Fortinet has released a newer version of FortiOS, numbered 6.0.12. The update improves the protocol used between the FortiGate device and FortiGuard. It also fixes SSL-VPN connections, where the problem was the connection being dropped while a URL was being parsed. The newer version corrects the behaviour of the FortiGate 1500D, which suffered from an issue that caused a loop on an interface, and the VLAN could then be disabled on the switch side. In FortiView, the incorrect display of byte counts for VPN connections has been corrected. Version 6.0.12 also improves IPS, which kept crashing while ipshelper drove up CPU usage. For more details, read on.
Currently supported models:
Platform | Models |
---|---|
FortiGate | FG-30D, FG-30D-POE, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-3960E, FG-3980E, FG-5001D, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-30D, FWF-30D-POE, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D |
FortiGate Rugged | FGR-30D, FGR-35D, FGR-60D, FGR-90D |
FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN, FG-VM64-GCP, FG-VM64-OPC, FG-VM64-GCPONDEMAND |
Pay-as-you-go images | FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN |
FortiOS Carrier | FortiOS Carrier 6.0.12 images are delivered upon request and are not available on the customer support firmware download page. |
Resolved issues:
Antivirus
Bug ID | Description |
---|---|
582368 | URL threat detection version shows a large negative number after FortiGate reboots. |
Firewall
Bug ID | Description |
---|---|
520558 | Should not do passive port NAT for FTP session helper. |
643446 | Fragmented UDP traffic is silently dropped when fragments have different ECN values. |
683604 | When changing a policy and creating a firewall sniffer concurrently, there is traffic that is unrelated to the policy that is being changed and matching the implicit deny policy. Some IPv4 firewall policies were missing after the change. |
FortiView
Bug ID | Description |
---|---|
650447 | Negative byte value shown on FortiView > VPN (drilldown for SSL VPN users) when using 24 hours time period. |
GUI
Bug ID | Description |
---|---|
587673 | On Proxy Policy page, the default view method Interface Pair View is not clickable. |
662434 | Aggregated interfaces in Zone are not displayed correctly. |
HA
Bug ID | Description |
---|---|
507013, 525522 | HA configuration checksum mismatch between debug zone and checksum. |
530215 | Application hasync may crash several times due to accessing memory out of bound when processing hastat data. |
540600 | The HA hello-holddown value is divided by 10 in the hatalk daemon, which makes the hello-holddown time 10 times less than the configuration. |
584551 | hatalk keeps exchanging heartbeat packet incorrectly with FortiManager. |
601550 | Application hasync may crash several times due to accessing memory out of bound when processing hastat data. |
621583 | HA status is not displayed in the GUI when HB cables reconnect. |
637711 | CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary devices. |
643958 | Inconsistent data from FFDB caused several confsyncd crashes. |
651674 | Long sessions lost on new primary after HA failover. |
654341 | The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one VDOM. |
Intrusion Prevention
Bug ID | Description |
---|---|
668631 | IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates. |
IPsec VPN
Bug ID | Description |
---|---|
610203 | When an offloaded IPsec SA uses NP6 reserved space, it gets stuck and packets on the tunnel start to drop. |
Log & Report
Bug ID | Description |
---|---|
513959 | Memory usage in event log does not match the number in get system performance status. |
551031 | FortiGate lost logs to FortiAnalyzer when route was changed and without physical interface being down. |
555161 | Application miglogd crashes when numerous DLP logs are generated, where DLP archive files use up system inodes. |
634947 | rlogd signal 11 crashes. |
643099 | logid=0000000020 is generated even with set logtraffic disable in the policy. |
Proxy
Bug ID | Description |
---|---|
501299 | WAD sometimes does not spawn any workers when configuring FG-101E after a factory reset. |
578850 | Application WAD crash several times due to signal alarm. |
603195 | Multiple WAD crashes with signal 11. |
615391 | Reusing the buffer region caused frequent WAD crashes. |
617099 | WAD crashes every few minutes. |
620453 | Application WAD crash several times due to signal alarm. |
621787 | On some smaller models, WAD watchdog times out when there is a lot of SSL traffic. |
653099 | Wildcard URL filter in proxy mode with ? and * not always handled properly. |
Routing
Bug ID | Description |
---|---|
576930 | Time stamps are missing in routing debugs. |
593887 | High CPU usage from link monitor daemon. |
641022 | Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP changes. |
Security Fabric
Bug ID | Description |
---|---|
609182 | Security Fabric Settings page sometimes cannot load FortiSandbox URL threat detection version despite FortiSandbox being connected. |
SSL VPN
Bug ID | Description |
---|---|
548599 | SSL VPN crashes on parsing some special URLs. |
551695 | Office365 applications through SSL VPN bookmarks. |
573727 | Cannot establish an SSL VPN connection using FortiClient for Mac OS when os-check is enabled and the action is allow. |
573853 | TX packet drops on SSL root interface. |
580377 | Unable to access https://outlook.office365.com as bookmark in SSL VPN web mode. |
591613 | https://outlook.office365.com cannot be accessed in SSLVPN web portal. |
596273 | sslvpnd worker process crashes, causing a zombie tunnel session. |
608453 | Internal website is not accessible from SSL VPN due to some Sage X3 JS files with errors. |
610995 | Error in SSL VPN web mode when accessing internal website, https://st***.st*.ca/. |
