FortiOS 6.0.1
The FortiOS 6.0.1 update has been released! The large number of resolved bugs shows that the vendor cares about keeping its software at the highest possible quality. We encourage you to read the information about the update below, as well as the release notes published by the vendor.
Resolved issues:
AntiVirus
Bug ID Description
451348 Flow AV SSL traffic EICAR detection failure.
481615 MMDB has random version number after upgrading from 5.6.3 to 6.0.
481785 Regular AVDB becomes 1.00000 after rebooting FortiGate.
Authentication & User
Bug ID Description
483553 In case there are multiple LDAP search results for the same LDAP search query, LDAP group match fails.
Connectivity
Bug ID Description
474630 Central Management: IP/Domain Name disappears when using FQDN and clicking Apply brings down management tunnel.
477135 Updates of FortiGuard are causing CPU spikes slowing down the regular traffic.
Firewall
Bug ID Description
463468 Clients are unable to connect to the mail server when WAF is enabled on the VIP policy.
479672 FortiTelemetry not blocking VIP.
FortiGate 90D
Bug ID Description
482835 The cu_acd process uses high CPU on FG-90D.
FortiView
Bug ID Description
439438 FortiView timeline for system events.
GUI
Bug ID Description
306406 FortiSwitch Ports page display improvements.
389328 REST API uses incorrect access group for backup and restore config.
389747 Shaping Policy dialog: should hide warning message when profile group contains app control used in policy.
389794 Simplify GUI proxy options based on inspection mode, and make the dialog/list consistent.
392569 New dashboard Sensor Information widget power supply value is incorrect.
397979 Dynamic Malware Detection version shows not loaded, even when the information is retrieved from FortiCloud.
451029 Should be able to assign hard token to user with no email configured by using the right-click menu.
454734 Security Fabric topology page cannot show detected server for (client) LAN > LAN (server) traffic.
455169 Dialup VPN phase2 selector name doesn’t display on GUI.
458546 LDAP user credential test in GUI gives syntax error. In CLI, user credential test works OK.
462279 New muTable list to support showing total count for matching entries.
462487 GUI should show all admin trusted hosts not just show the first three items.
464211 Some words are cut off when the widget is resized to 1x1 on the dashboard.
468530 Can’t set 2FA authentication and email recipient with admingrp&usergrp read-write on GUI.
469666 While creating a local user, FortiGate GUI freezes, PC browser memory usage spikes, and the user is not created.
469807 Newly added app-ctl list entry cannot be found in drop-down menu on GUI until reboot.
470215 Selecting an interface with a name like a.b for SD-WAN will not show stats or connection information in Performance SLA.
472037 Changing disk usage in GUI fails.
472390 GUI won’t load with ECC certificate selected.
473086 Quarantine monitor should support showing devices for the whole fabric.
473140 Cannot paste a script or any character in the GUI CLI console.
473791 Four duplicate entries are displayed in WANOPT peer monitor when one peer was configured.
474538 Remove mobile malware protection option from GUI.
474548 Remove mobile malware protection option from GUI.
474775 Downstream FortiGates intermittently disappear from Security Fabric widget.
477496 Unable to add email wildcard to black/white list GUI in Anti-Spam profile.
477592 Data shown under incorrect date in Logs Sent to FortiAnalyzer Daily graph.
477748 Add a one-click launch button or Link on FortiOS GUI to help user start a FortiSandbox in AWS.
479030 Should remove Any interface in SD-WAN rule when you specify one or more interfaces.
480544 The Policy Edit Dialog shows WAN-OPT and Web Cache options even though Disk Setting is set at Log.
480857 In some configurations, the interface page cannot be displayed when logged in as prof admin.
480910 Cannot configure and display interface comments on GUI.
480931 GUI shows wrong expiry time when interface mode is DHCP.
481031 Cannot set Security Fabric automation destination to multiple FortiGates in GUI when creating and editing automation.
