azure SDN connectors reuse incorrect tenant tokens after HA failover
1274545	Both nodes respond to ARP requests when the HA table is edited in config sys ha.
1275737	License Status: Warning occurs when root VDOM is active on the primary in a FortiGate-VM HA A/P cluster with VDOMs and virtual clustering enabled.

HyperScale

Bug ID	Description
1245165	ICMPv6 type 2 packets are dropped when SIP ALG and Hyperscale are activated

IPsec VPN

Bug ID	Description
1201212	Reply traffic is dropped when anti-spoof check fails
1209759	IKEv2 connection fails with „gw validation failed” error when the peer’s ASN1DN ID contains multiple OU fields
1211532	Traffic drop occurs when anti-spoof check fails due to mismatched source IP and selector range in IPsec VPN
1218530	Error condition occurs when using Duo Proxy LDAP application with MFA
1229448	IKEv2 peer selection fails when using AES256GCM-PRFSHAxxx encryption proposal.
1246635	IPsec tunnel disruption occurs when Phase-2 rekey completes with incorrect CHILD-SA deletion.
1257646	High CPU usage occurs when using IPsec over TCP and receiving an RST packet
1264833	SAML IPSEC VPN connection fails when connected to a WiFi network via Tunnel SSID

Intrusion Prevention

Bug ID	Description
983372	An error condition in IPS engine occurs when accessing safebrowsing.google.com
1157469	Disabling nTurbo acceleration causes traffic outage for existing sessions due to sessions not being marked as dirty
1197659	An error condition in IPS engine occurs when processing HTTP traffic
1249177	High CPU usage occurs when IPSEngine scans SMB traffic
1259235	An error condition in ipsengine occurs during upgrade to 7.4.11
1269354	An error condition in IPS engine occurs when handling unusual TLS 1.3 stacks.
1273729	Error condition in IPS occurs when handling high volumes of application traffic through FortiGate

Log and Report

Bug ID	Description
1240481	IPS log-packet files are not cleaned up when retention time exceeds maximum-log-age
1266492	Secondary unit logs are not received by FortiAnalyzer Cloud when running FortiOS 7.4.9 and above in a FortiGate HA cluster
1272019	An error condition occurs in the GeoIP database during updates

Proxy

Bug ID	Description
1171499	Certificate chain is not sent during SSL inspection after upgrade.
1189141	An error condition in WAD occurs when handling large query responses.
1233546	Intermittent email updates occur when Inline IPS is enabled
1245569	Empty response occurs when pageSize exceeds 105 in FortiGate HTTPS Virtual Server
1257158	An error condition in WAD occurs during Proxy WF SSL stress tests

Routing

Bug ID	Description
1151848	IPv6 BGP flap occurs when FortiGate FGSP cluster connects to Dell Sonic
1243609	Route flapping occurs when external routes are redistributed into BGP

SD-WAN

Bug ID	Description
1203917	SD-WAN interface status becomes Unknown when Health Check SLA is good

SSL-VPN

Bug ID	Description
1214345	High memory usage occurs when multiple VDOMs are configured with SSLVPN.
1216477	Blocked IP addresses are cleared when login-block-time is not reached in multiple VDOMs with different login-block-time settings.
1240901	PCI scan fails when using HTTP/1.0 on the SSLVPN port
1241533	An error condition in sslvpnd occurs when handling firewall policy schedules during peer user authentication.
1272207	Authentication failure occurs when username and OTP are concatenated during SSLVPN login on FortiOS 7.4.11

Security Fabric

Bug ID	Description
1076439	Security fabric Asset Identity Center shows „Failed to load user device store data”
1210303	APIC device overload occurs when FortiGate logs in multiple times without proper logout.

Switch Controller

Bug ID	Description
1232304	FortiSwitches go offline when upgrading FortiGate from 7.2.10 to 7.4.x
1239751	FortiSwitches go offline when upgrading FortiGate from 7.2.10 to 7.4.x
1269920	Firmware download failure occurs when FortiGate makes API calls to FDS.

