B&B Bezpieczeństwo w biznesie

Fortinet has released the FortiOS 7.6.3 update for FortiGate. The list of fixes covers key issues affecting device operation. SSL VPN has been improved: among other things, the problem of SAML sessions not expiring correctly was resolved, as were cases in which the FortiGate sent an expired certificate. Proxy stability was also improved: problematic inspection rules and excessive memory consumption by the WAD process were eliminated. In addition, significant changes affect firewall operation in HA environments, reducing cluster disconnections and desynchronization.

Supported devices:

FortiGate FG-40F, FG-40F-3G4G, FG-60F, FG-61F, FG-70F, FG-71F, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81F, FG-81F-POE, FG-90G, FG-91G, FG-100F, FG-101F, FG-120G, FG-121G, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-400F, FG-401F, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG-5001E1, FG-6000F, FG-7000E, FG-7000F
FortiWiFi FWF-40F, FWF-40F-3G4G, FWF-60F, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate Rugged FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G
FortiFirewall FFW-1801F, FFW-2600F, FFW-3001F, FFW-3501F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM
FortiGate VM FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-XEN

FortiGate 6000 and 7000 support

FortiOS 7.6.3 supports the following FG-6000F, FG-7000E, and FG-7000F models:

FG-6000F: FG-6001F, FG-6300F, FG-6301F, FG-6500F, FG-6501F
FG-7000E: FG-7030E, FG-7040E, FG-7060E
FG-7000F: FG-7081F, FG-7121F

Resolved issues:

Agentless VPN (formerly SSL VPN web mode)

See also SSL VPN tunnel mode no longer supported.

Bug ID Description
1017304 SSL VPN web mode missing several security headers in the HTTP response.
1058211 Traffic could not go through the SSL VPN tunnel when DTLS is enabled with a loopback interface as the source address.
1077157 FortiGate sends out expired server certificate for a given SSL VPN realm, even when the certificate configured in virtual-host-server-cert has been updated.
1083262 FNBAMD session hangs after a massive authorization request.
1036557, 1091173 Performance degradation occurs in SSL-VPN due to connection/session timeout management issues.
1093580 SSL VPN authentication is triggered even with EMS SN check enabled.
1101837 Insufficient session expiration in SSL VPN using SAML authentication.
1102362 SSL VPN web mode missing HTTP response headers.
1107663 FortiClient 7.2.6 GA Azure auto login cannot connect after upgrade.
1111135 Log additional debug information to aid troubleshooting.
1115510 SAML metadata couldn’t be generated causing SAML authentication to fail.
1126825 SSL VPN stops functioning when ssl.root interface is added to a zone used by at least one policy.

Anti Virus

Bug ID Description
1054835 Large file downloads take longer than expected due to a WAD process issue.
1100819 SMB traffic fails when the file server uses AES-256-GCM/CCM encryption with FortiOS.
1104189 In TP VDOM, the WAD creates the expectation session for FTP data connection if the firewall is in the proxy mode. This session does not have the outdev info.
1111973 Unable to create an AV profile on devices that have 2 GB RAM.

Application Control

Bug ID Description
1064413 When using SD-WAN load balancing, some sites are slow or inaccessible when the Application Control action is set to Allow.
1102636 After the first DB update, only signatures in the built-in DB are loaded.

DNS Filter

Bug ID Description
1025233 Support Encrypted Client Hello (ECH) in flow mode.
1096380 FortiGate in proxy mode sends the cached DNS response when it receives a DNS registration request.
1100282 Chrome flex OS cannot access SharePoint when using FortiGate DNS servers.

Endpoint Control

Bug ID Description
1066250 Verification of EMS and upgrade of FGT with verified EMS should promote CA to fabric-ca.
1090981 EMS is unable to properly synchronize the FortiGate configuration for non-web ZTNA applications when FortiGate has multiple EMS units.
1093786 Expired FCEM contract generated by FortiFlex is loaded to FortiGate VM.
1098350 Sometimes the GUI > Asset FortiClient page cannot display the ems-tag for a VPN user, which causes the "Matched Endpoints" page to miss those users.

Explicit Proxy

Bug ID Description
1114438 Policy test feature not working on FortiProxy 7.4.5 and 7.4.6 when no wad debugs are running in the background.
1115137 Expand the proxy-auth-timeout maximum value.
1116555 Deep scanning occurs when accessing subcategories of websites with category-based proxy policies despite disabling subcategory checks.
1134310 SSL exemption not working on proxy policy when partial match occurs.
1103272 Wrong SSL certificate for block page replacement messages returns.
1107762 webproxy is not respecting the over-size limit value when system memory is large.

Firewall

Bug ID Description
723186 GUI should not filter out mac address type from multicast policy page.
946762 On the policy list, the ZTNA Tag and Secondary ZTNA Tag options do not work when multiple tags are used in the policy.
993138 Misleading logs with subtype="ztna" appear when only a virtual-server is configured in a firewall policy.
994986 The By Sequence view in the Firewall policy list may incorrectly show a duplicate implicit deny policy in the middle of the list. This is purely a GUI display issue and does not impact policy operation.

The Interface Pair View and Sequence Grouping View do not have this issue.

