B&B Bezpieczeństwo w biznesie
Fortinet has published an update to the FortiOS 5.6 family. The new FortiOS 5.6.11 release brings many fixes, covering among other things application control and the operation of devices in an HA cluster. It also eliminates a problem with the miglogd process, which, after losing its connection to FortiAnalyzer, buffered logs and drastically increased RAM usage, causing the device to enter conserve mode.

Resolved issues:

Anti-Spam

Bug ID Description
477496 Unable to add email wildcard to black/white list GUI in Anti-Spam profile.

AntiVirus

Bug ID Description
569143 CIFS AV flow mode allows malware which has been blocked by HTTP.

Application Control

Bug ID Description
499598 Application Control with SSL does not check SNI against server certificate.
558380 Application Control does not detect application with webproxy-forward-server.
561843 Application Control unscans the traffic to forward to upstream proxy.
562832 Application Control HTTP.BROWSER_Firefox is not blocking Facebook and some other sites.

DNS Filter

Bug ID Description
525068 No need to resolve safe search FQDN if not used.

Explicit Proxy

Bug ID Description
482916 WAD crash with signal 6.
533838 WAD re-signs valid web sites with untrusted CA certificate.
560076 SSL deep inspection not performed on certain sites.

Firewall

Bug ID Description
543637 Cannot filter policy by multiple IDs.
557777 Policy ID filter not working for Single Policy ID.

FortiView

Bug ID Description
552339 In FortiView GUI > All Sessions page, the filter is not working.

GUI

Bug ID Description
477493 GUI fails to read correct Last Used time for firewall policy.
537550 HTTPSD uses high CPU when accessing GUI network interfaces.
552038 Routing monitor network filter does not filter subnets after upgrade.

HA

Bug ID Description
518717 MTU of session-sync-dev does not come into effect.
518964 Slowness when adding or removing member from address group via SSH.
519266 FGT-HA does not fail over when pingserver is down the second time.
536520 GTP Tunnel States are not synced on subordinate unit after a reboot.
538289 Old master keeps forwarding traffic after failover.
541224 Network loop over virtual-wire-pair in HA mode if running diagnose sys ha reset-uptime.
551995 SCTP sessions affected after upgrade and failover.
552329 NP6 sessions dropped after any change in GUI.
574564 In HA setup, with uninterrupted upgrade option enabled, some signature DBs might be damaged if upgrading from 5.6.9 and earlier to 5.6.10.

Intrusion Prevention

Bug ID Description
537571 IPS/AV not forwarding return traffic back to clients.
553262 TCP connections through IPsec (bound to loopback) do not work when IPS offload is enabled to NTurbo.
556538 Enabling IPS on IPv4 policy impacting HTTPS traffic over the site to site VPN using PPPoE for internal servers.

IPsec VPN

Bug ID Description
473609 IPsec gateway not matching for PKI user when there is a DC field in the Client Certificate.
553262 Dialup IPsec hardware acceleration drops.
537450 Site-to-site VPN policy based – with DDNS destination fails to connect.
568630 iked crashes frequently with signal 11.
553759 ESP packets are sent to the wrong MAC after a routing change when IPsec SA is offloaded.

Log & Report

Bug ID Description
521020 VPN usage duration days in local report is not correct.
565216 Memory of miglogd increases and enters conserve mode.

Proxy

Bug ID Description
534118 Active SSH sessions to remote servers are dropped exactly when the session-ttl expires.
537183 Removed default ssl-exempt entries page show empty.
544517 WAD process crashing and affecting HTTP/HTTPS traffic.
545964 FortiManager sends requests to FortiGate to collect proxy policy hit_count/bytes, and the response from FortiGate misses the uuid attribute.

Routing

Bug ID Description
480174 FortiGate cannot accept passwords starting with 0x in certain situations (interpreted as HEX).
503686 Application PDMD crashes.
511203 When using policy route for IPv6, NAT64 does not work.
528465 GRE tunnel does not come up.
536986 IPv6 routing failed to choose lower priority route when output interface is specified.
537110 BGP/BFD packets marked as CS0.
538151 NSM crashes during dev and QA test.
539982 Multicast fails after failover from another interface.
557787 Although the routing table was changed in IPv6 network, the offloaded communication stopped.

