Fortinet publikuje aktualizację systemu operacyjnego dedykowanego dla FortiGate oznaczonego numerem wersji 6.0. Nowa wersja – 6.0.10 oprogramowania FortiOS zawiera wiele poprawek, które eliminują błędy związane z SSL VPN i portalem WEB (problem z połączeniami RDP), oraz zbyt wysokim zużyciem zasobów. Oprócz tego wyeliminowano błędy związane z dynamicznym routingiem! Więcej informacji w artykule poniżej!

Rozwiązane problemy:

Antivirus

Bug ID	Description
553143	Redundant logs and alert emails sent when file is sent to FortiSandbox Cloud via Suspicious Files Only.
560044	Slave blades occasionally report critical log event Scanunit initiated a virus engine/definitions update.
561524	Cannot send an email with PDF attachment when FortiSandbox Cloud inspection is enabled.
562037	CDR does not disarm files when they are sent over HTTP POST, despite AV logs showing file has been disarmed.
563250	Shared memory not emptying out properly under /tmp.
581460	FG-30E AV TP mode cannot log and block oversize files.

Data Leak Prevention

Bug ID	Description
563447	Cannot download DLP archived file from GUI for HTTPS, FTPS, SMTP and SMTPS.
607444	DLP quarantines IP when no quarantine action is configured.

Explicit Proxy

Bug ID	Description
603707	The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.

Firewall

Bug ID	Description
597110	When creating a firewall address with the associated-interface setting, cmd will stuck if there is a large nested addrgrp.
604886	Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.
611840	Firewall policy search with decimal in the name fails in GUI.

GUI

Bug ID	Description
574101	Empty firmware version in Managed FortiSwitch GUI page.
586604	No matching IPS signatures are found when the Severity or Target filters are applied.

HA

Bug ID	Description
531083	Configuration of HA pair of FortiGates goes out of sync when removed from central management (FortiManager).
540632	In HA, management-ip that is set on a hardware switch interface does not respond to ping after executing reboot.
586004	Moving VDOM via GUI between virtual clusters causes cluster to go out of sync and VDOM state work/standby does not change.
621621	Ether-type HA cannot be changed.

Intrusion Prevention

Bug ID	Description
540718	Signal 14 alarm crashes were observed on DFA rebuild.
579018	IPS engine 5.030 signal 14 alarm clock crash at nturbo_on_event.
608501	IPS forwards attacks that are previously identified as dropped.

IPsec VPN

Bug ID	Description
516029	Remove the IPsec global lock.
532594	IKED crashed using ADVPN and OSPF.
602240	IKEv2 EAP-TLS handshake detected retransmit of client, but FortiGate does not retransmit its response.
604923	IKE memory leak when IKEv2 certificate subject alternative name/peer ID matching occurs.
612319	MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and makes fragmentation high.

Log & Report

Bug ID	Description
531994	User group is not included in traffic log for transparent web proxy policy when traffic is allowed.
608565	FortiGate sends incorrect long session logs to FortiGate Cloud.

Proxy

Bug ID	Description
578251	Download bandwidth under FortiView is not accurate when traffic is being inspected by proxy mode AV.
622818	Breakout traffic is wrongly denied by proxy policy.

Routing

Bug ID	Description
560633	OSPF route for ADVPN tunnel interface flaps.
593864	Routing table is not always updated when BGP gets an update with changed next hop.
600332	SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.
630758	When an obsolete ISDB ID is used in a static route, a default route is created after rebooting.

SSL VPN

Bug ID	Description
476377	SSL VPN FortiClient login with FAC user FTM two-factor fail because it times out too fast.
525106	HTML PABX Admin Console not working correctly in SSL VPN mode.
525342	In some special cases, SSL VPN main state machine reads function pointer is empty that will cause SSL VPN daemon crash.
556657	Internal website not working through SSL VPN web mode.
561585	SSL VPN does not correctly show Windows Admin center application.
563022	SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.
573853	TX packet drops on SSL root interface.
574724	In some lower-end FortiGates, the threshold of available memory is not calculated correctly for entering SSL VPN conserve mode. Threshold should be 10% of total memory when the memory is larger than 512 MB and less than 2 GB.
577522	SSL VPN daemon crashes when logging in several times with RADIUS user that is related to a framed IP address.
582265	RDP sessions are terminated (disconnect) unexpectedly.
588066	SSO for HTTPS fails when using „\” (backslash) with the domain\username format.
596441	FortiOS does not correctly re-write the Exchange OWA logoff URL when accessed via SSL VPN bookmark.
597658	Internal custom web application page running on Apache Tomcat is not displaying in SSL VPN web mode.
599394	SSL VPN web portal bookmarks are not full loading for Vivendi SelfService application.
600029	Sending RADIUS accounting interim update messages with SSL VPN client framed IP are delayed.
601084	Site in .NET framework 4.6 or 4.7 not loading in SSL VPN web mode.
601867	SSL VPN web mode cannot open DFS share subdirectories, gives invalid HTTP request message.
604772	SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated.
610564	RDP over web mode SSL VPN to a Windows Server changes the time zone to GMT.
619306	SSL VPN daemon crash when multiple sessions are conflicting.
621270	SSL VPN user groups are corrupted in auth list when the user is a member of more than 100 groups.
622110	SSL VPN disconnects when importing or renaming CA certificates.
635240	The SSL VPN connection is not empty after destroying it, so it may be reused and crashes.

