FortiOS 5.4.10 

Nowa wersja oprogramowania FortiOS oznaczona numerem 5.4.1 została wydana. W najnowszej odsłonie z linii 5.4.x zostało wprowadzone kilka poprawek oraz załatano kilka błędów. Zachęcamy do aktualizacji Firmware na swoich urządzeniach.

Urządzenia które wspiera wersja FortiOS 5.4.10 to:

FortiGate

FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,
FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE,
FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE,
FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG600C,
FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,
FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C,
FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi

FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D,
FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE

FortiGate Rugged

FGR-60D, FGR-90D

FortiGate VM

FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND,
FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-HV, FG-VM64-KVM,
FG-VM64-OPC, FG-VMX, FG-VM64-XEN

Rozwiązane problemy:

AntiVirus
Bug ID Description

446793 Too many files pending in forticloud-fsb even though quard used memory is normal.
461707 FortiGate cannot generate replacement messages properly when FortiGate set block
oversize for SMTP.

Firewall
Bug ID Description

371526 realserver persistence with shaping-policy does not work well.
466602 U-turn traffic in Transparent mode VDOM does not check the incoming firewall policy.

FortiView
Bug ID Description

433630 FortiView All Sessions shows no data if PC and FortiGate timezones are different.

GUI
Bug ID Description

450919 IPS sensor with >= 8192 signature entries should not be created from GUI.
462011 GUI is blank when access with RADIUS user with read-access profile and the FortiGate is managed by FortiManager.
485386 Adding a signature on existing IPS sensor profile gives internal server error -500 error message on web GUI.
486346 Ambulance context icon present in FortiGuard web filter categories instead of a checkmark.

HA
Bug ID Description

446804 Diagnose firewall auth list flushed in 5 min after a failover.
462021 Update daemon run in HA_slave unit after upgrade.
465849 Wrong diagnose sys ha dump-by vcluster display when cluster is on the same LAN.

IPS
Bug ID Description

445134 The behavior of config anomaly in firewall DOS-policy changed during rebooting.
451452 IPS engine signal 14 alarm clock crash on FG-90D.
465134 SYN proxy still active when syn rate goes below configured threshold or is disabled.

IPsec VPN
Bug ID Description

390353 ICMP fragmentation needed is returned even when original packet size is less than destination LAN interface MTU.

Log & Report
Bug ID Description

477592 Data shown under incorrect date in Logs Sent to FortiAnalyzer Daily graph.

Proxy
Bug ID Description

409604 WAD crashing when get invalid firewall address.
452267 Web radio web sites cannot be opened with AV in proxy mode and inspect all enabled in the protocol options profile.
454185 Specific application does not work when deep inspection is enabled.
455779 User source IP in ICAP data packets.
467709 High memory usage on WAD process with low session count.

Router
Bug ID Description

472512 FortiGate not forwarding DNS packets when policy route is hit and DNS filter profile is applied to firewall policy.
480978 OSPF summary-address synchronized with FGSP.

SSL VPN
Bug ID Description

466438 High CPU usage by sslvpnd (web and mixed mode).
466821 Accessing Cisco Unified Communications Manager not working properly.
473963 Web-portal allows access only to resources based on the first matched policy and its group.
483712 sslvpnd consumes high memory causing FortiGate to enter conserve mode.

System
Bug ID Description

370953 SLBC worker blade failed to re-synchronize with the config master blade due to the frozen confsync daemon.
415910 CPU cores utilization shows 0 percent while handling CPS in 5.4.
436399 snmpd crashes with signal 11 in get_fgHaStatsEntry.
449160 CPU0 and CPU1’s IRQ got busy after traffic stopped.
457004 DHCP relay sends too many DHCP offers to client.
459273 Slave worker blade loses local administrator accounts.
477135 Updates of FortiGuard are causing CPU spikes which slows down regular traffic.
478307 SNMP reports incorrect MTU on GRE tunnels.
479142 SLBC 5001D slave blade going out of sync.
483014,488587 FortiGate is rebooting at least once a day due to kernel panic.
488611 virtual-wire-pair IPv6 reflection session – ghost IPv6 sessions stacking in kernel/NP.
493052 Sometimes 5001D slave blade loses kernel static route after down/up traffic interface in
5001D/5913C SLBC system.

Upgrade
Bug ID Description

495994 After upgrade to 5.4.9, observing lot of IPS syntax errors on the console screen.

VM
Bug ID Description

408366 FGT_VM64 fails to join HA cluster after upgrade to b1117 (from b1111).

WebAppFirewall
Bug ID Description

463468 Clients are unable to connect to mail server when WAF is enabled on the VIP policy.
477074 Inconsistent WAF behavior.

WiFi
Bug ID Description

484556 URL filter does not match for right-hand matched URL when there is similar URL entry which includes – (dash).
485685 Proceeding from a web filter warning page intermittently results in the BLOCK page shown instead of the expected web site.
486466 HTTPS web page is blocked after clicking Proceed button.
491381 FOS 5.4 needs to configure DFS channels for FAP-221E/223E in Japan.

Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references

496431 FortiOS 5.4.10 is no longer vulnerable to the following CVE Reference:
l CVE-2018-9192

497128 FortiOS 5.4.10 is no longer vulnerable to the following CVE Reference:
l CVE-2018-9194

Znane problemy do rozwiązania:

AntiVirus
Bug ID Description

374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).

Endpoint Control
Bug ID Description

374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control (fortiheartbeat) is enabled but no AV profile is used.

Firewall
Bug ID Description

364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D
Bug ID Description

385860 FortiGate-3815D does not support 1 GE SFP transceivers.

FortiRugged-60D
Bug ID Description

375246 invalid hbdev dmz may be received if the default hbdev is used.

FortiSwitch-Controller/FortiLink
Bug ID Description

304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.

FortiView
Bug ID Description

368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
375187 Using realtime auto update may increase chrome browser memory usage.

GUI
Bug ID Description

289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 In Security Fabric topology, a downstream FortiGate may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375036 The Archived Data in the Sniffer Traffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375346 You may not be able to download the application control packet capture from the forward traffic log.
375369 May not be able to change IPsec manualkey config in GUI.
375383 The Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
379050 User Definition intermittently not showing assigned token.

HA
Bug ID Description

403097 Some IPsec SAs not synced to HA slave.
479311 Certificate status changes from OK to Pending one minute after importing certificate from GUI on vcluster device.

IPsec
Bug ID Description

393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.
Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.
439923 IKE static tunnels using set peertype one may fail to negotiate.

Router
Bug ID Description

299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN
Bug ID Description

303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.

System
Bug ID Description

287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
371320 show system interface may not show the Port list in sequential order.
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.
416452 Admin profiles with addresses read-write permission will not work for reputation/VIP/address page.
445383 Traffic cannot go through LACP static mode interface with NP6 offload enabled.

Upgrade
Bug ID Description

289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility
Bug ID Description

374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an
address change.

Więcej informacji tutaj: Release notes 5.4.10 Build 1220

 
Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

FortiGate FortiOS