Software vendor Fortinet has released an update for FortiClient 7.2.2 for Windows. The update contains many fixes covering ZTNA connection rules, the web filter, and the graphical interface itself. In addition, FortiClient for Windows is not vulnerable to information disclosure in the agent log.
Resolved issues:
ZTNA connection rules
Web Filter and plugin
Bug ID | Description |
---|---|
867483 | Web Filter does not give warning message. |
915287 | Extension does not properly apply safe mode HTTP header restrictions. |
919419 | Web Filter with FortiGuard Anycast spamming blocks (Unknown) alerts in Notifications. |
GUI
Bug ID | Description |
---|---|
913777 | Action for cookies should be moved from Advanced > VPN to Settings. |
926401 | GUI error log should be in info log Failed to load REG_SSLVPN_SERVICE_PORT. |
943787 | Message keeps popping up on endpoint after user acknowledges it. |
Endpoint control
Application Firewall
Bug ID | Description |
---|---|
853451 | FortiClient blocks PIA VPN. |
853808 | Excluding IPS signatures from Application Firewall (Detect and Block Exploits) is not possible. |
876265 | Zip Files become corrupt with Application Firewall enabled. |
897207 | Application Firewall blocks Microsoft 365 Defender device isolation. |
FSSOMA
Bug ID | Description |
---|---|
841316 | Some FortiClient single-sign on mobility agent (FSSOMA) versions do not present client certificate to FortiAuthenticator. |
862021 | Local account can access Internet if FSSOMA is logged in and user locks the screen. |
888721 | SSOMA does not report the domain/user information to FortiAuthenticator in hybrid Azure Active Directory (AD) setup. |
893985 | FSSOMA creates issue with tenant ID on FortiAuthenticator in standard AD setup. |
Configuration
Bug ID | Description |
---|---|
864571 | Configuration backup file contains wrong default port of 65535. |
897927 | FortiClient causes reboot on domain controllers. |
Install and upgrade
Bug ID | Description |
---|---|
896152 | FortiClient shows Update failed – Error occurred! popup after reboot. |
905132 | Failed to upgrade FSSO 7.2.0 to 7.2.1 with installer that FortiClientSSOConfigurationTool created. |
907340 | Telemetry connection requires reboot after install. |
915493 | Reboot popup does not display. |
926815 | Host_verification_xml is missing after upgrading FortiClient 7.2.0 to 7.2.1. |
Logs
Bug ID | Description |
---|---|
923245 | FortiClient logs do not include time zone. |
935428 | Frequent log floods other logs in FortiTray and makes debugging difficult. |
945992 | Diagnostic result is missing FortiClient (Windows) local log. |
Zero Trust tags
Bug ID | Description |
---|---|
928574 | Logged in Domain tags do not work for Azure AD domains. |
931490 | ZTNA tag is not removed after vulnerability is resolved. |
932828 | Registry key ZTNA tag does not work when comparing DWORD type data. |
911533 | AD group ZTNA tag does not calculate on EMS and FortiClient. |
919595 | ZTNA tag rule does not work for Bitlocker disk encryption. |
Vulnerability Scan
Bug ID | Description |
---|---|
908266 | FortiClient fails to detect vulnerabilities due to FCM skipping certain VIDs when scanning. |
920439 | Vulnerability scan reports excluded applications. |
944404 | Upgrade OpenSSL to 3.1.2: third party component upgrade required for security reasons. |
Remote Access
Bug ID | Description |
---|---|
702764 | IPsec VPN connection fails with error: Certificate Was Not Loaded. |
800934 | DH group settings are not read-only for tunnel that EMS pushed. |
801747 | New XML tag <block_outside_dns> should be configured per-tunnel. |
811458 | Connecting to SSL VPN fails after installing Windows update KB5013942. |
824165 | SSL VPN reconnection does not work when using turn-based FortiClient connection vs. PPP method. |
838231 | Some users fail when using SAML authentication with SSL VPN. |
851093 | IPv6 DNS requests do not work. |
855836 | Remote VPN is visible when on-fabric when it should be hidden. |
858696 | FortiClient (Windows) cannot connect to SSL VPN with SAML via Satellite ISP. |
886928 | VPN before logon displays FortiClient credentials prompt if using user@domain.local format for username. |
893958 | FortiClient (Windows) does not support autoconnect in this session (CREDENTIALPROVIDER). |
904923 | SSL VPN with external DHCP servers requires DHCP option 12 hostname. |
905354 | Split tunnel with SSL VPN does not work. |
906617 | SSL VPN with certificate and token does not work as expected when connecting from tray icon in Windows 10 x64. |
907361 | IPsec VPN IKE v1 and v2 blocking IPv6 does not work. |
907518 | FortiClient can connect to VPN without proper remote secure access tag. |