1025078, 1086315 When using a virtual server, some customers observed issues of memory usage increases and client sessions not disconnecting.
1025969 Policy enforcement fails for wildcard FQDN hosts as destination targets because the address records are not added to the wildcard entry when processing a server response for an FQDN’s domain name.
1038650 On policy list, using the Clear counter and Update statistic options for a single policy should not refresh the whole policy list.
1050906 Under heavy network traffic, the Netflow session cache for sampled traffic quickly reaches the hardcoded RAM limit, causing the sFlow daemon to shut down.
1055898 HTTP/2 post without content-length is not supported in half-ssl virtual server.
1066136 Denied sessions were bidirectional and caused all traffic to be blocked.
1078662 If an interface on an NP7 platform has the set inbandwidth XXX, set outbandwidth XXX, and set egress-shaping-profile XX settings, the following issues may occur:

  • Fragment packet checksum is incorrect.
  • MTU is not honored when sending packets out.
  • QTM hangs and blocks traffic when packet size is larger than 6000 bytes.
1081542 On FortiGate, packets are dropped when UTM and ASIC offloading are enabled.
1088507 ICMP Echo replies sent through local-in-policy with virtual-patch enabled are routed through incorrect interfaces during traffic handling.
1097628 Firewall policy filter does not work well on source and destination columns for "all" and "ems" addresses.
1098208 After FortiGate exits conserve mode, some policies failed to install into the kernel at the same time.
1101865 Unexpected trailing characters in Netflow template 257.
1102471 Unexpected traffic hit policy in forward traffic log.
1103748, 111268 Threat feeds used as source or destination addresses in security policies may not match correctly.
1104208 NAT is incorrectly applied to traffic when a single SYN packet is sent to a VIP without an acknowledgment or reset.
1106112 Small platforms cannot remove FFDB shared memory files.
1107003 The local-in/central-snat/multiple policy dialog page should filter out member interfaces of SD-WAN from omniselect list.
1108540 Search in the Address group dialog box using a partial word match takes more than a minute.
1110135 Policy lookup for UDP protocol with FQDN not working.
1111263 tcpsock command missing PID/process name for sessions in established state.
1117165 Leaving the apn field empty in a GTP APN traffic shaping policy means that the policy will not match any traffic. Consequently, APN traffic shaping can only be applied to specific APNs.

To configure GTP APN traffic shaping:

config gtp apn-shaper
    edit <policy-id>
        set apn [<apn-name> <apngrp-name> ...]
        set rate-limit <limit>
        set action {drop | reject}
        set back-off-time <time>
    next
end
1120749 If a session is in the SYN_SENT or SYN_RECV state and FortiGate receives a second SYN with a different ISN, it drops the second SYN.
1121944 A firewall policy allows traffic from client to server, but no policy exists for server to client. When traffic is not matched from server to client, a block session forms that blocks traffic in both directions.
1136163 The local-in-policy session TTL does not follow the service session-ttl.
1139282 VIP with set ldb-method http-host sends incorrect FQDN in ClientHello to second realserver when using HTTP2.


FortiGate 6000 and 7000 platforms

Bug ID Description
790464 After a failover, ARP entries are removed from all slots when an ARP query of single slot does not respond.
976521 High CPU usage by the node process occurs when loading 7000 policies due to fetching all statistics in one request.
998615 When doing a GUI-packet capture on FortiGate, the through-traffic packets are not captured.
1062080 SNMP query returns an error when there is a large number of BGP routes.
1078334, 1103739 High cmdbsvr CPU usage and FTP hang issues occur during scheduled automation backup executions due to automated backups appending device serial numbers to file names.
1095936 Different sensors appear in the list of FIM1 and FIM2.
1096156 GUI unreachable due to certificates and private keys mismatches in a HA setup.
1097428 The Security Profile menu does not appear in the GUI for Global VDOM on FortiGate 6K/7K devices despite being accessible through CLI.
1102413 Session count for VDOMs incorrect in FortiGate 6K/7K devices.
1102481 Local-in remote access issues due to incorrect destination address.
1105009 The command execute load-balance slot manage X fails on FortiGate 6K/7K devices when admin-telnet is disabled and then re-enabled.
1108181 Unexpected behavior observed in the confsyncd daemon due to an erroneous memory allocation.
1109415 New SNMP MIB table for chassis sensor.
1109601 Sometimes graceful upgrade failed from 7.4.6/7.4.7 to a later GA release.
1109963 SFF-8472 diagnostic support was not recognized on SFP transceivers in FG-7941F systems.
1112581 On the FortiGate 7000F platform, after upgrading from FortiOS 7.4.7 to 7.6.2, cmdbsvr CPU usage can be at 99% on one or more FPMs for several minutes. During high CPU usage, FortiGuard packets cannot be synchronized to the affected FPM(s).
1115656 FG-6K session filter by source interface doesn’t set correct interface index.
1116862 Graceful upgrade of a FortiGate 7000E chassis to FortiOS 7.6.2 may fail for some configurations.
1118004 On a FortiGate 7000E FGCP cluster, after using the execute ha disconnect command to disconnect a chassis from the cluster, you can’t use the special management ports to connect to the FIM in slot 2 or to any of the FPMs of either chassis. You can still connect to the FIM in slot 1.
1121918 If ha-mgmt-intf is enabled, a newly joined HA secondary chassis fails to sync.
1124603 Traffic shaping causes traffic drop on FG-7000F.
1130218 Policies fail when Security Posture Tags are configured on SLBC platforms due to dynamic address sync issues outside HA mode.

