B&B Bezpieczeństwo w biznesie

Fortinet has released the latest FortiOS update, version 7.4.4. The update improves how the system works in many key areas, eliminating numerous problems and improving security mechanisms and performance. The most important fixes include bugs affecting the creation of application control profiles through the GUI or CLI, a DNS filter issue that prevented web connectivity when NPU acceleration was enabled, and a problem with IPsec traffic loss on the SOC4 platform. Detailed information on the resolved issues follows.

Supported devices:

FortiGate: FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100F, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F
FortiWiFi: FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate VM: FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-XEN
FortiFirewall: FFW-1801F, FFW-2600F, FFW-3001F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM

Resolved issues:

Anti Virus

Bug ID Description
948197 Large file downloads may intermittently stall when flow-based UTM and SSL deep inspection are enabled.
977634 FortiOS High Security Alert block page reference URL is incorrect.
993785 When logged in as an administrator with Security Fabric access permissions set to none, trying to create a new antivirus profile on the Security Profiles > Antivirus page shows an error.

Application Control

Bug ID Description
934197 Selected applications will disappear after searching or filtering for other applications in override.
982147 Users cannot create application control profiles using the GUI or CLI.

Data Loss Prevention

Bug ID Description
977334 Users cannot download files more than 5MB in size using FPX when SSL deep inspection and DLP profiles are enabled.

DNS Filter

Bug ID Description
804790 SDNS server latency increases by 15 seconds when a request times out. This increase may give a perception that this server is unreachable or has a latency value that doesn’t reflect real-world conditions.
875072 The DNS filter prevents web connectivity with NPU acceleration.

Endpoint Control

Bug ID Description
937462 The Assets – FortiClient monitor widget still shows the online/register VPN entry even though the VPN tunnel is down.
979811 The ZTNA channel is not cleaned when overwriting old lls entries.
1007809 On FortiGate, anonpages and active(anon) pages frequently use a high amount of memory, causing FortiGate to enter into conserve mode.

Explicit Proxy

Bug ID Description
830418 Website content does not load properly when using an explicit proxy.
978473 Explicit proxy policy function issues when matching external-threat feed categories.
980752 Applications on the BOX cannot be started through proxy.
983897 Traffic that should not be matching a policy is incorrectly matching an allow policy or a deny policy.
1001700 If explicit webproxy uses SAML authentication and the PAC file is enabled at the same time, the browser will report a too many redirects error when trying to visit any websites.
1006362 Debug daemon may be blocked while handling client connection and increases the GUI load time.
1020976 Traffic is stuck going through a web proxy policy with NTLM authentication.
1021050 RSSO authentication connection fails in explicit proxy policy.

File Filter

Bug ID Description
1004198 .exe files in ZIP archives are not blocked by file-filter profiles during CIFS file transfers.

Firewall

Bug ID Description
921658 SD-WAN IPsec egress traffic shaping is not working when traffic offloading is enabled on an NP7 unit.
951422 Unable to download files larger than 30MB using FortiGate AWS with AV and IPS enabled in proxy mode.
958311 Firewall address list may show incorrect error for an unresolved FQDN address. This is purely a GUI display issue; the FQDN address can be resolved by the FortiGate and traffic can be matched.
966466 On an FG-3001F NP7 device, packet loss occurs even on local-in traffic.
969255 On the Policy & Objects > Services page, administrators with firewall read-write permission cannot delete service entries.
970179 Unrelated route changes will cause the existing session to be marked dirty.
972473 WAD crashes when using load balancing with SSL offloading.
973388 TCP state of a session was not updated properly.
976651 On the Policy & Objects > Firewall Policy page, adding a global threat feed to a policy displays an error message – Invalid entries – and is not available to select in the Source field.
976713 A Hello Retry Request message is not sent from the FortiGate during an SSL offload by config firewall ssl-server.
977641 In transparent mode, multicast packets are not forwarded through the bridge and are dropped.
979802 On the Policy & Objects > Firewall Policy page, changing a policy action hides the NAT toggle, IP pool configuration field, and Security Profiles field in the GUI.
981283 NAT64/46 HTTP virtual server does not work as expected in the policy.
981907 Global Search does not return results for a full or partial IP address search.
985057 The set holddown-interval command description in the CLI is incorrect.
985419 On the Policy & Objects > Firewall Policy page, the Log violation traffic checkbox displays as being unchecked when the policy is configured and reopened for editing. This is purely a GUI display issue and does not impact system operation.
987397 When creating or editing an entry on the Policy & Objects > Virtual IPs page in the GUI, if a subnet source filter is added after an IP range source filter in the Optional Filters section, an error message – Invalid source filter IP address/subnet/range – is shown and the settings cannot be saved.
996876 Adding IPv6 address group memberships to a policy using FortiGate REST API does not work as expected.
1008863 SNAT type port-block-allocation does not work as expected in NAT64.
1012239 When creating a new policy using the GUI in TP mode, NAT is automatically enabled.

