
Fortinet has published an update to the operating system for FortiGate, version 6.0.X. In the new release the vendor has fixed, among other things, problems with displaying the list of devices connected to the ports of switches managed from FortiGate. Although more devices were detected, only 3 were shown, and the list of the remaining devices was not displayed correctly. This is of course only one of several dozen issues Fortinet has resolved in FortiOS 6.0.5, so we encourage you to update your devices and to read about the changes introduced in the new version of the operating system.

Resolved issues:

Antivirus

Bug ID Description
519759 Process scanunit crashes in removeTransformCleanup when Outbreak prevention is enabled.
525711 FortiGate not sending email headers to FortiSandbox.
530210 Content Disarm cleans file even when it was flagged Clean in FortiSandbox.

Data Leak Prevention

Bug ID Description
518146 DLP incorrectly blocking .deb file extension (DLP log unclear for matches in archive files).
524910 DLP profile to block the file name pattern "*" not blocking uploaded files.
530470 DLP blocking html file categorized as bat file.

DNS Filter

Bug ID Description
525068 No need to resolve safe search FQDN if not used.

Endpoint Control

Bug ID Description
521645 Traffic blocked after enabling Compliance on SSL VPN interface.
525179 FortiGate fails to assign FortiClient Compliance profile based on LDAP group membership.

Firewall

Bug ID Description
492034 Traffic not matching expected sessions and getting denied.
525995 Session marked dirty when routing table update for route which is not related to the session.
526748 Firewall policies with action DENY show Default proxy-options applied in GUI.
528464 Disappearing policy add. Also happens in 6.0.3 build 0200.
536868 A FortiGate in TP mode with set send-deny-packet enabled policy, generates strange ICMP-REPLY for TCP SYN/ICMP-REQUEST/UD.

FOC

Bug ID Description
536520 GTP Tunnel States are not synced on subordinate unit after a reboot.

FortiView

Bug ID Description
521497 The FortiView All Sessions real time view is missing right-click menu to end session/ban ip.
527708 Policy ID hyper link in policy view is missing.
527751 No user name on Fortiview > Sources main page
527775 FortiView logs entries do not refresh on log drill down page.
527952 FortiView > WiFi Clients > drill down > Sessions gets nothing at final drill down if device identification is disabled.
528684 FortiView > Bubble Chart cannot drill down on Firefox 63 with ReferenceError: "event is not defined".
528744 FortiView > Traffic Shaping displays data with error message if switched from other pages in custom period.
529313 FortiView > Web Sites > Web Categories drill down displays all entries in Policies tab.
529558 System Events widget shows No matching entries found when drilling down HA event.
538873 Traffic shaper info missing under Shaper column in FortiView.
539981 Unable to see Source DNS Name in FortiView.

GUI

Bug ID Description
473148 FGT5001D Sessions widget in Dashboard show negative % for nTurbo after throughput test.
477493 GUI fails to read correct Last Used time for firewall policy.
479482 Timeout does not work properly if user moves away from FortiGate GUI.
493704 While accessing FortiGate page, browser memory usage keeps spiking and finally PC hangs.
498738 GUI creating B/W widget referencing SIT-Tunnel generates error.
509791 Editing Address Objects name within SSL-SSH inspection profile selection pane cause loss of Address/Web exemption objects.
509978 Unable to download the results of the scheduled script.
521253 LAG interface is not listed on the dropdown list when configuring DNS Service.
536841 DNS server in VPN SSL setting is overwritten when SSL-VPN settings are modified via GUI.

HA

Bug ID Description
494900 Interface faceplate on System > HA shows inconsistent port link status with interface faceplate on Network > Interface.
513940 Enormous amount of session between heartbeat Interfaces for port 703 (HASYNC).
516234 GUI checksums show slave is not synchronized when the master is synchronized.
518717 MTU of session-sync-dev does not come into effect.
526252 High memory caused by updated daemon.
526492 FGSP between two FGCP clusters – session expectation.
526703 FGSP of FGCP cluster, does not pickup NAT’ed sessions.
529274 Factory reset box failed to sync with master in multi-VDOM upgraded from 6.0.3.
530215 Application hasync *** signal 11 (Segmentation fault) received ***.
538289 Old master keeps forwarding traffic after failover.
541224 Network loop over virtual-wire-pair in HA mode if running diagnose sys ha reset-uptime.
547700 HA out of sync after upgraded in multi-VDOM environment.