FortiView

Bug ID Description
1125124 When running more than 1 million concurrent HTTP sessions across the firewall, and trying to access session list on FortiView in the GUI, packet loss and loss of a session are observed.

GUI

Bug ID Description
919473 Unable to move/migrate an interface using the "Interface Integrate" feature if there is an IPsec tunnel bound to it.
1047963 High Node.js memory usage when building FortiManager in Report Runner fails. Occurs when FortiManager has a slow connection, is unreachable from the FortiGate (because FMG is behind NAT), or the IP is incorrect.
1054026 Offline license file cannot be uploaded to FGT by GUI.
1055865 NodeJS errors when event log socket is closed.
1092489 The config system fortiguard > fortiguard-anycast setting was changed to automatically disable when the FortiGuard page is shown on GUI.
1097405 Patch schedule minutes are ignored when set through the GUI for automatic upgrades.
1099309 The FortiOS GUI fails to load topology-related pages when temporary files generated during Security Rating operations are mistakenly read by the REST API.
1101932 Phase-2 details not seen in the IPsec Monitor dashboard on FortiGate GUI.
1102404 VDOM search function does not work properly if VDOM has uppercase letters.
1110382 Admin can log in to GUI (HTTPS) with password, even when admin-https-pki-required is enabled.
1110827 GUI shows LAN interfaces that have an IP address in the network ranges 172.31.0.0/16 or 192.168.0.0/16 to be managed by IPAM, even though the feature is globally disabled.
1111113 When launching the GUI console using Jet Stream theme, the character spacing appears wider than usual.
1112716 No log output when running debug flow on GUI.
1114658 Improve Node.js health check from forticron to use IPC server in Node.js rather than HTTP server.
1115684 FortiOS GUI ignores the FortiCare Elite contract.
1118810 In the Asset Identity Center, the tooltip for IoT/OT Vulnerabilities says OT license is inactive even with full license.

HA

Bug ID Description
982081 After changing the status to down on the ha1 and ha2 ports, setting the status back to up does not bring up the ports.
1068674 PBA logs missing during HA failover.
1073514 In HA cluster, when a FortiToken is aggregated or revoked from a local.user, cluster is out of SYNC.
1085314, 1095879 Firewall policy page takes a long time to load on the HA Primary unit due to a loop condition between BGP and NSM when other protocols’ same route is redistributed to BGP.
1087924 HA secondary unit experiences high CPU usage when frequent changes are made to CMDB on the HA primary unit.
1088956, 1101490 Duplicated logs occur in FAZ during sniffer mode operation in HA active-passive setups because both active and passive FortiGates forward L2 packets to the IPS engine, causing duplicate entries.
1091189 The passive member in an A-A HA sends traffic with the virtual mac.
1091657 SDN connector limits the API traffic flow through root VDOM or HA management VDOM.
1095786 Traffic interruption occurs when performing a manual HA failback after an initial failover in VWP setups.
1098192 Joining a FortiGate with RAID enabled in an existing cluster causes the primary to shut down due to differing RAID statuses.
1100177 In an FGSP setup, on asymmetric TCP flow during SYN/ACK packet on the other member, the TCP MSS value is not adjusted according to the firewall policy.
1101456 In an HA setup, the aggregate interface status remains up after configuring 'status down' in FortiOS due to a race condition.
1101879 Multiple SCTP expectation sessions are created during resynchronization due to a flag allowing duplication.
1104892 Duplicate IP detected messages are seen from the secondary FortiGate in a cluster.
1105422 A "Detected Tx Unit Hang" error occurs on the HA secondary, causing it to become out-of-sync.
1107137 The secondary FortiGate with an HA Reserved Management Interface cannot be accessed using HTTPS after upgrading from version 7.4.3.
1108895 In an FGSP cluster, enabling and disabling standalone-config-sync results in the local dev_base being deleted and synchronized with the peer, which leads to the absence of the dev_base.
1109919 Cluster experiences split-brain when EMAC interfaces are disabled within a zone.
1110498 Add IPv6 destination support under HA management interface configuration.
1113842 New LACP interface is not shown under diagnose sys ha standalone-peers on both FGSP members.
1115190 The SNMP value of fgVWLHealthCheckLinkState on the secondary unit should always be set to dead(1).
1117725 HA is out of sync with checksum mismatch on CA certificate on all VDOMs.
1121117 When two HA clusters are on the same subnet, the L2 session-sync packets could be received by each other, even if they are from two different HA clusters.
1129088 The sessionsync daemon experiences high CPU usage when syncing expectation sessions under heavy SCTP traffic and FGSP enablement due to inefficiencies in the dump API.
1135866 HA second unit cannot sync firewall ZTNA dynamic address with HA primary unit after primary disables EMS server.
1137565 vSN support was added in 7.2.9, 7.4.6, and 7.6.1. However, FG-100F/101F support was missed by mistake.

FG-100F/101F does not support logical-sn.