FortiGate 6000 and 7000 platforms

Bug ID Description
638799 The DHCPv6 client does not work with vcluster2.
639064 On FortiGate 6000F models, there is no information on FPCs available for traffic matching the firewall policy with srcaddr-negate enabled.
787604 Transceiver information is unavailable for FPM/FIM2 ports in the GUI.
887946 UTM traffic is blocked by an FGSP configuration with asymmetric routing.
910883 The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM.
938475 On FortiGate 7000E models, a memory usage issue occurs when multiple threads try to access VLAN group.
940541 A permanent MAC address is used instead of an HA virtual MAC address during automation.
973407 FIM installed NPU session causes the SSE to get stuck.
978241 FortiGate does not honor worker port partition when SNATing connections using a fixed port range IP pool.
983236 Under normal conditions, a FortiGate 6000 or 7000 may generate event log messages due to a known issue with a feature added to FortiOS 7.2 and 7.4. The feature is designed to create event log messages for certain DP channel traffic issues but also generates event log messages when the DP processor detects traffic anomalies that are part of normal traffic processing. This causes the event log messages to detect false positives that don’t affect normal operation.

For example, DP channel 15 RX drop detected! messages can be created when a routine problem is detected with a packet that would normally cause the DP processor to drop the packet.

A similar discard message may also appear if the DP buffer is full.

994241 On FortiGate 7000F using FGSP and FGCP, when TCP traffic takes an asymmetric path, the TCP ACK and data packets might be dropped in NP7.
1003879 Incorrect SLBC traffic-related statistics may be displayed on the FortiGate 6000 or FortiGate 7000 GUI (for example, in dashboard widgets). This can occur if an FPC or FPM is not correctly registered for statistic collection during startup. This is purely a GUI display issue and does not impact system operation.
1013046 On FortiGate 6000 and 7000 models, interested traffic cannot trigger the IPsec tunnel.
1025926 After a firmware upgrade, the configuration does not synchronize because the sdn connector password is unmatched.

FortiView

Bug ID Description
941521 On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI.
945448 On the Asset Vulnerability Monitor page, filtering by FortiClient user does not show any results.
1009287 CPU usage issue caused by ending multiple sessions using the FortiView Sessions page.

GUI

Bug ID Description
848660 Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.
896008 The GUI-based CLI widget has display issues on wide resolution screens.
908670 A No language entry found for error message occurs when loading the GUI. This is purely a GUI display issue and does not impact system function.
931486 Unexpected behavior in httpsd when the user has a lot of FQDN addresses.
957441 On the Firmware & Registration page, the GUI displays a Cannot determine mkey for cmdb source entry. error message. This is purely a GUI display issue and does not impact system function.
961796 When administrator GUI access (HTTPS) is enabled on SD-WAN member interfaces, the GUI may not be accessible on the SD-WAN interface due to incorrect routing of the response packet.
961797 In a new page layout, changes made (saves or edits) in the Virtual IP page may produce a warning pop-up message on the screen.
964386 GUI dashboards show all the IPv6 sessions on every VDOM.
970528 The hsts-max-age is not enforced as set under config system global.
972887 The interface firewall object created automatically is not found by a firewall policy search with IP address.
974988 FortiGate GUI should not show a license expired notification due to an expired device-level FortiManager Cloud license if it still has a valid account-level FortiManager Cloud license (function is not affected).
975403 On the System > Replacement Messages page, the ? is removed from custom replacement messages.
979508 The Operation Technology category cannot be turned on or off from the GUI. The option to enable/disable the Operational Technology category on application control profiles when hovering the mouse over the category name is missing.
981244 On the FortiGate GUI, IPsec or GRE configurations are missing when using set type tunnel.
983422 A GTP profile cannot be applied to policy using the GUI.
996845 When saving a packet capture, the file name saves as a generic file name with no identifiable information.
1006079 When changing administrator account settings, the trusthost10 setting is duplicated.
1013455 On the FortiGate GUI, inter-VDOM links are not available for packet capture.