481373 Security Rating in multiple FortiGates always shows first percentile even when they get different security rating scores.
481381 Industry field shows up abnormally when adding security rating widget.
481388 The radio button for Enable Explicit FTP Proxy is off in the interface editing page even though FTP proxy is enabled.
481436 GUI cannot assign remote-ip for site-to-site IPsec tunnel interface.
481563 The log viewer cannot view and download IPS archive when device is FortiAnalyzer and archive panel is blank.
481663 Get Error 500 message when editing one-arm sniffer if including IPv6 Packets.
481797 Policy View/Log View: missing tooltip when mouse over policy ID.
482679 FortiCare registration from GUI does not work.
482689 Cannot change password or log out of GUI when logged in as guest admin.
484246 Could not show Application Control and WebFilter log in GUI under NGFW policy mode.
492784 Could not add application, app, and URL category for traffic shaping policy from GUI in policy.
HA
Bug ID Description
474867 FortiGate does not send syslog from ha-mgmt-interface after management-vdom is changed.
480932 New factory reset box fails to sync with master in multi-VDOM after upgrade.
Workaround: reboot the new slave.
IPS
Bug ID Description
230766 Flow-AV full mode should support archive block/log feature.
421854 Increase number of custom signatures allowed.
451452 IPS Engine signal 14 alarm clock crash on FGT90D.
460138 When upgrading IPS engine to anything higher than 3.174, Google applications sometimes get blocked.
469608 ICMP packets dropped during FortiGate update.
481107 IPS Engine signal 11 crash during stress test.
IPsec VPN
Bug ID Description
469648 Not all IPv6 IPsec VPN traffic works properly when crossing NP6.
471326 AES-256-GCM for phase 1.
474408 Multicast resolve wrong OIF for dialup VPN using exchange-ip to assign address (net-device enable).
481153 IPsec configuration can’t create (no pask) when re-enabling OCVPN after FortiGate factory reset.
481449 OCVPN may not work if FortiGate hostname is different from the one registered on cloud.
482622 Traffic selector issues with IKEv2 in transport-mode and NAT.
Log & Report
Bug ID Description
455193 Flow-based webfilter URL exempt not generating a UTM log.
474867 FortiGate does not send syslog from ha-mgmt-interface after management-vdom is changed.
476575 Filter result fields on compliance-check event log not working.
477411 Update the Meaning field in the logging module.
477592 Data shown under incorrect date in Logs Sent to FortiAnalyzer Daily graph.
489065 When user authentication/authorization fails, username should be logged in the user event log.
Router
Bug ID Description
472512 FortiGate not forwarding DNS packets when policy route is hit and DNS filter profile applied to firewall policy.
480978 OSPF summary-address synchronized with FGSP.
483443 VRRP start time option does not work when the VRRP primary device interface goes from down to up.
Security Fabric and Rating
Bug ID Description
481373 Security rating widget in multiple FortiGates always shows first percentile even if they get different security rating scores.
465756 Automation should be available even when Security Fabric is not enabled.
Spam
Bug ID Description
466606 Emails tagged as SPAM – Whitelist is not effective.
SSL VPN
Bug ID Description
456027 SMB bookmark in SSL VPN portal doesn’t work with dynamic user-mapping and gets Invalid HTTP request error.
466821 Accessing Cisco Unified Communications Manager not working properly.
483253 FQDN doesn’t work well through SSL VPN web mode.
484381 SSL VPN portal URL unreserved characters encoding issue.
System
Bug ID Description
379015 Encounter forticron signal 11 crash after changing VCPU allocation to above 82 cores.
388563 snmpd signal 6 crash frequently in corporate firewall 3700D.
415910 CPU cores utilization shows 0% while handling CPS in 5.4.
435910 On FG-50E and FG-51E, ifHCOutOctets rolls at counter32.
464332 SNMP agent returns No Such Object available when querying etherStatsCRCAlignErrors MIB variable.
469608 ICMP Packets drop while FGD updates.
471626 dot3StatsFCSErrors MIB OID query systematically returns 0 despite CRC errors recorded in rx_crc_error counter.