1138763 IKE hasync loop and high memory consumption when peer address/port changes.

Hyperscale

Bug ID Description
1013892 Unexpected behavior observed in NPD when the threat feed object attempted to update manually in the HA pair.
1055443 Add ipv4/v6-session-quota back for software sessions in hyperscale VDOM.
1074547 SNAT session drops occur when kernel sessions become dirty in hyperscale VDOM environments due to inconsistent NAT resource allocation between software and hardware sessions.
1093287 Using fixed-allocation IP Pools may cause NP7 NSS/PRP modules to become stuck, potentially disrupting traffic. Other PBA IP pools do not have this issue.
1094162 The diag sys npu-session list-brief command now includes additional values for timeout, duration, and policy-id and an improved filter that includes EIF sessions to enhance its functionality and filtering capabilities.
1108263 HA configurations are lost if hw-sess-sync-dev is configured with more interfaces than expected. (The expectation is two times the number of NP7 chips.)
1114113 The get sys ha status command does not offer detailed interface statistics for hardware session sync devices.
1115761 When handling very high traffic loads (150M to 250M concurrent sessions), the system sometimes fails to free up memory, even after all sessions have been cleared and traffic has stopped.
1121524 Client could not get DHCP IP address with policy-offload-level set to full-offload.

Intrusion Prevention

Bug ID Description
1040783 FortiGate encounters CPU usage issue due to IPSEngine utilization when using an app-ctrl utm profile.
1090616 IPS does not pass channel ID/category ID from the first video in a YouTube playlist to WAD.
1101633 Child process that loads IPS database does not have CMDB permission to write to IPS table.
1107445 Remove IPS diagnose command diagnose ips cfgscript run.
1113473 When IPS generates traffic log for tunnel traffic, traffic log should include outer packet details.
1121953 IPSengine processes consume memory and can lead to the conserve mode.

IPsec VPN

Bug ID Description
1002325 When spoke re-authorization is enabled, shortcut tunnel rekey fails and the tunnel goes down when the SA expires. The shortcut tunnel flaps while it re-establishes.
1042465 VPN interface error counter increases, traffic intermittent when NPU acceleration is enabled globally.
1049015 IPsec performance issue on Intel-based platforms occurs due to FortiOS not enabling all available IPsec drivers.
1054440 Incrementing TX and RX errors on the VPN interface occur when NPU offload is disabled, busy CPU cores, or high burst traffic cause packet drops due to full queues on SoC3/SoC4 platforms.
1057558 Dialup and loopback-asymroute disable with multiple paths for IKE/IPsec traffic are configured. When the incoming ESP traffic changes path because of a routing change, reply traffic still egresses on the old interface, and traffic is dropped.
1059778 IPsec does not work as expected when the traffic path is from spoke dial-up to hub1, and then from hub1 to another site through a site-to-site tunnel.
1060048 Throughput is limited in Site to Site VPN connections between the FW1kF and the FWVM Google Cloud platform.
1064078 Egress shaper fails to enforce bandwidth limits on VPN ID with IPIP encapsulation IPsec interfaces due to incorrect handling of traffic forwarding across multiple network processing units.
1071769 L2TP/IPsec connection FortiGate-Windows Native VPN client breaks after the Windows client initiates the ISAKMP SA renegotiation.
1073670 An iked crash on the secondary unit caused IPsec client reconnects.
1087651 FortiGate does not correctly utilize timeout timers for 2FA with Remote Access over FortiClient VPN IPsec (IKEv2).
1094028 Unexpected behavior observed in the IKED after configuration changes when the phase1 monitor feature is used.
1103594 ADVPN IPsec traffic over shortcuts drops during IPsec tunnel rekey.
1103754 Failed HTTP sessions occur when passing through nTurbo due to improper handling of fragmented packets.
1107198 Transparent mode, policy-based IPsec VPN, local-out traffic automatically enters VPN.
1109028 With set peertype one, the FortiGate will not accept ID_IPV4_Address as peer ID for dynamic IPsec IKEv2.
1109627 IPsec VPN match-security-posture-tag feature won’t work when FortiClient is behind NAT.
1112665 Static Route is marked inactive, but the VPN IPsec is up.
1113354 Group list is truncated because of fixed-size buffers.
1116825 Juniper device unable to establish IKEv1 tunnel with FGT.
1117758 FGT fails to negotiate the encryption algorithm CHACHA20_POLY1305 against a third-party client.
1117910 iked spikes to 99.9% if client sends FIN after ike tcp session is established.
1120003 FortiGate presents certificate information when accessed using IPsec VPN listening interface.
1127444 For ADVPN 2.0 shortcut negotiation, UDP hole punching for spoke behind NAT uses source port 500 instead of 4500.
1136536 SIA IPsec VPN authentication fails on FortiSASE when number of groups is greater than 150 user groups.
1102547 IPsec IKEv2 with cert based auth and eap enabled tunnel comes up even though there is a certificate validation failure.

Log & Report

Bug ID Description
864002 Unauthenticated User mismatch with User in logs.
1004103 An Unable to fetch reports error is displayed when trying to view renamed FAZ reports.
1009584 FGT-VM64 has no crash log record and event logs for license status change from Valid to Warning.
1074460 Erroneous memory allocation results in intermittent HTTPSD disruption caused by a corrupted traffic log file.
1084934 Firewall logs show Object Object in GUI and dstintf="unknown-0" in raw logs.
1087534 When trying to load a large number of logs in Log Viewer, the page keeps loading and displays a warning message.
1091064 Forward traffic does not contain poluuid and policyname fields.
1100883 Forward Traffic log fetched from FortiGate Cloud takes a long time to load on GUI.
1107571 Some WiFi Log descriptions are inaccurate.
1116428 Observed Device vulnerability lookup on FortiGuard in high frequency under the system event log.
1118089 tmp files for log upload are not deleted even though FTP upload is complete.
1119147 Secondary device fails to generate reports at the set time.
1121505 On FG-200F, the Security Tab keeps loading on Log > Details > Security in Forward traffic Logs.
1122938 Syslog traffic uses the correct exit interface after a change in source interface but fails to update the source IP.
1129448 The body is partially missing from emails sent by alert mail.
1130821 IPS sensor log-attack-context output is both truncated and monitored with payload loss.

