FortiOS 6.0.2
Fortinet has updated the software for FortiGate, released as version 6.0.2! The extensive list of resolved issues shows that the vendor has, as usual, done a thorough job. We therefore encourage you to update your devices and to read through the changes introduced in the FortiOS operating system.
Resolved issues:
AntiVirus
Bug ID Description
487946 MSS value increases when AV or WEB filter in use resulting in Packet too big message.
489308 scanunit process frequently crashes.
497371 Flow-AV blocks Windows updates (.cab files).
Application Control
Bug ID Description
423140 All IPS sessions lost when new custom signature added.
Authentication & User
Bug ID Description
477392 Cannot use FAC username/password and FortiToken two-factor authentication to log in to HA slave unit.
481469 Failed to resolve hostname for configured CRL URL on a non-management VDOM.
488566 Renaming guest user group name doesn’t reflect under Guest administrator account assigned leads to black page.
491175 diag test application fnbamd 1 causes fnbamd to enter an idle state and causes authentication failure.
491235 New diag command diag test app wad 13.
491241 Enhance diag command diag test app fnbamd 1.
493470 Authenticated user receives Oops "Authentication requested" referencing a proxy policy which does not have authentication.
493930 Admins who use dedicated HA mgmt interfaces are not visible in the CLI.
495210 Guest user accounts do not show expiration time, but time until expiration only.
496524 After successful wired portal auth, the wired PC still gets many http redirection and fails to access the internet.
Connectivity
Bug ID Description
463982 FortiManager IP is unset in FortiGate CM.
479607 Scheduled auto-update happens twice in 10 seconds but a log entry for the first try is not logged.
481058 Configuration revision control list can’t be retrieved from FortiCloud.
DLP
Bug ID Description
478524 Diskless model missing full-archive-proto in config DLP sensor when only FortiCloud logging enabled.
486958 Scanunit signal 14 alarm clock caused by DLP scanning bz2 file.
492624 DLP blocking web sites in FortiOS v6.0 GA.
496255 Some XML-based MS Office files are recognized as ZIP files.
Firewall
Bug ID Description
474612 SNAT is using low ports below 1023.
475539 Inaccurate netflow export. Traffic measurements do not match with SNMP readings.
478681 Should be able to disable SNAT when a VIP exists and central-NAT is enabled.
492961 Set utm-status disable did not hide profile-group. Unset profile-group will make profile-protocol-options empty.
498188 Dirty_session_check in FortiGate drops all established VIP64 sessions.
502579 Local-In-Policies with FQDN address is not working after upgrade from 5.6 to 6.0.1.
FortiView
Bug ID Description
414172 HTTPsd / DNSproxy/ high CPU/memory with high rate UDP 1Byte spoofing traffic.
GUI
Bug ID Description
402457 Suggest to improve IPsec VPN monitor page Proxy ID Source and Proxy ID Destination fields.
413881 VDOM link tooltip displays Failed to retrieve info.
444104 Accept/Decline buttons cannot be seen in GUI with a long login disclaimer and screen under certain resolutions.
449598 Remote LDAP User Definition wizard does not pull users.
457627 Want the ability to change the date/time format displayed in the GUI of the FortiGate.
457721 FortiLink Switch-controller GUI – allow user to edit Port Description for FortiLink/ISL.
457966 Virtual wire pair > Add VLAN range filter on GUI.
460617 GUI FortiGuard Check Again button doesn’t work as expected due to FortiGuard service 8888/53 incorrectly routed.
462011 GUI is blank when accessed with RADIUS user with read-access profile and the FortiGate is managed by FortiManager.
462072 GUI should show full FQDN name in reputation search result.
468465 Some filters do not return logs when source is FortiCloud.
468797 Cannot filter by date or timestamp when viewing logs from FortiCloud.
469082 prof_admin profile admins are not able to display GUI IPv4 source address.