472195 Request to increase Strict-Transport-Security HTTP Header max-age= value or make it configurable to pass security audit.
474630 If using FQDN, in System > Settings, Central Management, the IP/Domain Name disappears when clicking Apply and this causes management tunnel to go down.
474833 Newly-generated Fortinet_CA_SSL certificate reverts back to previous version after reboot, on FG-61E with VDOMs.
477135 Updates of FortiGuard causes CPU spikes that slow down regular traffic.
477670 FortiGate 100E stops processing traffic and responding to management on HTTP, HTTPS, SSH, ping, etc.
477979 Potential memory leak detected in FTS.
479611 Cannot set the port associated with firewall address to virtual wire pair.
480015 Cannot show full configuration if used before entering global.
480831 Wrong interface status and no info on system panel after logging in with VDOM admin.
481768 SIP ALG is not properly applying NAT.
483516 FG-81 enters conserve mode suddenly and scanunit process crashes.
489450 TCP traffic cannot go through NP6Lite with Nturbo enabled.
Upgrade
Bug ID Description
481085 Tolerance of vpn ssl web portal lost when upgrading from 5.6.3 to 6.0.0.
481146 ssl-min-version of virtual server changed to tls-1.1 during upgrade from 5.6.3.
VM
Bug ID Description
477748 Add a one-click launch button or link on FOS GUI to help user start a FortiSandbox in AWS.
480860 FGT_VM with evaluation license does not run security rating.
485676 The FortiGuard update-server-location default setting is different between hardware platforms and VMs.
WanOpt & Webcache
Bug ID Description
464434 WAN OPT is unavailable in FGT-VM GUI even when disk usage is set to wanopt.
Web Filter
Bug ID Description
472512 FortiGate not forwarding DNS packets when policy route is hit and DNS filter profile is applied to firewall policy.
484556 URL filter does not match for right-hand matched URL when there is similar URL entry which includes a dash (-).
WebProxy
Bug ID Description
459504 File upload does not work on FTP over HTTP when security profile is configured.
469656 WAD is crashing at signal 11.
471664 FG-1500D goes into kernel conserve mode. WAD process consumes high memory.
480722 WAD crashes at signal 11.
481649 With user authentication, the fourth request for FTP proxy service in a row is blocked.
482948 WAD daemon has signal 11 crash twice on corporate firewall.
484983 WAD SSL proxy crashes with signal 11.
WiFi
Bug ID Description
449137 FWF-xxE series local radio working as monitor mode cannot suppress rogue ap/sta.
478458 PMF on SSID causes application hostapd (wpad_ac) crash.
481394 Fast BSS Transition on SSID causes wpad_ac high CPU usage (FAP cannot be managed).
482970 FAP with MAC OUI 70-4C-A5 as mesh leaf cannot connect with FWF local radio as mesh root.
Common Vulnerabilities and Exposures
Bug ID CVE references
476125 FortiOS 6.0.1 is no longer vulnerable to the following CVE reference:
CVE-2018-9185
Known issues still to be resolved:
Application Control
Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
Authentication & User
Bug ID Description
477392 Cannot use FAC username/password and FortiToken two-factor authentication to log in to the HA slave unit.
491175 diag test application fnbamd 1 causes fnbamd to enter an idle state and causes authentication failure.