SSL VPN

Bug ID Description
513572 FortiGate not sending Framed-IP-Address attribute for SSL VPN tunnel in RADIUS accounting packet.
523717 Dropdown list cannot get expanded through bookmarks (SSL VPN).
525106 HTML PABX Admin Console not working correctly in SSL VPN mode.
527348 JavaScript script is not available when connecting using SSL VPN web mode.
527476 Update from web mode fails for SharePoint page using MS NLB.
528289 SSL VPN crashes when it receives HTTP request with header "X-Forwarded-For" because of the wrong use of sslvpn_ap_pstrcat.
532261 SSL VPN web mode RDP connection not working when security set to NLA.
532921 Abnormal work of mac-addr-check in function SSL VPN.
533008 SSL web mode is not modifying links on certain web pages.
538904 Unable to receive SSL tunnel IP address.
546161 TX packet drops on ssl.root interface.
546187 SSL VPN login auth times out if primary RADIUS server becomes unavailable.
551535 HTTP 302 redirection is not parsed by SSL VPN proxy (web mode / bookmark).
556657 Internal website not working through SSL VPN Web mode.
569030 SSL VPN tunnel mode can only add split tunneling of user’s policy with groups and its users in different SSL VPN policies.

System

Bug ID Description
471690 Email Service > UserName is not enough for longer UserID. It gets truncated and causes authentication failure.
492655 DNSproxy does not seem to update link-monitor module.
493128 bcm.user always takes nearly 70% CPU after running Nturbo over IPsec script.
493843 SNMPD’s debug messages reveal source code function names.
505522 Intermittent failure of DHCP address assignment.
522973 System reboots due to a kernel panic.
527868 SLBC FortiOS should prevent change of default management VDOM.
529932 Primary DNS server is not queried even after 30 seconds.
540062 Kernel panic after upgrade from 5.6.7 to 5.6.8.
541243 DHCP option doesn’t include all NTP servers.
541527 Changing the order of VDOM in system admin when connected with TACACS+ wildcard admin is not propagated to other blades.
542441 SNMP monitoring of the implicit deny policy not possible.
543054 Setting alias or changing allowed access to aggregate link moves the state from down to up for a few seconds.
545717 USB Modem Huawei E173u-2 not working on FortiGate 60E device.
546169 DHCPD is using more memory on the slave unit than the active unit.
546464 DHCP not working properly with macOS when proxy arp is enabled/configured.
546874 Increase firewall.address tablesize for 80-90 series.
547720 FortiGate does not support DH 1024 bits as SSH server.
550433 FGT-5001D/B1672: /tmp/fcp_rt_dump file lost some IPsec VPN router info after modified IPsec VPN static router setting.
553326 Kernel panic on 3700D running 5.6.8.
554099 Can’t poll SNMP v3 statistics for BGP when ha-direct is enabled under SNMP user.
557798 High memory utilization caused by authd and wad process.
560686 4x10G split-port does not work on FG3700D rev 2.

Upgrade

Bug ID Description
530793 config-error-log shows after upgrade from v5.6.6 to v5.6.7.

User and Device

Bug ID Description
518129 FSSO failover is not graceful.
545074 Unable to login into FortiGate GUI with Yubikey. CLI works as expected.
558428 When all groups are included in a registry string that contains more than or equal to 16384 characters, the groups cannot be synchronized.
569434 Recurring conflicts between TS-Agent type FSSO sessions and regular FSSO sessions.

VM

Bug ID Description
484540 FOS VM serial number changes during firmware upgrade.

VoIP

Bug ID Description
510233 FortiGate VoIP handling.

Web Filter

Bug ID Description
504239 Signal 11 crash on b0161.
518433 FGT D series number of web filter profiles decreased globally.
540902 VDOM is replying with TCP ACK 0.
544598 Invalid hostname return on GUI when static URL is defined.
562869 Web filter blocks connection.

WiFi Controller

Bug ID Description
484667 Add support to update Fortinet_Wifi certificate through FGD.
530328 CAPWAP traffic dropped when offloaded if packets are fragmented.
556022 wifi-certificate settings become empty and eap_proxy is killed after deleting ca_bundle package and rebooting FortiGate.

Known issues:

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
448247 Traffic-shaper in shaping policy does not work for specific application category such as P2P.

FortiGate-90E/91E

Bug ID Description
393139 Software switch span doesn’t work on this platform.

FortiGate 3815D

Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.

FortiSwitch-Controller/FortiLink

Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to FortiSwitch 3.4.2 b192.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.

GUI

Bug ID Description
356174 FortiGuard updategrp read-write privilege admin cannot open FortiGuard page.
374844 Should show ipv6 address when set ipv6 mode to pppoe/dhcp on GUI > Network > Interfaces.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
445113 IPS engine 3.428 on Fortigate sometimes cannot detect Psiphon packets that iscan can detect.
451776 Admin GUI has limit of 10 characters for OTP.

HA

Bug ID Description
481943 Green checkmarks indicating HA sync status on GUI only appear beside virtual cluster 1.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.

Security Fabric

Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
457096 FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist.
464873 RADIUS COA Disconnect-ACK message ignores RADIUS server source-ip setting.

We encourage you to read the release notes published by the vendor: Release Notes – FortiOS 5.6.11

Best regards, the B&B Team
Bezpieczeństwo w biznesie