HA

Bug ID Description
956577 For SSL VPN users, some endpoint logs are generated on the secondary HA vcluster VDOM.
962491 Some long lasting TCP established sessions expire on the HA secondary unit earlier than on the primary unit.
962525 In HA mode, FortiGate uses ha-mgmt-interface as the portal for the DNS resolver, even if this port may not be able to reach the DNS server.
962681 In a three member A-P cluster, the dhcp lease list (execute dhcp lease-list) might be empty on secondary units.
964412 The firewall does not detect that the secondary HA unit has been upgraded and returned to the cluster.
964427 There is a session count discrepancy when the firewall is configured without NAT.
964828 Enabling HA direct prevents users from changing the interface as the set-interface command is hidden in the CLI.
970334 The vcluster2 on a Secondary HA unit does not use session-sync-dev to synchronize sessions to FGSP peer unit.
971075 The last interface belonging to the non-root management VDOM is not visible when accessing the GUI using the HA management interface.
972163 Under heavy traffic, some sessions are not fully synchronized to the FGCP secondary unit.
972896 No configuration error when restoring a configuration with incorrect config firewall wildcard-fqdn custom entries, resulting in an HA-unsync status.
974749 TCP/SCTP sessions count mismatch in an HA pair in A-P mode.
976024 VXLAN traffic does not pass through after HA cluster failover.
976160 In a FortiGate HA, the unit periodically produces a warning message for a missing sync file.
985237 Output is missing from the diagnose sys ha vlan-hb-monitor command.
1000001 A secondary HA unit may go into conserve mode when joining an HA cluster if the FortiGate’s configuration is large.
1004215 Local out traffic from the primary HA unit uses the wrong interface when SNMP points to the secondary HA unit.

Hyperscale

Bug ID Description
961684 When DoS policies are used and the system is under stress conditions, BGP might go down.
967017 TCP or UDP timer profiles configured using config-system npu may not work as intended.
975264 Hyperscale should not support threat feed addresses with the negate option.
976972 New primary can get stuck on failover with HTTP CC sessions.
981918 Hyperscale policy loses the cgn-log-server-grp setting with log mode per-mapping when the system reboots.
994019 Hairpin traffic may not work due to a rare situation caused by a race condition.
1016478 When modifying existing policies with a BOA loaded configuration, NPD is not working as expected.
1018125 When a service or address is applied in a deny policy, traffic is still allowed to flow to that service or address.
1024313 The template for the netflow v9 log packets is not included in the configuration.

Intrusion Prevention

Bug ID Description
782966 IPS sensor GUI shows All Attributes in the filter table when IPS filters with default values are selected in the CLI.
1000223 HTTPS connections to a Virtual IP (VIP) on TCP port 8015 are incorrectly blocked by the firewall, displaying an IPS block page even when no packet from the outside to TCP port 8015 should reach the internal VIP address.

IPsec VPN

Bug ID Description
564920 IPsec VPN fails to connect if ftm-push is configured.
914418 File transfer stops after a while when offloading is enabled.
950012 IPsec traffic may stop for the SOC4 platform due to a rare error condition.
950445 After a third-party router failover, traffic traversing the IPsec tunnel is lost.
965915 After an HA failover, static gateway IPsec routing fails.
966085 IKEv2 authorization with an invalid certificate can cause tunnel status mismatch.
968080 Shortcut negotiation cannot trigger when traffic flows over an existing shortcut unless auto-discovery-forwarder is set on the spoke.
968218 When the IPsec tunnel destination MAC address is changed, tunnel traffic may stop.
968376 Changes to the IPsec tunnel type from a static to dialup user on the GUI does not change the actual configuration.
974648 Editing existing IPsec aggregate members does not update in the bundle list.
977486 On FortiGate, a Tunnel Mode IPsec VPN policy cannot be created using the GUI.
978243 Unable to send all prefixes through FortiClient using dial-up IPsec VPN split tunnel to macOS devices.
982599 When a NAT port is changed between two static IPsec endpoints, the new port cannot be applied on the tunnel.
996625 Unable to create a FortiClient dial-up VPN with certificate authentication because a peer CA certificate cannot be selected.
998229 Traffic loss is experienced on inter-region ADVPN tunnels after phase 2 rekey.
999619 The IPsec peer name check process is not working as expected when configuring static and dynamic tunnels in a certain order.
1009732 If there are more than 2000 dialup IPsec tunnel interfaces used in multiple FGT firewall policies, an IKE policy update may not be able to complete before the IKE watchdog timeout.