617170 | https://outlook.office365.com cannot be accessed in SSLVPN web portal. |
622068 | Adding FQDN routing address in split tunnel configuration injects single route in client for multiple A records. |
633114 | Cannot access internal website pl***.fr using SSL VPN web mode. |
633684 | Host check causing Mac users to be unable to connect to SSL VPN. |
644506 | Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password. |
646429 | Update Telnet idle timeout setting. |
648192 | Improve DTLS tunnel performance by allowing multiple packets to be read from the kernel driver, and redistribute the UDP packets to several worker processes in the kernel. |
648433 | Internal website loading issue in SSL VPN web portal. |
656557 | The map on the http://www.op***.org website could not be shown in SSL VPN web mode. |
662042 | The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal. |
664121 | SCM VPN disconnects when performing an SVN checkout. |
665879 | When sslvpn processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML. |
670803 | Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode. |
System
Bug ID | Description |
---|---|
508085 | The address object is still created even if the user sets an invalid address. |
540354 | WAD high CPU usage on FortiGate models not supporting SSH proxy in FOS 5.6. After upgrade to FOS 6.0, the SSL SSH profile certificate-inspection has its SSH status incorrectly set to deep inspection. |
571720 | Using DHCP to acquire addresses for mode-config with certificates fails to send DHCP request. |
585841 | Console prints out unregister_netdevice error on UOM setup. |
587521 | In VIP server load-balancing, persistence http-cookie is not refreshed after the timer. |
598464 | Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side. |
605723 | FG-600E stops sending out packets on its SFP and copper port on NP6. |
623775 | newcli daemon crash due to FTM user token activation email processing. |
627629 | DHCP client sent invalid DHCPREQUEST format during INIT state. |
628642 | Issue when packets from the same session are forwarded to each LACP member when NPx offloading is enabled. |
631296 | Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency. |
633827 | Errors during fuzzy tests on FG-1500D. |
634929 | NP6 SSE drops after a couple of hours in a stability test. |
642005 | FortiGate does not send service-account-id to FortiManager via fgfm tunnel when FortiCloud is activated directly on the FortiGate. |
649729 | HA sync packets are hashed to a single queue while sync-packet-balance is enabled. |
660709 | The sflowd process has high CPU usage when application control is enabled. |
666030 | Empty firewall objects after pushing several policy deletes. |
User & Device
Bug ID | Description |
---|---|
604844 | The user group auth-concurrent setting is not working as expected. |
637577 | Inconsistent fnbamd LDAP group match result. |
675539 | FSSO collector status is down, despite that it is reported as connected by authd in a multi-VDOM environment. |
VM
Bug ID | Description |
---|---|
656701 | FG-VMX service manager enters conserve mode; cmdbsvr has high memory utilization. |
Web Filter
Bug ID | Description |
---|---|
553593 | diagnose debug urlfilter test-url <URL> returns URL test cache miss even though the test URL is in the web filter rating cache. |
WiFi Controller
Bug ID | Description |
---|---|
608717 | Packet loss over CAPWAP tunneled SSID. |
618456 | High cw_acd usage upon polling a large number of wireless clients with REST API. |
680503 | The current Fortinet_Wifi certificate will expire on 2021-02-11. |
Common Vulnerabilities and Exposures
Bug ID | CVE references |
---|---|
606237 | FortiOS 6.0.12 is no longer vulnerable to the following CVE Reference: |
Known issues:
Antivirus
Bug ID | Description |
---|---|
590092 | Cannot clear scanunit vdom-stats to reset the statistics on ATP widget. |
Firewall
Bug ID | Description |
---|---|
508015 | Editing a policy in the GUI changes the FSSO setting to disable. |
591731 | Cannot reorder shaping policy via GUI or CLI (FG-100F). |
FortiView
Bug ID | Description |
---|---|
527540 | On multiple pages, the Quarantine Host option is not clickable on a registered device. |
GUI
Bug ID | Description |
---|---|
467495 | An incorrect warning message appears that the proxy policy has no source interface. |
545900 | GUI shows Failed to save changes when trying to reorder a policy in the list. |
IPsec VPN
Bug ID | Description |
---|---|
670025 | IKEv2 fragmentation-mtu option is not respected when EAP is used for authentication. |
Log & Report
Bug ID | Description |
---|---|
592766 | Log device defaults to empty and cannot be switched on in the GUI after enabling FortiAnalyzer Cloud. |
Proxy
Bug ID | Description |
---|---|
584719 | WAD reads ftp over-limit multi-line response incorrectly. |
SSL VPN
Bug ID | Description |
---|---|
599960 | RADIUS user with local token push cannot log in to SSL VPN portal/tunnel when they are prompted to change the password. |
System
Bug ID | Description |
---|---|
585053 | NP6 VLAN LACP-based interface RX/TX counters not increasing. |
607565 | Interface emac-vlan feature does not work on SoC4 platform. |
611512 | When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE. |
662681 | Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes. |
657629 | ARM-based platforms do not have sensor readings included in SNMP MIBs. |
User & Device
Bug ID | Description |
---|---|
567831 | Local FSSO poller is regularly missing logon events. |
615513 | scep-url greater than 64 characters is not saved. |
WiFi Controller
Bug ID | Description |
---|---|
641042 | On FG-200D, TX packets are dropped on the SSID tunnel interface. |
Vendor release notes: FortiOS 6.0.12
Best regards,
The B&B Team
Security in Business