FortiOS 5.6.5
FortiOS update 5.6.5 has been released! As usual, Fortinet leaves no doubt: it eliminates many bugs found in previous versions of the software and ships a new release. We encourage you to review the list of fixes, and the list of known issues that follows it, before updating your devices; verify the supported upgrade path for your current build first, since several of the fixes below (for example the WAD and kernel panic crashes) are only reached by upgrading, while some of the known issues are not yet fixed in this build.
Resolved issues:
Authentication
Bug ID Description
474833 Newly generated Fortinet_CA_SSL certificate reverts to the previous version after reboot on FG61E with VDOMs.
476692 Multiple FNBAMD crashes.
491175,491241 diag test application fnbamd 1 causes fnbamd to enter an idle state, leading to authentication failures.
491235 New diag command diag test app wad 13.
AV
Bug ID Description
441739 Enabling AV breaks web connection to license server.
461707 FortiGate cannot generate replacement messages properly when block-oversize is set for SMTP.
Connectivity
Bug ID Description
460617 GUI FortiGuard Check Again button doesn’t work as expected due to FortiGuard service 8888/53 incorrectly routed.
467733 All users disconnect automatically and cannot connect again (login reports an incorrect password).
477135 Updates of FortiGuard are causing CPU spikes which slows down regular traffic.
DNS Filter
Bug ID Description
470650 DNS filter getting purged by FortiManager when not used in a policy because FortiGate DNS filter does not contain static entry.
478076 DNS source IP setting is ignored in case communication with SDNS server goes over IPsec tunnel interface.
Endpoint Control
Bug ID Description
473248 FortiClient blocks all navigation with APPCTRL profile when registered to FortiGate.
479672 FortiTelemetry not blocking VIP.
FIPS-CC
Bug ID Description
463211 When alarm is enabled in FIPS mode, the console hangs and the getty process shows very high CPU usage.
Firewall
Bug ID Description
470167 Session state shows "dirty" even if the policy setting had not been changed after the session was established.
FortiGate 500D
Bug ID Description
403449 FortiGate 500D has issues with FINISAR transceivers.
FortiSwitch-Controller
Bug ID Description
408082 Moving a dedicated hardware switch into FortiLink silently changes STP from enabled to disabled.
477885 FSW Security Policy – RADIUS configuration not pushed to FSW if source-ip is specified.
Workaround: configure a separate RADIUS server without source-ip parameter and use it in the FSW security policy.
482835 The cu_acd process uses high CPU on FG-90D.
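The workaround listed under 477885 above, written out as FortiOS 5.6 CLI. This is an added configuration example, not text from the release notes or from Fortinet: the object names (radius-fsw, fsw-8021x-users, fsw-dot1x), the server address and the secret placeholder are assumptions. The point is that the RADIUS object referenced by the FortiSwitch security policy carries no source-ip setting, because that is the setting that prevents the configuration from being pushed to the switch; a second RADIUS object with source-ip can coexist for other uses. Lines beginning with # are comments and are ignored if the snippet is pasted into the CLI.

```fortios
# Added example (assumed names and addresses), not from the release notes.
# 1. RADIUS server object dedicated to the FortiSwitch security policy.
#    Deliberately NO "set source-ip": a server with source-ip configured is
#    the one that does not get pushed to the FortiSwitch (bug 477885).
config user radius
    edit "radius-fsw"
        set server "10.0.0.5"
        set secret "<shared-secret>"
    next
end

# 2. User group that references that RADIUS server.
config user group
    edit "fsw-8021x-users"
        set member "radius-fsw"
    next
end

# 3. FortiSwitch 802.1X security policy that uses the group; the original
#    RADIUS object with source-ip set is simply not referenced here.
config switch-controller security-policy 802-1X
    edit "fsw-dot1x"
        set security-mode 802.1X
        set user-group "fsw-8021x-users"
    next
end
```

After applying the policy to the switch ports, confirm on the FortiGate that the RADIUS object named in fsw-dot1x is the one without source-ip (show user radius radius-fsw) before concluding that the push succeeded; the symptom of the bug is a policy that looks correct on the FortiGate but never reaches the switch.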
FortiView
Bug ID Description
441835 Drilling down on an auth-failed WiFi client entry in "Failed Authentication" does not display detailed logs when CSF is enabled.
442238 FortiView VPN map can’t display Google map (199 dialup VPN tunnel).
442367 In FortiView > Cloud Applications, when the cloud users column is empty, drill down will not load.
483142 FortiView GUI dropped Threats shown as Session Allowed.
GUI
Bug ID Description
408445 GUI test for secondary RADIUS server returns "invalid" secret, CLI test OK.
435780 GUI cannot delete SD-WAN rules or health-check.
451029 Should be able to assign hard token to user with no email configured by right clicking.
453706 If policy has set fixedport enable while using a fixed-port-range type IPpool, the session is dropped when dirty state hits.
462011 GUI is blank when accessed with RADIUS user with read-access profile and the FortiGate is managed by FortiManager.
464211 Some words are cut off when changing widget size to 1*1 on the dashboard.
468459 Translation issue on Countries.
468530 Can’t set 2FA authentication and email recipient with admingrp&usergrp read-write on GUI.
469082 prof_admin profile admins are not able to display GUI IPv4 source address.
469666 While creating local users, the FortiGate GUI freezes, PC browser memory usage spikes, and the user is not created.
470452 Enhance FortiSwitch ports GUI to scale for larger switch networks.
472390 GUI won’t load with ECC certificate selected.
474630 Central Management: IP/Domain Name disappears when using FQDN and clicking Apply causes management tunnel to go down.
474991 Cannot set Trust-IP as 0.0.0.0/24 on dedicated management interface via GUI.
475036 Virtual Server Duplicate Entry found Error on GUI.
475371 GUI Edit Managed AP page > Firmware Upgrade cannot recognize new images of FAP-221C, 222C, 223C, and 321C.
477592 Data shown under incorrect date in Logs Sent to FortiAnalyzer Daily graph.
482897 If using a hyphen as a search character for DLP logs on GUI, unintended logs are included in the search result.
484303 No management IP info on GUI when VDOM is in TP mode.
HA
Bug ID Description
474594 User cannot access the FortiGate management-ip through SSH.
474867 FortiGate does not send syslog from ha-mgmt-interface after management-vdom is changed.
477392 Cannot log in with FAC username and password plus FortiToken two-factor authentication on the HA slave unit.
482168 Ports are flapping when IPv6 traffic is passing through.
486552 Vcluster HA failover fails with large site-to-site IPsec VPN configuration on 3800D.
ICAP
Bug ID Description
455779 User source IP in ICAP data packets.
IPS
Bug ID Description
443418 User is not listed in quarantine list in case block duration value is set long enough.
450693 ERR_SSL_PROTOCOL_ERROR when deep scan enabled along with IPS in policy.
451452 IPS engine signal 14 alarm clock crash on FG-90D.
472980 System crashes after adding 199 custom IPS signatures.
IPsec VPN
Bug ID Description
436301 Packets won’t pass through IPsec tunnel after switching from static to dialup or from dialup to static.
453156 Request that the net-device and tunnel-search option settings be changeable.
461777 Sometimes kernel crash triggered by diag vpn ike restart.
469648 Not all IPv6 IPsec VPN traffic works when crossing NP6.
474408 Multicast resolves the wrong OIF for dialup VPN using exchange-ip to assign address (net-device enable).
491305 Packet from FortiClient cannot go through VXLAN over IPsec depending on packet size.
Log & Report
Bug ID Description
438858 Synchronized log destination with Log View and FortiView display source.
468672 FG-3HD logs SIP traffic in the outbound direction while traffic is coming in the inbound direction.
476575 Filter result fields on compliance-check event log do not work.
491750 Log and SNMP Polling for fnbamd stats.
Proxy and WebProxy
Bug ID Description
459972 WAD crashes when using external cache to store https objects.
467431 WAD treats IPv6-addr in Host Header as an invalid URL.
467709 High memory usage on WAD process with low session count.
471664 FG-1500D going into kernel conserve mode. WAD process consuming high memory.
473019 Web category cannot display on Web-proxy Block Page.
476391 Proxy AV breaks Citrix Virtual Delivery Agent (VDA) HTTP traffic.
482375 High memory usage on WAD.
484983,487664 WAD SSL proxy crash with signal 11.
486821 Web application "Symphony" fails with AV profile enabled in policy.
489065 When user authentication/authorization fails, the username should be logged in the user event log.
489301 Some web proxy users receive Oops message with Error 504 Gateway timeout.
493272 Multiple WAD crashes with signal 11 (segmentation fault).
493470 Authenticated user receives Oops "Authentication requested" referencing a proxy policy which does not have authentication enabled.
494081 WAD process is crashing with signal 11 after upgrading firmware to 5.6.4.
Router
Bug ID Description
458982 OSPF6 redistribute connected doesn’t work as expected if area type is set as NSSA.
461660 OSPF nssa area redistributed IPv6 route cannot be learned properly by OSPF neighbor.
469131 Broadcast traffic getting forwarded when policy route is enabled in the device.
472512 FortiGate not forwarding DNS packets when policy route is hit and DNS filter profile is applied to firewall policy.
473972 When the X1 interface is brought down and back up, routing/BGP is lost even though there are no neighbours or routing to X1.
474083 SD-WAN Health check status shows interface down when the interface is up.
478307 SNMP reports incorrect MTU on GRE tunnels.
480978 OSPF summary-address synchronized with FGSP.
483443 VRRP start time option does not work when the VRRP primary device interface goes from down to up.
SSL VPN
Bug ID Description
456027 SMB Bookmark in SSL VPN portal doesn’t work with Dynamic user-mapping and getting error Invalid HTTP request.
458964 SSL VPN web mode SSH connection tool times out after 5 minutes.
466821 Accessing Cisco Unified Communications Manager does not work properly.
471472 SSL VPN Duo authentication iframe does not load in 5.6 (Worked in v5.4).
472195 Request to increase Strict-Transport-Security HTTP Header max-age= value or make it configurable to pass security audit.
472541 Unable to log in to an internal website via SSL VPN web mode.
473963 SSL VPN web-portal allows access only to resources based on the first matched policy and its group.
483712 sslvpnd consumes high memory causing FortiGate to enter conserve mode.
484381 SSL VPN portal URL unreserved characters encoding issue.
486918 SSL VPN web mode unable to load the page correctly.
489827 On SSL VPN web mode, Visteon.service-now.com/vss URL does not load.
System
Bug ID Description
395551 cw_acd restart every 1 minute on FG-800C.
415910 CPU cores utilization shows 0 percent while handling CPS in 5.4.
433745 SNMP trap & log for power failure with external redundant PSU.
436418 inbandwidth and outbandwidth of NP6lite interface does not work when offloaded.
442457 After deleting a LAG, FortiGate interface cannot be pinged.
459273 Slave worker blade loses local administrator accounts.
463982 FMG IP is unset in FGT CM.
465611 The sniffer’s packet description does not show the source and destination IP for ESP traffic.
468938 Kernel panic on FG-3700D – Slave.
472561 FG-300E kernel panic once after factory reset.
474475 When unselecting member from an addrgrp via CLI, TAB completion allows you to see/unselect members that are not in the addrgrp.
475064 STP BPDUs not forwarded on ports connected to the internal switch of FG-3H0E.
475388 FG-501E, 10G Base-T, 10G Base-SR transceivers don’t work on SFP+ ports.
475692 System autoupdate schedule set time, setting mm to 60 for random does not work properly.
476446 Can’t SSH to management interface if SSH is allowed only on the management interface.
477979 Potential memory leak detected in FTS.
479611 Cannot set the port associated with firewall address to virtual wire pair.
480411 DDNS does not work when dual wan is configured in loadbalancing mode.
482959 Unexpected system reboot with comlog output: soft lockup.
483014,488587 FortiGate is rebooting at least once a day due to kernel panic.
483516 FG-81 enters conserve mode suddenly and scanunit crashes.
484281 SALB cluster has synchronization issues.
486265 check_sprite_file timeout creates tmpxxxxxx files and causes FortiGate to enter conserve mode.
488222 Cannot use certificate for FortiGate administration.
488611 virtual-wire-pair IPv6 reflection session – ghost IPv6 sessions stacking in kernel/NP.
488861 Kernel panic and reboot.
User
Bug ID Description
475294 Renewing expired guest account does not reset first login value.
VM
Bug ID Description
408366 FGT_VM64 fails to join HA cluster after upgrade to b1117 (from b1111).
422241 FortiGate-VM Azure (BYOL & PAYG): Support for Azure Stack – Update WA Agent.
464434 WAN OPT is unavailable in FGT-VM GUI even when disk usage is set to wanopt.
486026 FortiOS-VM On Demand stopped processing traffic after losing connection with FortiManager and was rebooted.
490280 Make the central management settings sticky after reboot.
491974 Possible memory leak in awsd.
WAF
Bug ID Description
463468 Clients are unable to connect to mail server when WAF is enabled on the VIP policy.
477074 Inconsistent WAF behavior.
WCCP
Bug ID Description
460383 The "I See You" message sent from FortiGate WCCP contains an Assignment Info component which is not part of the RFC specification.
WiFi
Bug ID Description
454634 Web filter set warning-prompt per-domain is warning per-category instead of per-domain.
462297 No support to enable WIDS through CLI for 2×2 platforms.
467517 High Latency when web filter is enabled in the policy in TP mode and the packet travels twice through the FortiGate.
475897 FortiGuard quota timer is running faster than it should.
482970 FAP with MAC OUI 70-4C-A5 as mesh leaf cannot connect with FWF local radio as mesh root.
484556 URL filter does not match for right-hand matched URL when there is similar URL entry which includes – (dash).
Known issues:
Application Control
Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
448247 Traffic-shaper in shaping policy does not work for specific application categories such as P2P.
487421 Application control violation page leaks private IP and hostname.
Firewall
Bug ID Description
478360 IPv6 VIP does not translate IP address.
FortiGate-90E/91E
Bug ID Description
393139 Software switch span doesn’t work on this platform.
FortiGate 3815D
Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
FortiSwitch-Controller/FortiLink
Bug ID Description
304199 HA with FortiLink traffic loss – no virtual MAC.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to FortiSwitch 3.4.2 b192.
FortiView
Bug ID Description
366627 FortiView Cloud Application may display incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
GUI
Bug ID Description
356174 FortiGuard updategrp read-write privilege admin cannot open FortiGuard page.
374844 Should show ipv6 address when set ipv6 mode to pppoe/dhcp on GUI > Network > Interfaces.
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.
422413 Use API monitor to get data for FortiToken list page.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
451776 Admin GUI has limit of 10 characters for OTP.
HA
Bug ID Description
458320 Cluster uptime was not consistent.
471816 Policy route setting is synced in standalone-config-sync mode.
481943 Green checkmarks indicating HA sync status on GUI only appear beside virtual cluster 1.
493759 When vcluster2 is removed from HA configuration, all active sessions are killed once session-ttl is reached.
Log & Report
Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.
Proxy
Bug ID Description
454185 Specific application does not work when deep inspection is enabled.
Security Fabric
Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
SSL VPN
Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
477231 Unable to login to VMware vSphere Client 6.5 through SSL VPN web portal.
492066 High memory usage in SSL VPN even when there is only one connection.
System
Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
435388 The parent physical interface cannot be in zone list when VLAN interface is added to zone.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
457096 FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist.
461580 Getting authentication portal by FQDN:1000/login? and /logout? does not work if using authredirect fqdn in policy.
464873 RADIUS COA Disconnect-ACK message ignore RADIUS server source-ip setting.
465957 Backup VPN static route remains after failback when explicit proxy and NAT are configured.
475745 Backup password for administrator account is not working when interface is down.
486466 HTTPS web page is blocked after clicking Proceed button.
490066 FortiClient with IPsec with Proxy / Webfilter – Fragmentation is needed.
492193 DoS policies consume 20% more CPU than in FortiOS 5.2.
VM
Bug ID Description
441129 Certify FortiGate-VMX v5.6 with NSX v6.3 and vSphere v6.5.
Regards,
The B&B Team
Security in Business