An update to the FortiOS 5.6 family has just been published. The new version, FortiOS 5.6.7, brings many fixes and eliminates bugs found in the previous software version. We encourage you to review the list of fixes and to update your devices.
Resolved issues:
Antivirus
Bug ID Description
502138 AV full scan mode causes traffic to fail.
Authentication
Bug ID Description
453095 Mobile FortiTokens not assignable to a VDOM in a vcluster on the slave unit.
473118 Fnbamd crashes after upgrading ca_bundle file.
515226 FortiGate keeps sending accounting packet to RADIUS server for user that is no longer authenticated.
Data Leak Prevention
Bug ID Description
454103 Certain PDF files being blocked when DLP filter set to block bat file.
Explicit Proxy
Bug ID Description
491118 Kerberos users unable to access internet.
496294 SNMP value returned OID of fgExplicitProxyMemUsage and fgExplicitProxyUpTime is always 0.
506654 High memory usage on WAD.
509876 Web proxy internet service as dst address cannot work for some IP address range overlap cases.
509994 Web site denied due to certificate error (revoked) only in Proxy_policy and deep inspection profile.
512294 WAD should not keep buffer data if the server’s response broke the HTTP protocol.
513667 WAD crash when a callback is triggered during closing procedure.
514426 Explicit proxy cannot catch Microsoft Outlook after FFDB update.
515327 WAD returns '502 Bad Gateway' if the server disconnects without data received.
Firewall
Bug ID Description
390422 When a firewall address group is used in firewall policy, a wildcard FQDN address should not be allowed to be added into the firewall address group as a member.
511261 RSH connection disconnects when multiple commands are executed via script; the message "no session matched" is seen.
514187 VIP ping healthchecks fail with high number of realservers.
GeoIP
Bug ID Description
465122 GeoIP database mismatch on cluster after every new database release.
GUI
Bug ID Description
473140 Cannot paste a script or any character in the GUI CLI console.
503867 In GUI, some certificates break the Certificate page.
508596 GUI Dashboard > Interface Bandwidth widget cannot be added for GRE tunnel interfaces.
511776 Once user has assigned token other tokens not listed in pull down menu.
515022 FortiGate and FSA have correct connectivity, but Test Connectivity on the GUI shows Unreachable or Not Authorized.
HA
Bug ID Description
445214 Slave in AP cluster memory/CPU spike as a result of DHCP/HA sync issue.
485340 HA failover does not work after changing system time manually.
501147 Moving VDOM to virtual cluster from GUI causes cluster to go out of sync.
510585 HA does not recognize proper ping-server status, hence does not failover when ping-server is down.
510660 Upgrade to build 3574 fails for HA cluster.
511522 HA uninterruptible upgrade from 9790 to 3558 fails.
512383 local-in-policy for ha-mgmt-int doesn’t work after reboot.
516779 Confsync cannot work with three members when encryption is enabled.
IPS
Bug ID Description
465134 SYN proxy still active when syn rate goes below configured threshold or is disabled.
469608 ICMP packets dropped during FortiGate update.
476219 Delay for BFD in IPinIP traffic hitting policy with IPS while IPsec calculates a new key.
497602 After upgrading, sniffer packet on any interface causes drops on kernel and traffic impact. DoS policies used.
IPsec VPN
Bug ID Description
463441 NAT -T broken with AWS and FortiGate.
481720 Using transparent mode and policy base VPN, about 4 ICMP packets which exceed over MTU 1375 byte are dropped.
515375 VPN goes down randomly, also affects remote sites dialup.
Log & Report
Bug ID Description
436037 Application logs set the SRC interface and DST interface in reverse.
467367 app-ctrl logs show policyid=0 sessionid=0 and no srcintf and dstintf field.
475694 log rate widget: fortianalyzer log rate is always 0 when no disk log enabled.
500972 Wrong log for FortiGuard block page.
503897 FortiGate-501E units generate logs only for five minutes after rebooting the unit, then do not generate any more logs.
505393 Quad File Dropped Reason forticloud-daily-quota-exceeded.
NPI
Bug ID Description
462178 Front panel SPEED LED is flashing green when transmitting and receiving data.
Affected models: FG-60D, FG-60E, FG-80E, FG-90D, and FG-500D.
Affected versions: 5.6, 6.0, and 6.2.
Proxy and WebProxy
Bug ID Description
454185 Specific application does not work when deep inspection is enabled.
506995 FG-1200D WAD crashing 5.6.5 (WAD MAPI).
512930 WAD crash with signal 11.
513270 Certificate error with SSL deep inspection.
513663 FG-3200D running FOS 5.6.5 – WAD crashing frequently.
Router
Bug ID Description
476805 FortiGate delays sending keepalives, which causes the neighbor's hold-down timer to expire and resets the BGP neighborship.
