Software vendor Fortinet has released the latest update for FortiAnalyzer, version 6.4.8. The new version fixes the FortiView widget processes that caused slow performance. SD-WAN link monitoring, which reported incorrect bandwidth values, has also been repaired. As of version 6.4.8, integration with FortiMail has been improved and RADIUS authentication has been corrected. Read on for more detailed information.
Resolved issues:
Device Manager
| Bug ID | Description |
|---|---|
| 626506 | When FortiManager sends syslogs to FortiAnalyzer, the FortiManager device may appear twice as unauthenticated devices. |
| 638080 | FortiAnalyzer ha-member-auto-grouping may not work for FortiGate HA devices. |
| 687527 | CSF cannot be formed when including FortiGate-6000 or FortiGate-7000 series as blades are not prompted on Device Manager. |
| 695804 | Device Manager may not show FortiGate Fabric members under the root Fabric tree. |
| 749455 | FortiAnalyzer may incorrectly detect FortiNAC firmware version. |
| 753567 | In some rare cases, only some fabric devices may appear in the fabric group tree. |
FortiSOC
| Bug ID | Description |
|---|---|
| 784786 | Selecting a log group returns an "invalid params" error under FortiSoC > Event Monitor > All Event. |
FortiView
| Bug ID | Description |
|---|---|
| 579910 | SOC should show AP SSIDs and clients from event logs when the service profile is in bridge mode. |
| 640553 | FortiView monitor WiFi widget is not showing bridged SSID information. |
| 678044 | FortiAnalyzer may not show rescan icon, and drill-down for rescan may show an empty page. |
| 691570 | FortiAnalyzer may not be able to cancel IOC re-scan task. |
| 723799 | Policy Name may not show up under FortiView > Traffic > Policy Hits > Policy Column for policies with name information. |
| 727056 | SD-WAN Monitor may show incorrect bandwidth. |
| 741910 | Top Cloud Applications may show 0 KB utilization under the Bandwidth column. |
| 742005 | FortiView widgets may take a very long time to load. |
| 751295 | FortiView Secure SD-WAN and Secure SD WAN report should display correct information for Health Checker’s packet loss. |
| 753911 | Monitor should be able to show values with faster response time. |
| 756502 | Exporting the "Top Apps by Installs" chart to a report may fail. |
| 781460 | Adding filters and drilling down returns an error; "Invalid params:" is shown for the "Top Threats" chart or list. |
Log View
| Bug ID | Description |
|---|---|
| 653765 | Some log files under Log Browse may contain a mix of event and traffic messages. |
| 656507 | FortiAnalyzer may lose sorting when clicking the header column in Log Browse. |
| 661094 | In Log View, importing log may fail. |
| 674027 | Filtering FortiClient event logs with a wildcard "UID" filter returns no data. |
| 717160 | FortiAnalyzer may show duplicated entries when filtering real-time logs in Log View. |
| 726340 | oftpd may not work properly if many log requests are received at the same time. |
| 735065 | FortiAnalyzer may not handle many re-connection requests, causing FortiGate devices to log system events on disconnecting or connecting. |
| 740046 | ADOM archive should not be higher than the configured value. |
| 745724 | Bandwidth data from SD-WAN event logs may not be inserted. |
| 746596 | FortiAnalyzer may be showing two VDOMs, root and default, in Log Browse for FortiClient devices. |
| 750515 | FortiAnalyzer may stop receiving logs every day until it has been rebooted. |
| 752407 | FortiAnalyzer Log View filter vanishes after displayed log details and returns to the log page with filter. |
| 755515 | FortiGate may show "Failed to get FAZ's status. Authentication Failed. (-19)" when the device has been authorized and is sending logs to FortiAnalyzer. |
| 755988 | FortiAnalyzer should support more than 128 characters in the "from" and "to" log fields for FortiMail's History logs. |
| 759107 | FortiAnalyzer may gradually stop receiving logs due to leaks in receiving buffers. |
| 760597 | FortiAnalyzer shows improper subject field values for FortiMail logs and in log details when the log has Cyrillic symbols. |
| 777233 | FortiAnalyzer stops receiving logs randomly and CPU utilization by OFTPD spikes to 100%. |
| 781113 | The custom view should list all the used filters. |
Others
| Bug ID | Description |
|---|---|
| 660310 | Drilldown compromised host from FortiGate may not work. |
| 676446 | FortiAnalyzer should change login-max and docker-user-login-max range from 1-32 to 1-256. |
| 687180 | When using the operator ">=" for "Greater than or Equal to" in the FortiAnalyzer CLI, it does not accept the syntax and throws an error. |
| 698361 | SNMPv3 engineBoots may not properly be initialized. |
| 701753 | SIEM database should be trimmed at the same time when quota enforcement occurs. |