470241 Raw logs are downloaded from the default location even if you select another log device in GUI.
472023 Outbreak prevention detection makes "clean" counter increment in Advanced Threat Protection Stats widget.
472558 DHCP Server GUI – GUI populates wrong information when switching from DHCP Relay to DHCP Server.
473808 Column filter is not persistent and is removed after refreshing the page.
474807 Cannot restore default page in replacement message group.
475036 Virtual Server Duplicate Entry found error in GUI.
477393 Negative values in Load Balance monitor logs.
477870 Alias for modem interface present in GUI but not in CLI.
479468 The link status is lost after SD-WAN GUI changes to List Edit.
479937 GUI should hide options that don’t apply to certificate inspection.
481902 When accessing FortiView > Websites page, gets error Failed to get FortiView data and httpsd keeps crashing.
482628 CPU.Speculative.Execution.Timing.Information.Disclosure signature can’t be filtered if Application is selected.
489674 When scrolling to the end of a muTable, the GUI should show 100% of entries.
489675 The Firefox web browser sometimes cannot delete performance SLA rules.
489715 Destination address should not be mandatory in GUI in SD-WAN Rules.
492898 Cannot delete FSSO AD group entries in GUI anymore.
493351 Object tooltip of last page should not always display on current page.
493773 SD-WAN rule in GUI unable to select (whether as source or destination) the address group grp_citrixfarm.
494724 When creating trunk interface on managed FSW, FSW ports in right-side list show down, even when some are up.
496613 Editing web filter profile in GUI deletes web-proxy profile and URL filter entries.
497667 FortiSwitch Ports page loads very slowly.
502785 Remove # of interfaces from device list.
HA
Bug ID Description
408886 Uninterrupted upgrade from B718 to tag 9702 failed with 1.5M BGP routes and 6M sessions load.
461915 When standalone config sync is enabled in FGSP, IPv6 setting of interface is synced.
473806 Management interface IP address replicating to slave when using standalone management VDOMs.
474622 IPsec itn=0 after a unit joins an FGSP cluster.
482548 Conserve mode caused by hasync consuming most of memory.
485340 Cluster Uptime: -141 days -20:-31:-50.
486552 vcluster HA failover fails with large site-to-site IPsec VPN configuration on 3800D.
487444 FortiGate stops accepting traffic from any interface in a hardware switch after HA failover in 80/81E.
491311 Management port has sync’ed when creating a new NAT VDOM.
493759 When vcluster2 is removed from HA config, all active sessions are killed once session-ttl is reached.
494029 After failover, sometimes cannot connect to management-ip of backup device.
501147 Moving VDOM to virtual cluster from GUI causes cluster to go out of sync.
IPS
Bug ID Description
478185 Improve the ability to detect fragmented intrusion attacks.
489557 Strange traceroute issues when IPS is enabled.
IPsec VPN
Bug ID Description
486756 Traffic is not fragmented for IPsec VPN when Proxy-based UTM is enabled.
489990 Make PKI validation of IDi & Certificate Identity optional.
490066 FortiClient with IPsec with Proxy / Webfilter – Fragmentation is needed.
491305 Packet from FortiClient cannot go through VXLAN over IPsec depending on packet size.
492046 FortiGate does not respond to INFORMATIONAL exchange message as requested by RFC.
493918 Memory leak with IKED.
Log & Report
Bug ID Description
459306 Suggest to lower Threat Level for oversized file.
493140 Need to see application signature names instead of LDS under Logs & Report > System event logs.
494040 Creating or modifying security profiles generate multiple logs with misleading action.
497357 FortiGate logs show the action as block when we use DNS filter and if a DNS query timeout happens.
498519 Web filter authentication failed to set status field in the event log message.
Proxy
Bug ID Description
479678 IPpool does not work properly in explicit Proxy-policy.
482916 WAD crashes with signal 6.
486821 Web application Symphony fails with AV profile enabled in policy.
487096 SSL handshake fails when activate ESET application.
491417 FortiGate is dropping server hello packets when URLFILTER is enabled.
491424 Adjust the proxy-auth-timeout default value and unit.
491630 With UTM enabled, client failed to get response from server, gets 500 Internal error.
494081 WAD process crashes with signal 11 after upgrading the firmware to v5.6.4.
Router
Bug ID Description
443948 High memory usage for zebos_launcher and isisd.
482631 OSPF adjacencies lost, FGFMD high CPU while pushing policies from FortiManager.
491423 BGP shutdown neighbor capability-default-originate parameter always in use.
491679 FortiGate chooses higher metric OSPF E2 route for traffic under some circumstance.
492063 Route map not able to set attribute with BGP conditional advertisement.
493454 Large PIM SM bootstrap packets are not forwarded with kernel 3.2.
494393 Router access list should not default to prefix any and exact match disable.
500673 SD-WAN rules with application do not work after HA switchover.
SSL VPN
Bug ID Description
466438 High CPU usage by sslvpnd.
483712 sslvpnd consumes high memory causing FortiGate to enter conserve mode.
486918 SSL VPN web mode unable to load the page correctly.
489827 In SSL VPN web mode, Visteon.service-now.com/vss URL is not loading.
491895 Web mode SSL VPN HTTP bookmark not working.
494948 Confluence software is not rendered correctly in web mode.
494960 SSL VPN web mode has trouble loading internal web application.
494978 authd registers SSL VPN user with wrong user/group information, breaking SSL VPN after upgrade to 5.6.4.
498249 Need to update SCEP over SSL host name/certificate check.
501769 SSL VPN: Bookmark to internal web site not loading correctly – JavaScript errors.
Switch
Bug ID Description
493685 Hardware switch flooding traffic.
System
Bug ID Description
370953 SLBC worker blade failed to re-synchronize with the config master blade due to the frozen confsync daemon.
394509 No log entry for failed admin PKI authentication.
414081 SMB1 support has been disabled by default on some models.
441483 Confused by set enable-shaper disable to enable HPE protection.
459273 Slave worker blade loses local administrator accounts.
462178 Front panel SPEED LED is flashing green when transmitting and receiving data.
466317 [api] is in Z state.