Proxy

Bug ID Description
958200 Packets captured by IPS indicates HTTP/1.1 in case of HTTP/2 request.
988473 On FortiGate 61E and 81E models, a daemon WAD issue causes high memory usage.
1014014 FortiGate to IMAPs server connection is not working with TLS 1.2 because of client hello includes TLS1.3 parameter.
1023054 After an upgrade on a 2GB FortiGate device, the firewall policy does not switch from Proxy-based to Flow-based in the Inspection mode field.
1051875 The IP SNI check for strict sni-server-cert-check is skipped due to a WAD process issue.
1066113 Accessing certain websites through HTTPS fails when using inspect-all deep-inspection in proxy mode firewall policy.
1096728 An error case observed in the WAD, affecting some VIP traffic, caused by erroneous memory allocation.
1107205 FortiGate encounters a WAD memory usage issue when using a secure explicit web proxy with WAD user authentication to visit some websites.
1116771 Add a limit on the memory used by user-device-store as a percentage of the total system memory.
1121171 Large file downloads through proxy HTTP2 are slow when IPS/APP/SSL inspect-all enabled.
1126253 When VDOM configuration file is restored, it changes the no-inspection profile under ssl-ssh-profile to deep-inspection.
1126385 WAD fails to handle deep-inspection traffic under FIPS mode.

REST API

Bug ID Description
943756 The API key remote could not be handled correctly for POST request /api/v2/cmdb/vpn.certificate/remote.
1019750 The available interfaces list is slow in configurations with many IPsec tunnel connections.
1026547 Sensor information through REST API on a FG-81F returns 404 error.
1071799 Failed to rename switch-controller managed-switch entries through the CMDB REST API.
1107698 Adding ipv6-trusthost under api-user overrides the ipv4-trusthost setting and allows all IPv4 source IP addresses.

Routing

Bug ID Description
897308 The system fib version does not match VDOM fib version in FG-1801F.
1008434 The speed-test result files are not deleted after test runs. The new test ID may collide with a previous result. In this case, the GUI may read a previously failed result and report errors.
1058283 Routing Widget is unresponsive due to high number of routes when using search to filter the routes and do route-lookup.
1058700 SD-WAN rule in load-balance mode limited to 8 active SD-WAN members.
1072311 BGP flaps occur when high L2P TPE drops are detected under heavy IPsec traffic conditions.
1080449 IPv6 prefix delegation does not add IPv6 route automatically.
1082842 The loopback interface does not appear as an outgoing option for BGP peer connections when configuring through the GUI.
1084851 When adding a new static route and prefix-list using the CLI, 0.0.0.0/0 takes effect despite the dst and prefix having an invalid format.
1084907 IPv6 routes are inactive when dual stack BFD is configured.
1086944 The BGP router-id fails to reset after editing the neighbor group settings because the dialog doesn’t properly handle the reset functionality.
1093215 Users can create a BGP neighbor without configuring remote-as using CLI, and after completing BGP neighbor configuration, neighbor will remain in admin down state.
1095307 When filtering an SD-WAN rule with a member, it fails to show results for physical interfaces with Alias names.
1099554 FortiGate uses link-local IPv6 address as nexthop in VLAN network, instead of global address.
1100529 BGP Stale route not working as expected.
1103212 GUI BGP AS number with asdot/asdot+ format silently drops the trailing 0s in the "set set-aspath" route-map config.
1105064 IPv6 traffic can’t match the correct firewall policy in certain SD-WAN cases.
1108192 Restore image from FTP server failed using SD-WAN.
1108874 SD-WAN Default_DNS performance SLA shows all participants of Default_DNS are down.
1109286 Incorrect priorities applied from Remote Health-checks.
1111233 auto-asic-offload disabled under vne-interface after upgrading from 7.4.6 to 7.6.1.
1111967 SD-WAN zone not selectable as interface in GUI for DoS policy, multicast policy, and central snat map.
1113929 Incorrect SDWAN rule is matched. fib-best-match is configured under zone.
1114687 SNMP response times out when querying SD-WAN health check.
1116924 In SD-WAN, when the detect mode Prefer Passive is used, the routing table is not updated in time.
1118891 ADVPN shortcut is established between different transport-groups.
1119119 Inadvertent behavior observed in BGPD due to erroneous memory freeing when applying route-maps.
1122021 FortiGate disregards SD-WAN members for path selection even when they are in SLA.
1128032 Traffic fails with Fabric Overlay Orchestrator using automatic policy creation with system zones.
1129698 When FortiAnalyzer setting interface-select-method is sdwan, FortiAnalyzer connection is closed and restarted, even though SD-WAN interface doesn’t change.
1133796 IPv6 routes are stuck on kernel routing table.
1138483 link-monitor daemon drops the trailing characters when a long hostname is used for SD-WAN health-check.