| 712159 | When FortiAnalyzer is changed to Collector mode, siemdb should automatically stop working. |
| 714991 | The login interface may crash if user inputs pre-login banner text in encoding other than UTF-8. |
| 716576 | User with read-only permissions cannot get the list of ADOMs via JSON request. |
| 723113 | High CPU usage has been observed after firmware upgrade (v5.6.8 to v6.4.5). |
| 726012 | FortiAnalyzer requires a FortiGuard Indicators of Compromise license in order to see compromised hosts. |
| 730214 | The "diag dvm support list" does not have FortiWeb v6.4.0 GA and FortiMail v7.0.0 GA. |
| 730554 | FortiAnalyzer HA may use high memory usage. |
| 744293 | Several extra ports are opened when scanning FortiAnalyzer HA cluster’s virtual IP. |
| 744918 | Fortilogd may not write logs for FortiGate-401E-DC. |
| 745025 | HMAC given in log-checksum md5-auth option does not match. |
| 746022 | There may be multiple siemdbd crashes on "redisAppendCommand". |
| 752817 | Log disk usage may frequently reach 99% due to calculation on the siemdb size. |
| 755843 | There may be many errors showing "could not read block 0 in file" in pgsvr.log. |
| 756659 | When rebuilding the database on the FortiAnalyzer HA's secondary unit, it may get stuck at 1%. |
| 756846 | Under Microsoft Azure, FortiAnalyzer HA’s secondary IP does not move to new primary after HA failover. |
| 758028 | FortiAnalyzer may frequently send "csf-check" requests, causing miglogd to consume 99% of the CPU resources. |
| 758237 | The sqllogd may take a long time to startup. |
| 761200 | Several old files on "/drive0/private" were not cleaned up automatically. |
| 765146 | Disk I/O is at 100% with no log insertion because a device is wrongly recognized as a cell phone with multiple IP addresses. |
| 784028 | Due to the FortiClient’s log upload, several OFTP long idle sessions have been observed. |
Reports
| Bug ID | Description |
|---|---|
| 683353 | After exporting a report template from FortiAnalyzer 6.2 and importing it into a later version, FortiAnalyzer may show the error "Invalid Device or Vdom". |
| 725119 | Running the default report User Detailed Browsing Log finishes successfully without displaying any data. |
| 737878 | GUI’s scrollbar shows up partially on Output Profile configuration. |
| 756363 | Template Secure SD-WAN Report may not show a graphic that includes both the SLA Name Object and WAN Interface fields. |
| 779952 | Cyber Threat Assessment should show IPS attack count 0 when there are no IPS logs. |
System Settings
| Bug ID | Description |
|---|---|
| 669402 | FortiAnalyzer may not time out an admin session after many hours. |
| 682026 | When creating a log forwarding entry, user should be able to select a FortiADC device from GUI. |
| 693584 | Syslog server can only send via UDP, and not TCP with TLS option configured. |
| 710986 | An existing log forwarding entry is gone after its status changed from On to Off. |
| 721627 | FortiAnalyzer HA cluster always uses VIP for log forwarding to server instead of another interface. |
| 722250 | When Device Manager’s permission is set at Read-Write and System Settings’ permission is set at Read-Only, SAML login user cannot create new or edit ADOM. |
| 730296 | RADIUS authentication using mschap2 may not work. |
| 748184 | FortiAnalyzer may show ADOM that stores logs that exceeds FortiAnalyzer log storage criteria. |
| 759809 | FortiAnalyzer should have time zone information for local logs. |
| 765818 | The forwarded CEF start time is different than the original timestamp of the log. |
| 768789 | Swap file size is restricted and cannot be increased when storage is less than 1TB. |
| 769813 | Several FortiAnalyzer service and daemons crashed due to the swap file size restriction. |
| 773055 | Archive percentage should not exceed 100% of the disk space allocated. |
| 774553 | FortiAnalyzer's GUI Login "Force to change password upon next log on" feature does not work. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE references |
|---|---|
| 770573 | FortiAnalyzer 6.4.8 is no longer vulnerable to the following CVE-Reference: |
Known issues:
FortiView
| Bug ID | Description |
|---|---|
| 770206 | FortiAnalyzer may take more than two minutes to show log details in the Top Threat view with two filters. |
Log View
| Bug ID | Description |
|---|---|
| 765710 | When service is not in the log entry, filter based on negative service still should show related logs in the filtered result. |
System Settings
| Bug ID | Description |
|---|---|
| 734001 | FortiAnalyzer HA may randomly fail-over. |
| 759601 | FortiAnalyzer using Azure AD SAML SSO may show "invalid_logout_response_error" after logout. |
Vendor release notes: FortiAnalyzer 6.4.8
Regards,
The B&B Team
Security in business