Intrusion Prevention

Bug ID Description
452131 ipsengine up time on FG-51E is a negative number after changing db from extended to regular.
476219 Delay for BFD in IPinIP traffic hitting policy with IPS while IPsec calculates new key.
525398 Disabled and enabled IPS Signatures looks the same in IPS Sensor GUI.
528860 IPS archive PCAP periodically cannot capture.

IPsec VPN

Bug ID Description
514519 OSPF neighbor can’t up because IPsec tunnel interface MTU keeps changing.
518063 DPD shows unnegotiated and is not functioning correctly on ADVPN Spoke.
519187 IKE route should not be deleted if it is needed by other proxyids.
527137 Local GW disappears from GUI.
537140 IKEv2 EAP – FortiGate fails to respond to IKE_AUTH when ECDSA certificate is used by FortiGate.
537450 Site-to-site VPN policy based – with DDNS destination fail to connect.
537769 FortiGate sends failure response to L2TP CHAP authentication attempt before checking it against RADIUS server.

Log & Report

Bug ID Description
387324 Archive mark is always on under UTM logs page when log-display location set to FAZ.
521020 VPN usage duration days in local report is not correct.
528786 In Log viewer, forward traffic filter Result Accept(all)/Deny(all) does not work.

Proxy

Bug ID Description
458057 Constant DNS query on built-in FQDN cause network congestion.
470407 IPv6-Happy-Eyeballs-Mechanism not working with proxy-based Webfilter-Profile.
491675 FTP Server is not accessible when AV profile is set to proxy based inspection.
512936 SSL certificate inspection in proxy mode doesn’t use CN from Valid Certificate for categorization when SNI is not present.
516863 Webproxy learn-client-ip webfilter’s auth/warn/ovrd does not work.
525518 Skype call drops when handled by WAD process after around three sec of being answered.
526667 FortiGate doesn’t forward request:port command after 0 byte file transmission.
531575 Web site access failure due to OCSP check in WAD + Deep SSL inspection.
532121 WAD uses high CPU with "netlink recvmsg No buffer space available" after upgrade to 6.0.3+.
533838 WAD re-signs valid web sites with Untrusted CA certificate.
534346 WAD memory leak on OCSP certificate caching.
539452 FortiGate does not follow Authority key identifier when sending certificate chain in deep inspection.
544517 WAD process crashing and affecting HTTP/HTTPS traffic.
545964 FortiManager sends requests to FortiGate to collect proxy policy hit_count/bytes, and the response from FortiGate misses the uuid attribute.
549787 Unable to fetch the Root and Intermediate Certificate.

REST API

Bug ID Description
523902 REST API issue: Access Token only verifies the first 30 characters.

Routing

Bug ID Description
526008 Differences between routing table and kernel forward information. ADVPN + BGP.
527478 Proute list fill "null" application name.
528465 GRE tunnel does not come up.
529683 Upgrade from 5.6 to 6.0 causes all routes to be advertised in BGP.
531660 With VRRP use VRDST checking without default gateway.
531947 SD WAN IPsec interfaces keep failing over when link selection strategy is set to Custom-profile.
533018 Process nsm with high CPU when displaying the GUI section of IP4 and IPv6 policy when receiving full routing of BGP.
537110 BGP/BFD packets marked as CS0.
539982 Multicast failed after failover from another interface.
541072 BGPd crash.
544603 Multicast on interfaces with secondary IP addresses.
546198 SD-WAN performance SLA via GRE-Tunnel fails to set options or connect ping6 socket for monitor.

Security Fabric

Bug ID Description
525790 Not able to connect through SSL VPN to addresses resolved by SDN dynamic objects.