Security Fabric

Bug ID Description
903922 Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over 50). This issue does not impact FortiAP management and operation.
1006397 Granular failure details for each device in a federated upgrade are now reported, allowing users to identify individual devices with specific failure reasons during the upgrade process.
1011833 FortiGate experiences a CPU usage issue in the Node.js daemon when there are multiple administrator sessions running simultaneously.
1021684 In some cases, the Security Fabric topology cannot load properly and displays a Failed to load Topology Results error.
1090401 Error messages from netxd API calls are not displayed when running as a daemon because they are printed to stderr instead of the CLI.
1099235 Scheduled triggers do not include eventtime in log entries, causing automation scripts using %%log.eventtime%% to fail and generate filenames with missing or incorrect timestamps.
1101806 Failed to trigger Security Rating Summary event automation stitch due to issue with log field ID.
1111619 The replacemsg-group in automation-action gets unset when system reboots.
1113463 FortiGate Azure connector fails to retrieve AKS information on AKS 1.29.5.
1119616 Externally maintained threat feed contains both resource FQDNs and IP address ranges/subnets. Entry such as <addr>/0x1 then matches half of all possible IPv4 address and causes network disruption.
1120652 Fabric topology with two devices on different VDOMs but behind the same router shows wrong VDOM data on tooltip.
1134970 Inconsistent DNS TTL behavior in Kubernetes API through SDN-Connector.

Switch Controller

Bug ID Description
1015992 Cannot disable Lockdown ISL setting on FortiLink.
1016034 Lockdown ISL setting on FortiLink is enabled automatically after HA failover.
1108965 Config sync error due to dhcp-snooping-static-client.
1113465 VLAN configurations intermittently fail to assign on FSW ports when devices matching DPP policy come online, which is caused by a race condition during FSW initialization.
1130242 Partial SNMP community configuration gets pushed from the FGT to the FSW.
1138333 Increase efficiency of FortiLink configuration daemon memory usage.

System

Bug ID Description
814119 drop-overlapped-fragment {enable | disable} does not work on NP7 platforms.
932077 Connection issue between SOC4 platform and Hirschmann GRS 105 switches since SOC4 doesn’t support certain carrier extension signals.
976722 Invalid YAML files are generated when exporting configurations containing multi-value attributes or long strings with newline characters.
992323, 1056133, 1075607, 1082413, 1084898 Traffic interrupted when traffic shaping is enabled on 9xG and 12xG.
1017941 GUI interface bandwidth shows Tetrabyte spike for Gigabyte interface.

Affected platforms: FGT-220xE and FGT-330xE

1040137 NPD skips config parsing when policy-offload-level set to disable.
1040489 Traffic using VXLAN VTEP with a loopback over an IPsec VPN is dropped when VXLAN and IPsec are configured in different VDOMs due to incorrect tunnel creation success indicators.
1046484 After shutting down FortiGate using the "execute shutdown" command, the system automatically boots up again.
1069208 If the DHCP offer contains padding when DHCP relay is used, the DHCP relay deletes the padding before relaying the packet.
1075279 Member interfaces of VWP appear in packet capture creation dialog despite being ineligible.
1076883 When the top application bandwidth feature is disabled, the GUI process still performs the initial check for application bandwidth, which may cause FortiCron to experience high CPU usage.
1077562 Hardware egress shaping doesn’t work on SOC5 when NPU offload is enabled.
1078119 Traffic is intermittently interrupted on virtual-vlan-switch on SOC5 based platforms when a multicast or broadcast packet is received.
1078568 When FortiManager adds FortiGate via serial number and is behind NAT, FortiGate cannot initiate requests to FortiManager, causing the GUI to fail in retrieving the certificate CN/SAN and resulting in an error.
1079850 HA1/HA2 ports remain down after setting status to up. Rebooting fixes the issue.
1085407 FortiGate unresponsive when default-qos-type is set to shaping.
1086268 VXLAN interface cannot be created if its underlying interface is DHCP.
1087160 NP drops traffic when VXLAN is a member of software switch in implicit mode.
1087270 Unexpected traffic increase over the FortiGate 6000 base backplane.
1089143 The time change in FOS is restored after reboot. The RTC node is not created correctly so the time change can’t be kept in RTC.
1089272 The inability to view or click the "+" sign occurs when a user is assigned an admin profile with only read access, restricting actions that require write privileges.
1090372 Cannot create more than seven access profile entries on a FortiGate 40F.
1091175 Incorrect values show on the Interface Bandwidth monitor and SNMP.
1091551 Hardware limitation on the NP7 platform causes the following QTM related issues:

  • Incorrect checksum for fragments after QTM.
  • Packets longer than 6000 bytes cause QTM unresponsiveness.
  • Refresh issue causes QTM unresponsiveness.
  • MTU is not honored after QTM, so packets are not fragmented.
1094404 State of peer ports of FGT ports (negotiated speed, 1G) is down after upgrade on specific FGT.
1095834 Memory usage of node process continuously increases when FortiManager is configured but unreachable.
1096409 EXPIRE dates cannot be displayed properly when displaying the output of get sys fortiguard-service status.
1096878 DNS cache flushing occurs too frequently due to unnecessary interface-reload events triggered by DHCP6 packets and SLAAC updates.
1099770 NP7 drops encrypted GRE packets that have checksum bit set (1) due to invalid checksum.
1101392 Administrators can execute the command diagnose sys ha reset-uptime when the Admin Profile permission is set to Read.
1101647 FortiGate encounters a CPU usage issue for the cmdbsvr process.
1102416 Cannot push config sfp-dsl enable and vectoring under interface.
1103146 Duplicated RADIUS packets are captured by the sniffer when performing firewall authentication with a RADIUS server.
1103966 FG901G gen1/2 boxes: "diag hardw test asic" reports FAILED.
1104410 The FortiGate-120G SFP ports fail to establish connectivity when configured with set speed 1000full due to improper auto-negotiation handling.
1104966 SNMP fgDiskCount.0 OID does not return the disk count value.
1105989 System global configuration lost due to port collision.
1105995 The switch MTU is not set correctly at 100M speed.
1109633 The FGT prompts the user to choose a certificate during login, even when no PKI admin is set.
1110527 FortiGate did not update password-expire time on the start or end of daylight savings time.
1111601 FortiGuard sends IP addresses to proxy instead of FQDNs.
1112376 Unexpected behavior observed in the newcli daemon due to inconsistencies in node registration between cmdbsvr and other daemons.
1113720 Traffic does not work with Proxy-ARP over the VXLAN network (VXLAN VTEP with the loopback over IPsec VPN configuration).
1115486 Virtual switch interface drops LLDP packets.
1116922 FortiGate encounters a memory usage issue if too many ports have LLDP reception enabled.
1117435 Add new SNMP OID fgAdminLoggedInTable for get sys admin list.
1117527 VXLAN interface should be brought down when the underlay interface is down.
1119595 FGT does not change the IP address of the FortiGuard FQDN that is set in "central-management".
1120467 No SNMP trap at power failure for DC PSU.
1120907 High traffic load on a particular interface causes packet loss on other interfaces of the FortiGate.
1122306 Typo in log-controller-update request.
1123727 Offload failed when egress shaping applied on VLAN interface on SOC5 platform.
1124024 When append-index is set to disable in system.snmp.sysinfo, querying the per-VDOM BGPPeerTable might return incorrect results because the table is not updated.
1125301 FortiGate stuck after reloading configuration that contains expired user passwords.
1125947 FortiGate encounters a memory usage issue due to usage by HTTSD.
1126100 Expired user passwords are stored as plaintext in configuration files when password history is enabled.
1126327 The SNMP query for fgSwPortSwitchSerialNum gives switch name as the output instead of SN.
1128087 In new version of RDP client, FortiGate drops some RDP sessions due to IPv6 extended headers.
1133159 Inbandwidth setting not respected with large number of class IDs in shaping profile.
1133842 Packet dropped with 'DCE_IVS_IGR_DIR_DROP' over hardware switch.
1142013 Policing improvement for QTM by limiting buffer size or switching to TPE (shaping-profile mode of config).

Upgrade

Bug ID Description
1043815 Upgrading the firmware for a large number (100+) of FortiSwitch or FortiAP devices at the same time may cause performance issues with the GUI and some devices may not upgrade.
1102990 SLBC FortiGate 5001E primary blade failed to install image, even though graceful-upgrade was disabled.
1104649 In 7.6.1 and 7.6.2, if a local-in policy, local-in-policy6, DoS policy, interface policy, multicast policy, TTL policy, or central SNAT map is used in an interface in version 7.4.5, 7.6.0, or any previous GA version that was part of the SD-WAN zone, these policies will be deleted or show empty values after upgrading to version 7.6.1 or 7.6.2.
1105771 Upgrade from 7.4.6 GA to 7.6.1 GA results in an incomplete WAD device memory list table and triggers WAD error.
1106072 The image file transfer between FortiManager and FortiGate may not work as expected when transferred by the FGFM tunnel.
1110809 Egress-shaping-profile setting lost on interface after upgrade.
1114232 When upgrading FortiGate from earlier than 7.4.1 to 7.4.1 or later, system.replacemsg.webproxy configuration is lost.
1123954 Upgrading FortiOS from 7.2.10 to 7.4.5 will automatically enable FortiGuard updates without a warning.
1130861 FG-4401F enters a reboot loop after upgrading from 7.2.9 GA to 7.4.6 GA with a large config file (more than 10K policies).

User & Authentication

Bug ID Description
1017348 Memory usage by fsso_ldap daemon increases continuously when the LDAP server responds with "LDAP_UNWILLING_TO_PERFORM" due to an unhandled memory allocation issue.
1020808 Use new keys for certificate renewal through EST server.
1025260 Wildcard admin remote authorization password change in system GUI does not work.
1043189 Low-end FortiGate models with 2GB memory can enter conserve mode when processing large amounts (over 5000 user records) of stored user store data, when each record has a large amount of IoT vulnerability data. For example, the Users and Devices page or FortiNAC request can trigger the following API call that causes httpsd process to spike in CPU and memory:

GET request /api/v2/monitor/user/device/query

1054818 Password encryption changed for config vpn certificate local without actual certificate changes.
1075207 Errors may occur in the FNBAMD due to the presence of two wildcard-enabled remote administrators in separate VDOMs.
1077636 No SNMP trap available to detect FSSO external connected status change.
1091483 When importing local certificate, GUI displays an error, even when certificate is correctly imported.
1093538 In SAML config, after enabling "AD FS claim" (Active Directory Federation Services) and rebooting, the "Attribute used to identify users" and "Attribute used to identify groups" fields are blank.
1093542 FortiGate admin user authentication with token+RADIUS fails when wildcard user is configured.
1093654 FGT uses global DNS when attempting to provision a certificate through SCEP or EST.
1105305 Guest user not removed past expiry time.
1119143 Unable to view local certificate in GUI or CLI after certificate import.
1121987 Overlapping text when viewing FSSO user login groups membership.
1136244 RSSO not working on 7.6.x with Cisco Meraki MX.