481731 Router access-list prefix 0.0.0.0/0 is replaced with any after reboot.
499100 SD-WAN with IPPool not respecting associated interface if one of the links has a dynamic IP.
500432 IGMP multicast joins taking very long time and uses high NSM CPU utilization.
504164 OSPF – LSA checksum error.
505467 For some OSPFv3 intra-area routes, the next-hop link-local address is not displayed.
507187 BGP Configuration incrementally adding set-aspath attribute with every BGP update.
511203 When using policy route for IPv6, NAT64 does not work.
514410 The BGP default gateway advertised doesn’t work after the upgrade without being manually reset.
514851 BGP default route origination doesn’t work.
518929 SNMP OSPF MIB ospfIfState value is not correct when the interface is the designated router.
SSL VPN
Bug ID Description
477231 Unable to log in to VMware vSphere vCenter 6.5 through SSL VPN web portal.
477529 SSL VPN web mode on IE11 is always blocked when host-check is enabled with skip-check-for-unsupported-browser.
493772 Some URLs in SSL VPN return HTTP404.
507068 Internal server page does not display in SSL VPN web-mode; displays OK in tunnel mode.
507242 Internal web site not working through SSL VPN web mode.
511107 For RADIUS with 2FA and password renewal enabled, password change fails due to unexpected state AVP + GUI bug.
System
Bug ID Description
471191 Improve CLI help text for config system NP6 session-timeout options.
474612 SNAT is using low ports below 1023.
491090 FortiGuard service is unavailable since upgrading to 5.6.3.
503725 NP6 affecting all user traffic when enabled on policy.
505522 Intermittent failure of DHCP address assignment.
505715 DHCP lease new IP to same EFTPOS S800 device causes DHCP lease exhausted.
506030 SLBC cluster never in-sync after policy push.
507447 FortiGate 300E is bridging OSPF packets during boot phase.
510200 FortiGate DNS configuration doesn’t allow single-word domain names.
510419 HTTP link-monitor – response parser is case-sensitive (Content-Length header).
510737 Users are not able to pull DHCP addresses from FGT.
512963 vdom-properties firewall-address discrepancies.
513156 Packet loss on startup when interfaces are in bypass mode (2500E).
513339 Finisar FCLF8521p2BTL (FG-TRAN-GC) and (FS-TRAN-GC) FCLF8522P2BTL Transceivers not detected by FortiOS.
513671 File descriptor leaks upon exec backup blocking new admin connections.
515401 SLBC-Dual mode: Slave chassis blade sending traffic logs.
516105 Daylight Saving Time is no longer in use in Azerbaijan.
User and Device
Bug ID Description
500917 FSSO Collector Agent – Group change not synced back to FortiGate if last match to group-filter is removed.
519826 fnbamd crashing and ldap auth stopped working after upgrade.
VM
Bug ID Description
305116 FOSVM unable to register with forticare.
498653 FortiOSVM stops passing traffic after failover.
512713 Connectivity loss between FGT-SVM and FGT-VMX causes license to become invalid after one hour.
Web Filter
Bug ID Description
455193 Flow-based webfilter URL exempt not generating a UTM log.
499864 Web filter profile's proxy options to allow corporate Gmail accounts get overlooked if the "general interest" category is blocked under web filter.
WiFi Controller
Bug ID Description
415981 WiFi Health Dashboard Enhancement: add AP name and AP group to Login Failures Information.
503106 Remote site client connected to the FAP14C ethernet port is randomly not able to reach the LAN client connected to the FortiGate.
503190 FAP info (apsn, apname, channel, radioband) missing from traffic logs.
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID Description
510148 FortiOS 5.6.7 is no longer vulnerable to the following CVE reference:
CVE-2018-15473
Known issues:
Application Control
Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
448247 Traffic-shaper in shaping policy does not work for specific application categories such as P2P.
FortiGate-90E/91E
Bug ID Description
393139 Software switch span doesn’t work on this platform.
FortiGate 3815D
Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
FortiSwitch-Controller/FortiLink
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully, but fails to pass traffic until you reboot FortiSwitch.
404399 FortiLink goes down when connecting to FortiSwitch 3.4.2 b192.
FortiView
Bug ID Description
366627 FortiView Cloud Application may display incorrect drill down File and Session list in the Applications View.
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
408100 Log fields are not aligned with columns after drill down on FortiView and Log details.
GUI
Bug ID Description
356174 FortiGuard updategrp read-write privilege admin cannot open FortiGuard page.
374844 IPv6 address should be shown when IPv6 mode is set to PPPoE/DHCP on GUI > Network > Interfaces.
375383 If the policy includes the wan-load-balance interface, the policy list page may receive a javascript error when clicking the search box.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
451776 Admin GUI has limit of 10 characters for OTP.
HA
Bug ID Description
481943 Green checkmarks indicating HA sync status on GUI only appear beside virtual cluster 1.
Log & Report
Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.
Security Fabric
Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
SSL VPN
Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
System
Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
436580 PDQ_ISW_SSE drops at +/-100K CPS on FG-3700D with FOS 5.4 only.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
457096 FortiGate to FortiManager tunnel (FGFM) using the wrong source IP when multiple paths exist.
461370 Auto MDIX does not work when interface is set to 10full/100full. It only works when interface is set to auto.
464873 RADIUS CoA Disconnect-ACK message ignores the RADIUS server source-ip setting.
VM
Bug ID Description
441129 Certify FortiGate-VMX v5.6 with NSX v6.3 and vSphere v6.5.
528405 FortiMeter Consumption is not accurate.
We invite you to read the vendor's release notes, where you will find much more information about the update! Vendor release notes
—
Best regards,
The B&B Team
Bezpieczeństwo w biznesie (Security in Business)