FortiOS 7.4.6 to najnowsza wersja systemu operacyjnego FortiGate, wprowadzająca znaczące ulepszenia. Wśród nowości warto wymienić szereg usprawnień w obszarze SD-WAN, takich jak dynamiczne tunelowanie i sterowanie przepustowością na poziomie aplikacji, co przekłada się na wyższą wydajność sieci. Ponadto, ogólna wydajność systemu została zwiększona o 10%. Aktualizacja zawiera również istotne poprawki bezpieczeństwa oraz wiele innych funkcjonalności. Szczegółowe informacje można znaleźć poniżej.
Wspierane urządzenia:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-90G, FG-91G, FG-100F, FG-101F, FG-120G, FG-121G, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG-400F, FG-401F, FG‑500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG‑900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG‑3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG‑5001E1 |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G |
| FortiFirewall | FFW-1801F, FFW-2600F, FFW-3001F, FFW-3501F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM |
| FortiGate VM | FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-XEN |
Rozwiązane problemy:
Anti Spam
| Bug ID | Description |
|---|---|
| 1050805 | When spam mail is received from the server, POP connection times out. |
Anti Virus
| Bug ID | Description |
|---|---|
| 1054835 | Large file downloads take longer than expected due to a WAD process issue. |
| 1058701 | On FortiGate, the av-mem-limit does not work as expected when set av-failopen pass configured due to a memory usage issue. |
| 1078882 | The scanunit tries to scan with no payload, resulting in an error message from FortiNDR and generating an error on FortiGate. |
Data Loss Prevention
| Bug ID | Description |
|---|---|
| 984784 | When a DLP profile is set to MAPI, there is a slow connection between Outlook and the Exchange server. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 1076642 | Unable to load pages with cloudflare protected websites with auth enabled, if Auth scheme is set to Form-Based in explicit proxy. |
Firewall
| Bug ID | Description |
|---|---|
| 1007029 | On FortiGate, connections are disrupted between client email exchange servers and a virtual server when HTTP2 support is enabled. |
| 1007566 | When the FortiGate has thousands of addresses and hundreds address groups, the GUI can take a few minutes to search for a specific address inside the address group dialog. |
| 1059989 | Modifying the shaping profile, whether it is assigned to an interface or not, results in IPsec tunnels going down. |
| 1060452 | FortiGate in policy-based mode showing the incorrect policy ID in forward traffic logs. |
| 1068393 | Incorrect matching of zones and SD-WAN zones occurs where interfaces do not exist. |
FortiGate 6000 and 7000 platforms
| Bug ID | Description |
|---|---|
| 1016439 | Enabling or disabling a vcluster causes some backup routes (proto = 20) to be lost when a routing table has a significant amount of routes (over 10000 routes). |
| 1056894 | On the FortiGate 6000 platform, IPv6 VRF routing tables appear under the new and old FPC primary units when the primary FPC slot is changed. |
| 1081015,
1086953 |
On FortiGate 7000 secondary units, slot 3 (FPM) has no ISDB database and does not update due a filesync connection issue. |
GUI
| Bug ID | Description |
|---|---|
| 1033626 | During a firewall failover, multicast traffic is not forwarded within an appropriate time frame. |
| 1035356 | The WAN interface is accessible in the GUI under certain interface configurations even though it is not allowed in the configuration file. |
HA
| Bug ID | Description |
|---|---|
| 1084662 | FFDB signatures keep flapping on all blades except the master FIM of the primary chassis. |
Hyperscale
| Bug ID | Description |
|---|---|
| 1047362 | The sw session and log2host netflow logs cannot be seen even though template is present. Data packet displays an error saying template not found. |
| 1090234 | FortiGate encounters an interruption in the kernel due to an issue with the hairpin query function. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 1016531 | FortiGate encounters a memory usage issue in the IPS engine when av-failopen is set to pass. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 1018749 | IPsec inserted SA’s are not deleted successfully after flushing all tunnels. |
| 1061925 | IPsec tunnels are flushed when unrelated changes are made in the system. |
| 1073995 | Authentication for native iOS IPsec VPN user with FortiToken 2FA does not work as expected. |
| 1081951 | FortiGate encounters a steadily increasing IKED memory usage issue after upgrading to version 7.4.5. |
Log & Report
| Bug ID | Description |
|---|---|
| 1083537,
1088358 |
The FortiAnalyzer serial number disappears from the FortiGate configuration when an OFTP session is disconnected due to a timestamp caching issue. |
Proxy
| Bug ID | Description |
|---|---|
| 916178 | FortiGate encounters an issue with the WAD daemon when deep inspection and SSL exemption are enabled while visiting a server with an expired certificate. |
| 1018780 | FortiGate encounters a memory usage issue caused by the WAD process after an upgrade. |
| 1020828 | An HTTP2 stream issue causes an error condition in the WAD. |
| 1039006 | Some websites cannot open subpages when the HTTP2 header value exceeds 16MB. |
| 1047441 | On FortiGate, the WAD process may not work as expected with H2 traffic when creating UTM logs. |
| 1048296 | FortiGate experiences an HTTP2 framing error when accessing websites using proxy mode with deep inspection configured due to a frame sizing issue in the WAD process. |
| 1064758 | The Protocol option tcp window size in a proxy policy does not work as expected. |
| 1067942 | An error occurs in the WAD process when DoH traffic is sent to a transparent proxy after enabling HTTP policy redirect, and without having a transparent proxy configured. |
| 1078385 | FortiGate experiences a memory usage issue in the WAD process when sending AVDBs updates from the config daemon to workers. |
REST API
| Bug ID | Description |
|---|---|
| 1084335 | Existing API key may not work as expected with a 403 error wrong vdom displaying after upgrading to FortiOS version 7.4.5.