468938 Kernel panic on 3700D – slave.
472267 DNS filter performance improvement.
472270 SNMP feature for DNS filter counts.
473354 Suggest enable per-session-accounting on NP6Lite by default.
477886 PRP support.
479142 SLBC 5001D slave blade going out of sync.
481783 DHCP address assignment sometimes fails – DHCPD crashing multiple times.
485781 Deleting EMAC VLAN interface on a different VDOM causing connectivity loss to the EMAC VLAN for 5-7 pings.
493219 Softirq and nice are taking high CPU resources when sending and receiving packets with a virtual wire pair.
494603 FortiGate in transparent mode is not accessible over https/ssh (administrative access) once trusted host is configured.
494707 FortiGate trusthost settings not respected.
499332 No error message when configuring address .067 and address converted with .55.
499435 Allow packet sniffer to use RAM disk.
499793 FortiGate set wrong timezone for Paraguay.
Upgrade
Bug ID Description
495994 After upgrade to 5.4.9, observing a lot of IPS syntax errors on the console screen.
VM
Bug ID Description
493225 FTG-VM01 is missing diag sys mpstat command option.
499154 FortiGate Azure rejects static route configure pushing from FortiManager.
501911 In FOS-AWS prompt, user password = instance ID, and force user to change password upon initial log in.
VoIP
Bug ID Description
478634 Debug commands for SIP filter are not applied.
Web Filter
Bug ID Description
454634 Web filter set warning-prompt per-domain is warning per-category instead of per-domain.
476806 FortiOS incorrectly sends ICMP "Destination Unreachable" with WF/certificate inspection.
486171 The Web Rating Overrides option doesn’t work with flow-mode.
490377 The Web Rating Overrides option doesn’t work properly on proxy-based.
498231 Web sites like FedEx.com are incorrectly categorized as malicious.
Web Proxy
Bug ID Description
500182 UDP over SOCKS proxy.
WiFi
Bug ID Description
471638 FortiGate disconnects all clients when they roam from AP to AP.
479415 Incorrect auth-success-page Authentication Success Page Replacement message.
491248 VAP RADIUS-based MAC authentication should support CoA.
491769 Support for third-party external portal with RADIUS MAC authentication.
495995 Custom categories override doesn’t work.
Common Vulnerabilities and Exposures
Bug ID CVE references
450553 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:
CVE-2017-12150
CVE-2017-12151
CVE-2017-12163
487421 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:
CVE-2018-13365
495090 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:
CVE-2018-13366
496431 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:
CVE-2018-9192
499552 FortiOS 6.0.2 is no longer vulnerable to the following CVE Reference:
CVE-2016-7431
Known issues still to be resolved:
Application Control
Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
FortiGate 3815D
Bug ID Description
385860 FG-3815D does not support 1GE SFP transceivers.
FortiSwitch-Controller/FortiLink
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.
357360 DHCP snooping may not work on IPv6.
FortiView
Bug ID Description
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
453610 FortiView > Policies (or Sources) > Now shows nothing when filtered by physical interface in PPPoE mode.
460016 In Fortiview > Threats, drill down one level, click Return and the graph is cleared.
482045 FortiView – no data shown on Traffic from WAN.
494731 Incorrect reporting in Fortiview.
GUI
Bug ID Description
256264 Realtime session list cannot show IPv6 session and related issues.
439185 AV quarantine cannot be viewed and downloaded from detail panel when source is FortiAnalyzer.
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
451776 Admin GUI has limit of 10 characters for OTP.
470589 The Forward Traffic Log Details panel Security tab does not display security log details when multiple log devices are enabled.
487350 FortiGuard Filtering Services Availability showing Unavailable on GUI when no valid Anti-spam license is present.
493839 Cannot change quota type (time-based, traffic-based).
HA
Bug ID Description
451470 Unexpected performance reduction in case of Inter-Chassis HA fail-back with enabling HA override.
479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).
503433 hasync daemon crashes when admin session times out and cluster could be out of sync for a short period.
IPS
Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.
IPsec VPN
Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.
Log & Report
Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create webfilter logs.
Security Fabric
Bug ID Description
403229 In FortiView display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
SSL VPN
Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
System
Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
364280 User cannot use ssh-dss algorithm to login to FortiGate via SSH.
436746 NP6 counter shows packet drops on FG-1500D. Pure firewall policy without UTM.
440411 Monitor NP6 IPsec engine status.
466048 Huawei USB LTE E3276 cannot be detected.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132 FG-51E hang under stress test since build 0050.
482497 Running diagnose npu np6lite session in FGT-201E results in high CPU and system instability.
494042 If we create VLAN in VDOM A, then we cannot create ZONE name with the same VLAN name in VDOM B.
Upgrade
Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and webfilter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show after upgrading to 6.0.1.
Workaround: Use CLI to rename the user bookmark to the new name.
Web Filter
Bug ID Description
480003 FortiGuard category does not work in NGFW mode policy.
More information can be found in the release notes: Release notes
Best regards,
The B&B Team
Security in business