Log & Report

Bug ID Description
872493 Disk logging files are cached in the kernel, causing high memory usage.
954565 Although there is enough disk space for logging, IPS archive full message is shown.
957130 When running version 7.2.3 of FortiGate, log retrieval speed from FortiAnalyzer is slow.
960661 FortiAnalyzer report is not available to view for the secondary unit in the HA cluster on the Log & Report > Reports page.
967692 The received traffic counter is not increasing when the traffic is HTTPS with webfilter.
972087 Log entries are still visible in General System Events after being excluded from the disk logging filter.
973673 The monitor-failure-retry-period is not working as expected when the log daemon restarts the next oftp connection after a connection timeout.
978526 The configuration attribute cfgattr="password[*]" does not appear in the log when password-policy is enabled.
985508 SYN.ACK traffic is blocked when set allow-traffic-redirect is enabled.
987261 In the webfilter content block UTM log in proxy inspection mode, sentbyte and rcvdbyte are zero.
996551 The UTM Log for blocking unknown-content-encoding is shown under the utm-webfilter when a web filter profile is not applied.
1005171 After upgrading to version 7.0.14, the system event log generates false positives for individual ports that are not used in any configuration.

Proxy

Bug ID Description
900546 DNS proxy may resolve with an IPv4 address, even when pref-dns-result is set to IPv6, if the IPv4 response comes first and there is no DNS cache.
915404 Proxyd did not account for all RFC-compliant SMTP pipelining cases.
922093 CPU usage issue in WAD caused by source port exhaustion when using WAN optimization.
947814 Too many redirects on TWPP after the second KRB keytab is configured.
955990 Captive portal reappears repeatedly in the browser after importing user credentials.
965966 An error condition occurred in WAD due to heavy HTTP video traffic when using a video filter profile with deep inspection enabled.
1000653 The proxy policy does not validate IP addresses in the XFF when an HTTP address is sent by AGW.
1010718 The proxy policy is deleted from the configuration without notification after an upgrade.
1012965 Deep inspection and web filter for an explicit proxy policy do not work if profile-protocol-options has additional ports for HTTP.
1016970 High memory usage in WAD causes FortiGate to enter into conserve mode.

REST API

Bug ID Description
964424 REST API GET /ips/sensor/{name} adds extra space to locations, severity, protocol, os, and application field values.
984499 REST API query /api/v2/monitor/system/ha-peer does not return the primary attribute of an HA cluster member.

Routing

Bug ID Description
792512 The dashboard Session widget cannot display the correct IPv6 session count per VDOM.
924693 On the Network > SD-WAN > SD-WAN Rules page, member interfaces that are down are incorrectly shown as up. The tooltip on the interface shows the correct status.
935886 SD-WAN packet duplication feature in force mode suddenly stops duplicating and starts to duplicate again once the FortiGate is rebooted.
943333 When SD-WAN health-check is configured, the IPv6 interface IP address of shortcut fails to be pinged.
966681 FortiGate cannot ping an IPv6 loopback address.
969671 GRE tunnel, established over a VLAN that has been created on specific interface types, may reference non-existent device indexes due to the reloading of VLANs.
974921 When creating or editing a rule on the Network > Routing Objects page, if the weight is set to 0 the changes are not saved.
977215 SD-WAN health check with state = dead moves between 100% and 0% packet loss while the state stays the same.
977327 DTLS with SSL VPN not working as expected on multiple ports that are within the same SD-WAN zone.
977751 BGP advertisement and Route-Reflector advertisement do not advertise additional routes after first table is announced and encoded.
978204 BFD/BGP dropping when outbandwidth is applied.
978683 The link-down-failover command does not bring the BGP peering down when the IPsec tunnel is brought down on the peer FortiGate.
983172 After traffic switching, ingress and egress ports do not follow the correct session.
984478 The SD-WAN Rules GUI page keeps loading.
984612 After upgrading from 7.2.5 and 7.2.6, management access and ZTNA Access Proxy do not work when accessed from external networks.
985539 SD-WAN health check logs are not generated for ADVPN shortcuts.
989840 Issue with PIM neighborship over an IPSec tunnel with NP offload.
1000433 The IPv6 route with dynamic gateway enabled cannot be configured after an upgrade and reboot.
1001556 VXLAN does not match SD-WAN rule when a service is specified.
1006703 OSPF logs for neighbor status are not generated when using multiple VRFs.
1009907 The OSPF daemon does not function as expected causing routing to stop working after an HA cluster failover.
1012895 The set-regexp command does not function as expected in the extcommunity-list.