491241 Enhance diag command diag test app fnbamd 1.
Connectivity
Bug ID Description
481058 Configuration revision control list can’t be retrieved from FortiCloud.
DLP
Bug ID Description
478524 Diskless model missing full-archive-proto in config DLP sensor when only FortiCloud logging enabled.
Firewall
Bug ID Description
474612 SNAT is using low ports below 1023.
492961 Set utm-status disable did not hide profile-group. Unset profile-group will make profile-protocol-options empty.
FortiGate 3815D
Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
FortiSwitch-Controller/FortiLink
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
FortiView
Bug ID Description
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
414172 HTTPsd / DNSproxy / high CPU/memory with high rate UDP 1Byte spoofing traffic.
453610 Fortiview->Policies(or Sources)->Now, it shows nothing when filtered by physical interface at PPPoE mode.
460016 In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
482045 FortiView – no data shown on Traffic from WAN.
494731 Incorrect reporting in Fortiview.
GUI
Bug ID Description
256264 Realtime session list cannot show IPv6 session and related issues.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
449598 Remote LDAP User Definition wizard does not pull users.
451776 Admin GUI has limit of 10 characters for OTP.
468797 Cannot filter by date or timestamp when viewing logs from FortiCloud.
470241 Raw logs are downloaded from the default location even if you select another log device in GUI.
470589 The Forward Traffic Log Details panel Security tab does not display security log details when multiple log devices are enabled.
472023 Outbreak prevention detection makes "clean" counter increment in Advanced Threat Protection Stats widget.
473808 Column filter is not persistent and is removed after refreshing the page.
479468 The link status is lost after SD-WAN GUI changes to List Edit.
481902 When accessing FortiView > Websites page, gets error Failed to get FortiView data and httpsd keeps crashing.
487350 FortiGuard Filtering Services Availability showing Unavailable on GUI when no valid Anti-spam license is present.
489674 When scrolling to the end of a muTable, GUI should show 100% of entries.
492898 Cannot delete FSSO AD group entries in GUI anymore.
493351 Object tooltip of last page should not always display on current page.
493839 Cannot change quota type (time-based, traffic-based).
494040 Creating/Modifying security profiles generates multiple logs with misleading action.
494724 When creating trunk interface on managed FSW, FSW ports in right-side list show down, even when some are up.
HA
Bug ID Description
451470 Unexpected performance reduction in case of Inter-Chassis HA fail-back with HA override enabled.
479987 FG MGMT1 does not authenticate Admin radius users through primary unit (secondary unit works).
482548 Conserve mode caused by hasync consuming most of memory.
493759 When vcluster2 is removed from HA config, all active sessions are killed once session-ttl is reached.
494029 After failover, sometimes cannot connect to management-ip of backup device.
IPS
Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
IPsec VPN
Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.
486552 vcluster HA failover fails with large site-to-site IPsec VPN configuration on 3800D.
Log & Report
Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.
Security Fabric
Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
SSL VPN
Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
System
Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
460617 GUI FortiGuard Check Again button doesn’t work as expected due to FortiGuard service 8888/53 incorrectly routed.
466048 Huawei USB LTE E3276 cannot be detected.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
472843 When FMG is set for DM (set verify-install disable), FGT does not always save script changes.
474132 FG-51E hang under stress test since build 0050.
475539 Inaccurate netflow export. Traffic measurements do not match with SNMP readings.
477870 Alias for modem interface present in GUI but not in CLI.
482497 Running diagnose npu np6lite session in FGT-201E results in high CPU and system instability.
494042 If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.
494603 FortiGate in transparent mode is not accessible over https/ssh (administrative access) once trusted host is configured.
Upgrade
Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and webfilter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1.
Workaround: Use CLI to rename the user bookmark to the new name.
VM
Bug ID Description
491974 Possible memory leak in awsd.
Web Filter
Bug ID Description
480003 FortiGuard category does not work in NGFW mode policy.
486171 The Web Rating Overrides option doesn’t work with flow-mode.
490377 The Web Rating Overrides option doesn’t work properly on proxy-based.
Webproxy
Bug ID Description
474296 High memory usage on WAD process.
491424 Adjust the proxy-auth-timeout default value and unit.
491630 With UTM enabled, client fails to get response from server and gets 500 Internal error.
Best regards,
The B&B Team
Security in Business