909699 | Autoconnect only when off-net fails to connect if remote gateway network is down then up. |
912255 | SSL VPN stays connected even though there is no network connection to the VPN gateway when DTLS is enabled. |
914414 | When VPN before logon is configured, FortiClient does not initiate SSL VPN when Use Windows Credentials is enabled. |
918669 | Single user mode VPN disconnects if user locks then unlocks Windows. |
920805 | With multifactor authentication enabled, SSL VPN may fail to work. |
920870 | GUI does not support encryption as NCSC support defines. |
923869 | FortiClient retries multiple times to connect to VPN with Azure AD autologin when user belongs to more than 100 groups. |
925710 | For split tunnel exclusions, local routes are added with incorrect next hop on multihomed devices. |
926174 | DNS has delays on SSL VPN with Same as client system DNS error and DNS server is unreachable over VPN. |
926774 | Azure SAML VPN fails to autoconnect after machine wakes from hibernation. |
927083, 937347 | SAML login window does not come up when clicking SAML Login button. |
927825 | Host check for firewall does not work with FortiOS 7.0.12. |
929177 | IPsec VPN IKE v2 with preshared key or certificate-based with EAP enabled fails to connect. |
931326 | Invalid server address or port number. error occurs during upgrade. |
931680 | VPN before logon on Windows 11 build 7129 does not work as expected. |
938746 | Secure remote access with SAML tries to connect when it should be blocked. |
943208 | FortiClient (Windows) continuously autoconnects after manual disconnection. |
945056 | FortiClient (Windows) does not save Azure SAML authentication cookies in local storage and is missing SAML_VPN_COOKIES key. |
947956 | FortisslVPNdaemon.exe indexes the FortiClient installed location on port 8053. |
950199 | FortiClient (Windows) sends no DTLS encrypted alert to FortiGate when disconnecting SSL VPN DTLS tunnel. |
950815 | SSL VPN SAML login fails to work when using Okta for initial authentication. |
951164 | FortiClient (Windows) does not save SAML login credentials when Save Password is enabled. |
953853 | SSL VPN SAML login shows black login page if FortiClient (Windows) cannot reach IdP. |
Malware Protection and Sandbox
Zero Trust telemetry
Bug ID | Description |
---|---|
911495 | FortiClient fails to autoregister to FortiClient Cloud due to Telemetry key mismatch. |
922757 | ZTNA registry tag rule crashes FortiNSNAC and causes FortiClient to fail to sync EMS profile and deregister. |
953263 | FortiESNAC process has memory leak. |
953521 | Feature shows as hidden when EMS does not configure it being hidden. |
Deployment and installers
Bug ID | Description |
---|---|
942984 | EMS shows wrong scheduled time under endpoint details page for endpoint user-scheduled FortiClient (Windows) deployment. |
Endpoint management
Bug ID | Description |
---|---|
904348 | FortiClient (Windows) and EMS detect encryption status as not enabled when only one hard disk has encryption (Bitlocker) enabled. |
PAM
Bug ID | Description |
---|---|
864571 | Backup configuration contains wrong default port of 65535. |
868822 | PAM does not support some video parameters such as resolution, color, and so on. |
905506 | Recording shows black screen for SQL Server Management Services. |
908671 | PAM does not include private HTTP header (x-complete: true) to signal the file is finished uploading. |
909164 | PAM does not support live streaming. |
912655 | FortiPAM secret launchers do not launch correctly when accessing FortiPAM via external DNAT. |
914874 | FortiClient PAM component does not report that video monitoring has stopped. |
917230 | If some CLI launch (mysql shell) closes quickly, PAM GUI keeps loading for 15 seconds, then response error displays. |
918352 | Client executable integrity check. |
918486 | No video-Finish received in FortiPAM. |
930761 | "Unchecked runtime.lastError: The message port closed before a response was received." error displays with PAM agent. |
931648 | FortiClient PAM is not disabled in the MSI MST when it is disabled in the installer package. |
939187 | PAM session recorded video from extension has incorrect length because information is missing in mpd file. |
946105 | PAM does not include FortiClient version, OS type, and build number. |
FortiSASE
Bug ID | Description |
---|---|
930967 | FortiClient (Windows) cannot establish FortiSASE VPN with Azure SAML AD user and Windows Defender blocks FortiClientConsole.exe. |
Other
Common Vulnerabilities and Exposures
Bug ID | Description |
---|---|
957936 | FortiClient for Windows no longer is vulnerable to exposing sensitive information in the agent log. |
Vendor release notes: FortiClient 7.2.2 (Windows)
Regards,
The B&B Team
Bezpieczeństwo w biznesie