Security Fabric

Bug ID Description
789237 Support the use of loopback IP as the source for Security Fabric connections.
941728 Email notifications not working as expected for automation Reboot stitch.
956423 In HA, the primary unit may sometimes show a blank GUI screen.
958429 The webhook request header does not contain Content-type: application/json when using the JSON format. This causes Microsoft Teams to reject the request.
966740 On the Security Fabric > Security Rating page, the format of the Unused Policies test Last Used date is incorrect.
967842 Error message Fail to retrieve FortiView data displays when switching from the CSF root summary page to CSF child summary page.
968585 The automation stitch triggered by the FortiAnalyzer event handler does not work as expected.
968621 Erroneous memory allocation resulting in unexpected behavior in csfd after upgrading.
972921 The comments are not working as expected in the threat feed list for the domain threat feed.
984127 FortiGate shows the wrong notification to setup an upstream device that is not a FortiGate to the Security Fabric.
985198 The IP address threat feed connection status indicates an Other Error.
988526 Address object changes from the CLI of the root FortiGate in Security Fabric are not synchronized with downstream devices.
990703 In certain scenarios, dynamic addresses managed by the Azure SDN connector may be removed leading to potential network interruptions.
1003503 Optimizing federated auto-firmware upgrade with FortiGate, FortiSwitch, and FortiAP.

SSL VPN

Bug ID Description
821240 Erroneous memory allocation observed in SSLVPNVD caused by a rare error condition.
905050 Intermittent behavior in samld due to an absent crucial parameter in the SP login response may lead to SSL VPN users experiencing disconnections.
906756 Update SSL VPN host check logic for unsupported OS.
951827 SSL VPN client certificate verification failed after importing the VDOM user peer CA certificate into the global VDOM.
979000 FortiGate does not execute the radius disconnect request from FortiAuthenticator.
979590 On FortiOS, the OS checklist for SSL VPN does not include macOS Monterey 12.7.x for host check.
981310 SSL VPN Web mode experiences intermittent traffic disruption due to the non-standard response of the user's web server.
987501 On FortiGate, the GRE tunnel stops sending traffic after an upgrade.
999378 When the GUI tries to write a QR code for the SSL VPN configuration to the file system to send in an email, it tries to write it in a read-only folder.

Switch Controller

Bug ID Description
899414 On the WiFi & Switch Controller > WiFi maps page Diagnostics and Tools panel, and on the WiFi & Switch Controller > FortiSwitch Clients page, the status of the LACP interface is incorrectly shown as down when it is up.

This is a GUI issue that does not affect the operations of the LACP interface. To view the correct status of the LACP interface, go to the WiFi & Switch Controller > FortiSwitch Ports page, or use the CLI.

911232 Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.
984404 After upgrading to version 7.4.2, the FortiSwitch shows as not registered in the GUI.
988335 If a user’s network has more than 20 MAC addresses in a NAC environment, it is possible for the CAPWAP to come down.
989015 The SWC switch port does not have all of the speed options compared to FortiSwitch.
1000663 The switch-controller managed-switch ports’ configurations are getting removed after each reboot.