System

Bug ID	Description
511790	Router info does not update after plugging out/plugging in USB modem.
544570	Master unit does not send SNMP trap for all SNMP servers when plugging out the cable from the LAG configured interface.
567019	CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots.
569652	High memory utilization after upgrading FortiOS and IPS engine.
580038	Problems with cmdbsvr while handling a large number of FSSO address groups and security policies.
581496	FG-201E stopped sending out packets; NP6lite is stuck.
581528	SSH/RDP sessions are terminated unexpectedly.
582536	Link monitor behavior is different between FGCP and SLBC clusters.
587911	FortiGate 200D is dropping packets.
592827	FortiGate is not sending DHCP request after receiving offer.
604613	sentbyte of NTP on local traffic log shows as 0 bytes, even though NTP client receives the packet.
607452	Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash.
608442	After a reboot of the PPPoE server, the FortiGate (PPPoE clients, 35 clients) keeps flapping (connection down and up) for a long time before connecting successfully.
610604	hasync and cmdbsvr processes crash on slave unit, causing failed httpsd, fgfmd, and snmpd on the master.
610900	Low throughput on FG-2201E for traffic with ECN flag enabled.
612351	Many no session matched logs while managing FortiGate.
614355	VPN interface is not pingable while NPU is enabled (FG-60F/61F).
616022	Long delay and cmdbsvr at 100% CPU consumption when modifying address objects and address groups via GUI or REST API.
617409	The FG-800D HA LED is off when HA status is normal.
636069	Unable to handle kernel NULL pointer dereference at 000000000000008f.

User & Device

Bug ID	Description
538925	Collector agent cannot be contacted after rebooting or restarting authd if FQDN is used on FSSO server.
586334	Brief connectivity loss on shared service when RDP session is logged in to from local device.
587293	The session to the SQL database is closed as timeout when a new user logs in to terminal server.
597884	Global imported local certificates can no longer be used in VDOMs.
605437	FortiOS does not understand CMPv2 grantedWithMods response.
605950	RDP sessions are terminated (disconnect) unexpectedly.

VM

Bug ID	Description
614038	vMotion causing sessions to be disconnected as it consider sessions stateless.

VoIP

Bug ID	Description
620742	RAS helper does not NAT the port 1720 in the callSignalAddress field of the RegistrationRequest packet sent from the endpoint.

Web Filter

Bug ID	Description
510509	Static urlfilter changes do not always work properly or take immediate effect.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID	CVE references
558685	FortiOS6.0.10 is no longer vulnerable to the following CVE Reference: CVE-2020-12812
576090	FortiOS 6.0.10 is no longer vulnerable to the following CVE Reference: CVE-2019-17655

Znane problemy do rozwiązania:

Antivirus

Bug ID	Description
590092	Cannot clear scanunit vdom-stats to reset the statistics on ATP widget.

Firewall

Bug ID	Description
508015	Editing a policy in the GUI changes the FSSO setting to disable.

FortiView

Bug ID	Description
527540	Cannot click the Quarantine Host option on a registered device.

Log & Report

Bug ID	Description
592766	Log device defaults to empty and cannot be switched on in the GUI after enabling FortiAnalyzer Cloud.

Proxy

Bug ID	Description
584719	WAD reads ftp over-limit multi-line response incorrectly.

System

Bug ID	Description
609668	VLANs under LAGs do not show RX/TX packets.

User & Device

Bug ID	Description
567831	Local FSSO poller is regularly missing logon events.

FortiOS 6.0.10 – Notatki do wydania

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

FortiGate fortios 6.0.10