SSL VPN

Bug ID Description
493127 Connection to web server freezes when using SSL VPN web bookmark.
509333 SSL VPN to Nextcloud doesn’t open.
515370 SSL VPN access denied if address object added after group object in firewall policy.
517819 Unable to load web page in SSL VPN web mode.
517859 Unable to load web page for some internal web sites in SSL VPN web mode.
518406 Unable to load WebPage through SSL VPN webmode. Some js files of xunta internal web sites have problems.
519113 SSL VPN web mode SMB connection doesn’t work when enable then disable SMBCD debug.
520965 IBM QRadar page not displaying in SSL VPN web-mode.
521036 SSL VPN web mode access problem.
522987 Backup and restore the VDOM config with SSL VPN settings causes some critical flags and counter for SSL VPN to not update so SSL VPN stops working.
523450 Unable to access internal website via bookmark in SSL VPN web mode.
523647 Search result gives empty output upon accessing the URL https://ieeexplore.ieee.org via SSL VPN bookmark.
523717 Dropdown list can not get expanded through bookmarks (SSL VPN).
525375 Atlassian Confluence wiki Javascript problem via SSL VPN web mode.
527348 JavaScript script is not available when connecting using SSL VPN web mode.
527476 Update from web mode fails for SharePoint page using MS NLB.
528289 SSL VPN crashes when it receives HTTP request with header "X-Forwarded-For" because of the wrong use of sslvpn_ap_pstrcat.
529186 Problem loading reaching internal web server through SSL VPN Web bookmark when using HTTPS. Some js files of "srvdnsmgt" do not run correctly.
529512 SSL VPN user gets disconnected when load-balance-mode is measured-volume-based in SD-WAN.
530223 SSL VPN wants client certificate even when no client-cert for realm is configured.
530833 Synology NAS login page stuck after login when accessing by SSL VPN Web portal.
531827 Active cache memory leak after upgrade to 6.0.3 GA.
531848 FortiSIEM WebGUI does not load on web portal.
533008 SSL web mode is not modifying links on certain web pages.
536058 Redirected port is not entered in the URL through SSL VPN web mode.
538904 Unable to receive SSL tunnel IP address.
539187 SSL VPN random stale sessions exhausting IP pool.
546161 TX packet drops on ssl.root interface.

Switch Controller

Bug ID Description
490447 Multiple fortilinks flapped during staging upgrade.
527521 On FortiSwitch Ports page, Display More does not work.
530237 HA cluster out-of-sync after changing port POE mode on switch-controller managed-switch settings: Double commit.

System

Bug ID Description
370151 CPU doesn’t remove dirty flag when returns session back to NP6.
466805 Adding USB Host devices to a virtual machine connected by USB to FortiGate 500D causes the units to restart in loop.
468684 EHP drop improvement for units using NP_SERVICE_MODULE.
479533 skippingBad tar header message flooding on console after rebooting box and retrieving logs.
492655 DNSproxy does not seem to update link-monitor module.
493128 bcm.user always takes nearly 70% CPU after running Nturbo over IPsec script.
496934 New feature merge: DNS Domain List.
505252 EMAC VLAN: SNMP data is incorrect.
505522 Intermittent failure of DHCP address assignment.
510973 FortiGate with disk and send logs to FAZ has PCI alerts.
511018 SSH/SSL VPN connection to external VLAN interface drop by changing unrelated interface IP or restart OSPF.
513419 High CPU on some cores of CPU & packet drops around 2-3%.
519246 ipmc_sensord process not checking sensors due to pending jobs.
519493 MCLAG: if remote side change systemID, only one port goes down, the other remains up.
521193 DNSPROXY causing high CPU usage.
524422 Merge br_6-0_sp back to 6.0 and 6.2.
525813 FortiGate managed by FortiManager intermittently going offline after rebooting FortiGate.
526646 LAG interface flaps when the member ports go up.
526771 Allow sit-tunnel to not specify the source address.
526788 Password policy forces password change even if expire-status is disabled.
527390 Kernel panic in the HA cluster with FortiGate-3800D units running FortiOS v6.0.0 build 0200
527902 TXT records are truncated in DNS replies, when FortiGate is used as DNS server.
528004 Add global log device statistics to SNMP.
529932 Primary DNS server is not queried even after 30 seconds.
531584 Kernel Panic when Fragmented Multicast Traffic received on EMAC-VLAN interface.
533556 Read-only admin account can delete IPsec SA.
534757 Device 80D reboots every 2-3 days with a kernel panic error.
535730 Memory leak after upgrade to 6.0.4.
536817 FortiGate sending DHCP offer using broadcast.
538304 Aggregate interface (four member) flaps when the third member interface goes down.
539090 Modifying FortiGate administrator password to complex ones via SSH triggers a FortiManager password change by auto-update.
539444 5001D blade rebooted on its own due to kernel panic.
542441 SNMP monitoring of the implicit deny policy not possible.
547720 FortiGate does not support DH 1024 bits as SSH server.

Upgrade

Bug ID Description
498396 Upgrade from 5.2.13 to 5.4.9 is affected by application list global limit.
530793 config-error-log shows after upgrade from v5.6.6 to v5.6.7.
546874 Increase firewall.address tablesize for 80-90 series.

User & Device

Bug ID Description
517702 VPN certificate CA: shows newly added entry before reboot but not after.
525648 FortiOS does not prompt for token when Access-Challenge is received – RADIUS authentication fails.
525925 Unable to login to FortiGate using Symantec 2-factor authentication.
525929 LDAPS requests fail with fnbamd stop error "Not enough bytes". LDAP works fine. Additional timeout observed.
529945 Local certificate content changes should be directly applied for the admin-server-cert sent to the client browser.
535279 FortiGate sends error user password to RADIUS server for CMCC auth user sometimes.