System

Bug ID Description
733096 FG-100F HA secondary’s unused ports flap from down to up, then to down.
782710 Traffic going through a VLAN over VXLAN is not offloaded to NP7.
811367 Ports 33-35 constantly show suspect messaging in the transceiver output. Affected platforms: FG-2600F and FG-2601F.
820268 VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform.
880271 Aggregate interface (LAG) dropping traffic.
882131 PPPoE interface with SFP does not recover after a connectivity failure.
882187 FortiGate enters conserve mode in a few hours after enabling UTM on the policies.
882862 LAG interface members are not shutting down when the remote end interface (one member in the LAG) is down.
883606 FortiOS allows customers to enable or disable the INDEX extension that appends the VDOM or interface index in RFC tables.
901721 In a certain edge case, traffic directed towards a VLAN interface could trigger an error condition in the kernel.
910364 CPU usage issue in miglogd caused by constant updates to the ZTNA tags.
912092 FortiGate does not send ARP probe for UDP NP-offloaded sessions.
920349 Connectivity was lost after creating new VDOM and NPU_VLINK.
921604 On the FortiGate 601F, the ports (x7) have no cables attached but the link LEDs are green.
924143 Logs for failed login attempt lock-duration is not consistent with the configuration.
925554 On the Network > Interfaces page, hardware and software switches show VLAN interfaces as down instead of up. The actual status of the VLAN interface can be verified using the command line.
929896 Unable to configure a 9600 baud-rate on DNP3-Proxy.
930803 Unable to monitor DSL parameters and the get sys dsl status command shows errors.
938449 In the 4.19 kernel, when a neighbor’s MAC is changed, the session and IPsec tunnel cannot be flushed from the NPU.
952284 A FortiGate with 2G of memory enters conserve mode when a node uses 20% of the memory.
953140 FG-1801F silently drops forward traffic at the NP7 modules.
954529 The diagnose npu sniffer stop command can lead to a traffic outage.
957135 EMAC-VLAN interface uses two MAC addresses when it should only use an internally generated MAC address.
960643 IP addresses with an expired quarantine period might not be removed from quarantine.
960707 Egress shaping does not work on NP when applied on the WAN interface.
962153 A port that uses a copper-transceiver does not update the link status in real-time.
964465 Administrator with read-write permission for WiFi and read permission for network configuration cannot create SSIDs.
964820 Traffic forwarding on Dialup VPN IPSec does not work as expected when npu-offload is enabled.
966187 Unable to set a static ARP entry on the EMAC VLAN interface.
968134 FortiGate 200F experiences a performance issue due to Marvell switch HOL mode.
968421 IPsec experiences traffic loss when inbound-dscp-copy and npu-offload are enabled on FFW-4401F.
971109 FortiGate does not forward requests for some devices causing VoIP devices to not get IP addresses on the network.
971404 Session expiration does not get updated for offloaded traffic between a specific host range.
974740 FortiGate 2600F does not set 10G ports to 100G.
974746 Changing interface settings causes the cluster to reboot and leads to a kernel interruption.
975496 FortiGate 200F slow download and upload speeds when traversing from a 1G to a 10G interface.
975895 FortiGate locks when Configuration save mode is set to Manual and triggers a reboot.
977231 An error condition occurred in fgfm caused by an out-of-band management configuration.
977740 Transparent-mode VDOM system switch-interface and Firewall policies deleted after a power cycle.
981685 On the FortiGate 4400F, high CPU usage by random CPU cores in the system space.
982200 FortiGate enters into conserve mode due to excessive memory usage by Slabs.
982651 Security mode 802.1X authentication happens every hour on a hardware switch with 7.2 code.
983102 FortiGate uses one core causing CPU usage to go to 99%.
984696 Network usage is not accurately reported by the get system performance status command.
986698 The NP7 should use the updated MAC address from the ARP table to forward traffic to the destination server.
988528 With NGFW mixed traffic, the CPU usage goes to 99%.
995395 Typo in the set ipv6-allow-local-in-slient-drop command.
1001498 On FortiGate, TCP and UDP traffic cannot pass through with dos-offload enabled.
1001601 A kernel interruption on FortiGate prevents it from rebooting after an upgrade with a specific configuration.
1002766 FortiGate prevents select interface a as an option for traceroute, ssl, and telnet services.
1003349 CPU usage issue in WAD after upgrading from 7.4.1 to 7.4.3 when using address group member.
1008049 The I2C bus becomes stuck during an upgrade due to an error in the switch-config-init command.
1009853 Outgoing traffic from EMAC-VLAN uses default cos tag when traffic is not offloaded.
1012518 Some FortiGate models on NP6/NP6Lite/NP6xLite platforms experience unexpected behavior due to certain traffic conditions after upgrading to 7.2.8. Traffic may be interrupted momentarily.
1015955 On FG-140E models, an interruption occurs in the kernel after an upgrade, preventing the device from booting up properly.
1018787 On FortiGate, a TCAM issue prevents ports from being mapped properly.