System

Bug ID	Description
1107623	A warning occurs during disk scan when executing a factory reset
1138155	DNS(TCP853) fails until idle timeout when link monitor failover occurs in dual internet connection
1157402	Modem disconnects occur when using Verizon SIM with a strong signal
1160683	Windows Wi-Fi clients unable to obtain DHCP IP due to dropped fragmented CAPWAP packets on virtual switch interface.
1167271	Link LEDs on FortiGate 401F are lit when no cables are attached.
1170933	MTU inconsistency occurs when creating a new LACP interface without a member interface and then adding a member interface later.
1179827	Hardware switch configuration limitations occur when adding Wan1 and Wan2 on FortiGate
1197529	Unable to free memory local user authentication until fnbamd restarted
1198350	MTU inconsistency occurs when using redundant interface with Jumbo MTU
1211374	High memory usage occurs when HTTP2 is enabled on the firewall VIP and the real server only supports HTTP1.1.
1211873	Device connection state is not updated when connected to FortiGate integrated hardware switch on platforms with no logdisk.
1214384	Unexpected behavior in FortiGate occurs when processing IPv6 traffic with invalid destination entries.
1214950	Batch mode configuration of system admin is allowed without specifying admin credentials
1215120	BLE light blinks blue when FortiGate is set up with FortiZTP without CLI login
1217366	Port speed mismatch occurs when setting speed to 1000MB on port1~port8
1217924	Packet size issues occur when 802.1AD interface is based on a LACP interface with MTU set to 9216.
1229804	Unexpected behavior occurs in the system when handling ICMPv6 host unreachable error messages after IPv6 neighbor entry expires
1232383	Unexpected behavior in the kernel occurs when running stressful multicast traffic through VXLAN in switch interface
1239336	Central management configuration issues occur when using FortiGate GUI for Forticare registration
1244037	Limited speed options occur on 1G RJ45 ports of FortiGate 200F and 201F.
1246914	Unexpected behavior in the kernel occurs when forwarding ICMP error messages from NAF devices
1254396	BLE LED continuously blinks Light Blue when using FortiZTP setup without CLI login
1255091	Bluetooth remains active when configured with FortiZTP without CLI login
1260308	High memory usage occurs when SYN FLOOD attack behavior is detected
1263001	IPsec dial-up instability occurs over WWAN interface on FortiGate 51G after upgrading from 7.4.9 to 7.4.11
1264495	Throughput drops to 0 during netperf testing on FGT200G and FGT201G.
1265180	Memory usage issues caused by logging on FortiCarrier-4400F
1267635	An error condition occurs in the system during disk scan execution
1268947	High CPU usage occurs when creating or editing a VLAN interface via the web UI

Upgrade

Bug ID	Description
1135049	An error condition in ips_load_json_gzfile occurs during FortiOS same image upgrade
1252663	On FortiGate D-series devices running older BIOS versions, the serial number changes to FGT0000000000001 after upgrading to FortiOS 7.4.10,7.4.11,7.6.5,7.6.6.
1256067	Required automatic upgrade may not complete successfully when device is unlicensed or end-of-support.

User and Authentication

Bug ID	Description
1215197	An error condition in fnbamd occurs when downloading intermediate CAs through multiple AIA links
1218458	Hardware token activation fails when CMDB write permission is enforced.
1227685	An error condition in fnbamd occurs when FortiGate attempts to download intermediate CAs through multiple AIA links
1228793	Certificate auto-enrollment via CMPv2 fails when using an intermediate CA cert after upgrading
1237504	An error condition in fnbamd occurs when processing DNS responses with multiple IP addresses
1239951	Hardtoken activation fails when CMDB write permission is enforced
1244268	Fnbamd error when downloading intermediate CAs through multiple AIA links
1253914	TACACS+ accounting logs are not generated when setting up a connection to the Tacacs+Accounting server with per VDOM interfaces configured.
1257281	TLS negotiation fails when FortiGate initiates a connection to an OpenLDAP server over LDAPS with TLS 1.3 and PQC parameters.
1259154	Authentication failure occurs when certificate rotation happens on Standalone HA primary FortiGate

VM

Bug ID	Description
1041341	Error condition occurs when using vlink0 with HTTPS on FGT-VM-AZURE
1244347	FGT_VM64_AZURE failed trusted launch on Azure
1245936	FGT-VM failed to validate vm license from FortiManager with ipv6 address
1260183	License validation occurs when FortiGate is connected to FortiManager in an air-gapped AWS environment
1274753	License status warning occurs when secondary FortiGate validates VM License after upgrading to v7.4.11 or v7.4.10

VoIP

Bug ID	Description
1227757	Unexpected RTP stream closure occurs when provisional-invite-expiry-time is reached

Web Filter

Bug ID	Description
1214017	Memory usage issues occur when adding an external threat feed with a large number of similar patterns
1227049	YouTube channel main page cannot be blocked by channel filter when proxy-inline-ips is enabled
1232698	Antiphish fails to block usernames with ’.’ character when enabled.
1261505	Video Filter fails to effectively block videos after YouTube updated its API.
1268027	Video blocking issues occur when accessing YouTube from the main page with channel filters

WiFi Controller

Bug ID	Description
1213368	AP information is missing from forward traffic logs (of captive-portal SSID)
1232763	WiFi clients experience initial connectivty and packet-loss during roaming only on WPA2-Enterprise SSID with External RADIUS
1256821	The class attribute fails to restore when a Wi-Fi client roams between FortiGate access points using 802.11r.
1257588	WiFi clients experience random disconnections on WPA3-Enterprise SSID with External RADIUS
1265860	Reduced Wi-Fi throughput occurs when upgrading from FortiOS 7.4.8 to 7.4.9 or 7.4.10 on FortiGate FWF-50G

ZTNA

Bug ID	Description
1089157	An error condition in WAD occurs when adding a ztna-ems-tag to a proxy policy with an active ZTNA session

Notatki producenta: FortiOS 7.4.12

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

7.4.12 firewall Fortinet Fortinet FortiOS 7.4.12 FortiOS FortiOS 7.4.12 NGFW