VM

Bug ID Description
999842 Azure fails to honor seamless live migration.

In most cases, the public IP to private IP NAT fails to forward traffic from/to SD-WAN.

1012000 When unicast HA setup has a large number of interfaces, FGT Hyper-V takes a long time to boot up.
1094600 The system.virtual-wire-pair and system.vxlan do not work on cloud images (Azure, AWS, GCP).
1101264 On Azure-FGT A-P HA cluster with SDN connector v7.4.5, the failover time increased from 2-4 timed-out requests to 10-12.
1102434 Configuring VRF on hbdev causes FGT VM HA not to sync.
1107007 samld stops working when certificate set to Fortinet_Factory in user SAML.
1107933 GRE decapsulation tasks use a single CPU core on AWS FortiGate with ENA NIC drivers.
1107962 Dynamic addresses are removed/added every few seconds when the OCI SDN connector fetches only the first page of API results.
1109724 Azd daemon on Azure NVA keeps consuming memory until FortiGate enters conserve mode.
1113362 FGT-VM64-AZURE cannot establish connection with other FGTs in the Security Fabric tree.
1121521 Azure SDN connector does not properly catch AKS cluster state.
1121974 Due to continuous disk logging, slab memory for dentry continuously increases in FortiGate VM.
1128351 Configuration fails to fully apply during bootstrap when the reboot function does not trigger an immediate reboot, causing cloudinit to re-run with insufficient tablespace.

Web Filter

Bug ID Description
874516, 1100819 SMB traffic fails when the file server uses AES-256-GCM/CCM encryption with FortiOS.
906603 For newly created webfilter profile, GUI commits local and remote categories’ Allow action to Monitor.
1099818 Output of diagnose webfilter fortiguard cache dump command shows the message "Cache is not enabled".
1107456 FG-120G webfilter.profile tablesize is incorrect.
1110668 Add an option to control whether webfilter.urlfilter simple-type entries match subdomains.
1110850 The value for x-forwarded-for is not properly displayed in the log on AWS environment.
1118132, 1122036, 1127984 Webfilter local category override not working after reboot in flow mode.

WiFi Controller

Bug ID Description
823387 Email addresses collected from the captive portal do not show up under the user column under WiFi clients.
921080 The FortiGate hostapd does not support an IPv6 address for the RADIUS server.
987030 Unexpected behavior observed in the CAPWAP daemon when managing multiple APs and clients through dynamic VAP changes.
1013892 On FortiGates in an HA pair, the npd process does not work as expected when trying to manually update the threat feed.
1030197 For an SSID with radius-mac-auth and radius-mac-auth-usergroups in HA environment, the secondary unit is missing some information, and traffic is blocked after failover.
1039985 Erroneous memory allocation observed in the CAPWAP function on NP6 and NP6XLite platforms due to a rare error case.
1080094 Offline station data consumes excessive memory when the sta-offline-cleanup or max-sta-offline settings are not configured.
1083395 In an HA environment with FortiAPs managed by primary FortiGate, the secondary FortiGate GUI Managed FortiAP page may show the FortiAP status as offline if the FortiAP traffic is not routed through the secondary FortiGate.

This is only a GUI issue and does not impact FortiAP operation.

1086128 An error condition in CAPWAP occurred due to a rare case.
1089999 FAPs remain offline post-upgrade when using image stored on FortiGate.
1094415 VLAN pooling does not work as expected on the SSID after FGT upgrades from 7.4.1 to 7.4.5.
1096961 When using FMG to upgrade FAP, FGT did not generate AP image receive success log (ID 43618).
1098727 Enable 5GHz channels 52-64, 108, 116-128 for FAP-231G-P, 431G-P Uzbekistan. (Uzbekistan has no DFS certification process.)
1100220 External/FortiGuest MPSK COA disconnect is not functional.
1101583 Intermittent traffic disruption observed in cw_acd caused by a rare error condition.
1102808 APs disconnect from the firewall when new configurations are applied.
1108726 FortiAPs periodically lose connectivity with FortiGate (acting as WLC) due to an error case.
1114144 WSSO firewall authorization session cannot be created when FGT receives multiple group attributes, and the first group does not exist.
1114311 Packets are incorrectly routed when FAP management interface uses clear-text dtls-policy in a software switch with explicit intra-switch-policy.
1123829 Support legal firewall policy when SD-WAN/zone member interface manages FAP with dtls-policy set to ipsec-vpn.
1128272 FGT-120G PPPoE interface cannot manage teleworker FAP-231F.
1130750 Managed AP 5 GHz radio channel override value missing after changes on AP-profile.
1133829 FAP stays offline after the FGT is rebooted.
1139749 FortiGate does not honor source IP for MPSK RADIUS requests.

ZTNA

Bug ID Description
1101022 FortiClient gets a blank page when doing SAML authentication due to the use of a stale user node.
1107986 Should be unable to select geography object in ZTNA proxy-policy.
1111112 Unable to configure more than eight mapped ports for access proxy realservers when the limit is 16.
1114976 ZTNA policy matching failed due to an accidental deletion of firewall.policy with ZTNA tags when the firewall.policy is updated.

Vendor notes: FortiOS 7.6.3 Release Notes

Regards,

The B&B Team
Bezpieczeństwo w biznesie