VM

Bug ID Description
526471 VMX: Adding a security group with ~30+ devices into the redirection policy the connection starts to experience huge delay.
540062 Kernel panic after upgrade from 5.6.7 to 5.6.8.
542794 Session size overflow on VMX causing timeout and error on NSX vMotion task.

WCCP

Bug ID Description
529685 WCCP not use the tunnel.

Web Filter

Bug ID Description
509860 Regex case insensitivity flag is ignored in 5.6.5 and 6.0.2 when FortiGate is in proxy mode.
518433 FGT D series number of web filter profiles decreased globally.
531101 Web Filter inspection proxy mode unable to resolve hostname because website is unrated.
541539 URL filter wildcard expression not matched correctly on proxy mode.
544598 Invalid hostname return on GUI when static URL is defined.

WiFi Controller

Bug ID Description
516067 CAPWAP traffic from non-VLAN SSID is blocked when dtls-policy=ipsec-vpn and NP6 offload are enabled.
530328 CAPWAP traffic dropped when offloaded if packets are fragmented.
537848 FortiGate IPsec VPN phase1-interface and phase2-interface configurations are not saved into configuration file.
537968 Region -N DFS support required for FAP-U422EV.

Common Vulnerabilities and Exposures

Bug ID CVE references
452730 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2017-14186
496642 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2018-13371
528040 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2018-13384
529353 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2018-13380
529377 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2018-13379
529712 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2018-13381
529719 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2018-13383
529745 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2018-13382
534592 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2019-5587
539553 FortiOS 6.0.5 is no longer vulnerable to the following CVE Reference: CVE-2019-5586

Known issues:

Application Control

Bug ID Description
435951 Traffic keeps going through the DENY NGFW policy configured with URL category.
488369 DSCP/ToS is not implemented in shaping-policy yet.

Firewall

Bug ID Description
546145 If the firewall policy includes a nonexistent ISDB ID on updated ISDB version, the firewall policy is not read and reflected.
554806 Deleted policy entry on interface pair view doesn’t disappear until refresh page.

FortiView

Bug ID Description
403229 In FortiView, display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for downstream traffic.
411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.
525702 FortiView does not support auto update in real-time view and shows unscanned application.
526956 FortiView widgets get deleted on upgrading to B222.
527540 In many FortiView pages, the Quarantine Host option is not clickable on a registered device.
528483 FortiView > Destination page filter destination owner cannot filter out correct destination in real time view.
528767 In FortiView > multiple charts, Previous Time Periods in custom period is missing.
554791 Policy direct hyperlink from historical FortiView sessions does not highlight policy.

GUI

Bug ID Description
442231 Link cannot show different colors based on link usage legend in logical topology real time view.
451776 Admin GUI has limit of 10 characters for OTP.
508015 Edit Policy from GUI changes fsso setting to disabled.
516415 Edit Disclaimer Message button is missing on Proxy Policy page.
548775 Cannot continue to configure the same column for different ports in FortiSwitch Ports page unless you refresh the page.

HA

Bug ID Description
479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit works).
539155 HA master does not send SNMP trap when plugging cable into interface that is set as ha-mgmt-interfaces.
532015 High CPU on Core1 due to session sync process.

Intrusion Prevention

Bug ID Description
445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.

IPsec VPN

Bug ID Description
469798 The interface shaping with egress shaping profile doesn’t work for offloaded traffic.
481201 The OCVPN feature is delayed about one day after registering on FortiCare.

Log & Report

Bug ID Description
412649 In NGFW Policy mode, FortiGate does not create web filter logs.

SSL VPN

Bug ID Description
405239 URL rewritten incorrectly for a specific page in application server.
554821 SSL VPN web mode to FortiGate 6.2 and 6.0.4 has display problem.

Switch Controller

Bug ID Description
357360 DHCP snooping may not work on IPv6.

System

Bug ID Description
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not always save script changes.
474132 FG-51E hang under stress test since build 0050.

Upgrade

Bug ID Description
470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and web filter.
473075 When upgrading, multicast policies are lost when there is a zone member as interface.
481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as interface.
494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1.

Workaround: Use CLI to rename the user bookmark to the new name.

FortiOS 6.0.5 – Release notes

Regards,

The B&B team
Bezpieczeństwo w biznesie