Upgrade

Bug ID Description
925567 When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path.
952828 The automatic patch upgrade feature overlooks patch release with the Feature label. Consequently, a FortiGate running 7.4.2 GA does not automatically upgrade to 7.4.3 GA.
955810 Upgrading FortiOS is unsuccessful due to unmount shared data partition failed error.
977281 After the FortiGate in an HA environment is upgraded using the Fabric upgrade feature, the GUI might incorrectly show the status Downgrade to 7.2.X shortly, even though the upgrade has completed.

This is only a display issue; the Fabric upgrade will not recur unless it is manually scheduled.

981863 FortiGate encounters an error ftar:215 Unrecognized archive format during a firmware upgrade.
999324 FortiGate Pay-As-You-Go or On-demand VM versions cannot upload firmware using the System > Firmware & Registration > File Upload page.
1017519 Auto firmware-upgrade may run when a FortiGate is added to a FortiManager that is added behind a NAT.

User & Authentication

Bug ID Description
825561 2FA push for FAC token and FTC will not start the push notification process without user input on the browser.
893475 When using the TACACS test server button in a FortiGate environment with HA-direct interface enabled, the traffic originates from the cluster interface instead of the designated ha-direct interface.
934096 If the AD password policy is not met, the password change is not applied and no clear message is shown to the user.
934263 After authentication in authorization portal, page loading stalls and the user is not redirected to set redirect-url.
960230 After the authentication timeout setting value is reached, the Time Left value on the Firewall User Monitor > Firewall Users > Time Left page increases to thousands of days.

VM

Bug ID Description
938382 OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.
954962 The Client Hello packet is delayed connecting to FortiGate proxy-based mode and certificate inspection in an AWS GWLB environment using a GENEVE interface.
967134 An interrupt distribution issue may cause the CPU load to not be balanced on the FG-VM cores.
996389 AWS SDN Connector stops processing because the IAM external account role is missing the sts:AssumeRole value.
998208 The FortiGate-VM system stops after sending an image to the HA secondary during a firmware upgrade due to a different Flex-VM CPU license.
1006570 VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM.

VoIP

Bug ID Description
1004894 VOIPD experiences high memory usage and enters into conserve mode.

WAN Optimization

Bug ID Description
1017543 HTTPS over wanopt traffic cannot pass when using ssl half mode in an ssl server.

Web Filter

Bug ID Description
983759 User internal IP address is visible on the internet through certificate.
1002266 Web filtering does not update rating servers if there is a FortiGuard DNS change.
1013866 On FortiOS, the category action change is not saved if the category number is the same as the existing entry ID.
1004985 The webfilter cookie override was triggered with no issue observed and an override entry was created on the FortiGate, but client access remained blocked by the old profile, and the client received a replacement message with an override link, just as on the initial access that triggered the override.

WiFi Controller

Bug ID Description
883021 Is the FortiGate 100F RFC 2865 compliant and, if yes, why does the FortiGate not always re-authenticate after the Session-Timeout value?
883938 Flooded wireless STA traffic seen in L2 tunneled VLAN (FG-1800F).
915715 On a secondary FortiGate in an HA cluster, user and vlan-id values do not show up when using the diagnose wireless-controller wlac -d sta online command in the CLI.
950379 The diagnostics of online FortiAPs shows Link Down in the trunk port Connected Via field when the FortiAP has an LACP connection to a FortiSwitch.
965695 Join/leave is repeated between FortiAP 421E and FortiGate 100E at multiple sites.
982626 Application httpsd does not work as expected when selecting a MPSK setting in any MPSK enabled VAP using the GUI.
983019 HA synchronization issue with FortiAP causes connectivity flapping when managed by a secondary VM.
994752 Memory usage causes the secondary HA node to enter conserve mode.
998578 On FortiGate devices running 7.4.2 or 7.4.3, managed FortiAP-W2 devices might randomly go offline.
1001104 Some FortiAP 231F units show join/leave behavior after the FortiGate is upgraded to 7.2.7.
1003070 On FortiGate, the sta count is not accurate when some wireless clients connect to APs managed by FortiGate.
1018107 Unable to manage FortiAP from FortiGate.

ZTNA

Bug ID Description
975342 ZTNA TFAP access using a FQDN private server does not work if a ZTNA tag is not set on the policy.
1020565 Users visiting ZTNA SaaS applications on a web browser cannot reach the page and are given an error message.

Vendor notes: FortiOS 7.4.4 Release Notes

Regards,

The B&B Team
Bezpieczeństwo w biznesie