Workaround: After upgrading to version 7.4.5, create a new API user and use the new API key. |
Routing
| Bug ID | Description |
|---|---|
| 1057474 | FortiGate does not generate a PIM register after stopping and starting a multicast stream. |
| 1069060 | Routes are not displayed correctly when the BGP configuration is in a specific order. |
| 1085271 | An IGMP membership report with a 0.0.0.0 source does not work as expected in kernel 4.19.13. |
Security Fabric
| Bug ID | Description |
|---|---|
| 1082980 | The AZURE type dynamic firewall address takes longer than normal to resolve itself, even with the correct filter value in the robot test bed. |
SSL VPN
| Bug ID | Description |
|---|---|
| 998219 | Internet services cannot be used (IPv4 and IPv6) as destination in SSL VPN policies with dual stack enabled. |
| 1046374 | An unauthenticated user mismatch occurs with the user. |
Switch Controller
| Bug ID | Description |
|---|---|
| 1077496 | FortiGate encounters a CPU usage issue caused in the flcfgd when receiving multiple messages from the WAD daemon. |
System
| Bug ID | Description |
|---|---|
| 920320,
1029447 |
FortiGate encounters increasing Rx_CRC_Errors on SFP ports on the NP6 platform when an Ethernet frame contains carrier extension symbols to Cisco devices. |
| 960707 | Egress shaping does not work on NP when applied on the WAN interface. |
| 983467 | FortiGate 60F and 61F models may experience a memory usage issue during a FortiGuard update due to the ips-helper process. This can cause the FortiGate to go into conserve mode if there is not enough free memory. |
| 986926 | On the FortiGate 90xG models, the ULL interfaces for x5 – x8 are down after being set to 25G speed. |
| 1013010 | On some FortiGates, 25 GB transceivers are displayed as 10 GB transceivers in the get system interface transceiver command. |
| 1015698 | On FortiGate 601F models, the X5 – X8 interfaces with 25G SFP28 DAC are down after upgrading to version 7.4.4 or later. |
| 1020921 | When configuring an SNMP trusted host that matches the management Admin trusted host subnet, the GUI may give an incorrect warning that the current SNMP trusted host does not match. This is purely a GUI display issue and does not impact the actual SNMP traffic. |
| 1024737 | On FortiGate, when set ull-port-mode is set to 25G, ports x5-x8 show a status of DOWN. |
| 1025114 | Insufficient free memory on entry-level FortiGate devices with 2 GB RAM may cause unexpected behavior in the IPS engine. |
| 1032018 | The SFP+ port LED does not illuminate and displays a speed 10Mbps even though the link status up and speed is set to 1000Mbps. |
| 1032602 | FortiGate encounters a memory usage issue on DNS proxy, resulting in FortiGate going into conserve mode. |
| 1048496 | On FortiGate, the snmp daemon does not work as expected resulting in the SNMP queries timing out. |
| 1050883 | Backing up a configuration using SFTP with the domain username does not work when characters @ and \ are in the username. |
| 1056174 | FortiOS processes packets on a non-active port of a redundant link. |
| 1058256 | On FortiGate, interfaces with DAC cables remain down after upgrading to version 7.4.4. |
| 1068150 | The DHCP relay uses the wrong interface to send DHCP offer packets to the client. |
| 1075032 | On FortiGate, NP7 offloaded traffic does not use the MAC address of a new default gateway to forward traffic using the EMAC-VLAN interface. |
| 1075585 | Shared copper WAN1 and WAN2 ports remain down when the interface speed is set to 100full. |
Upgrade
| Bug ID | Description |
|---|---|
| 1106072 | The image file transfer between FortiManager and FortiGate may not work as expected when transferred by the FGFM tunnel.
Workaround: Enable the Let Device Download Firmware From FortiGuard option on FortiManager. |
User & Authentication
| Bug ID | Description |
|---|---|
| 1072870 | FortiGate initiates LDAPS sessions that do not respect the ssl-min-proto-version option set under the config system global command. |
VM
| Bug ID | Description |
|---|---|
| 972520 | The FortiGate-AWS HA secondary awsd debug result prints raw HTML content. |
| 1072695 | The VLAN interface is not reachable on a FortiGate VM running KVM with Intel 10G NIC (10GB Ethernet card). |
WiFi Controller
| Bug ID | Description |
|---|---|
| 1049471 | On FortiGate 90G and 120G models, traffic is dropped due to the MAC address of the VAP interface being updated with the old MAC address when HA is enabled. |
| 1062730 | On FortiGate, the set max-clients feature does not work as expected and allows more clients to connect than the maximum value configured. |
Notatki producenta: FortiOS 7.4.6 Release Notes
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
