Fortinet publikuje aktualizację systemu operacyjnego dedykowanego dla FortiGate oznaczonego numerem wersji 6.0. Nowa wersja – 6.0.9 oprogramowania FortiOS zawiera wiele poprawek, które eliminują błędy związane z SSL VPN i portalem WEB, oraz zbyt wysokim zużyciem zasobów przez procesy WAD oraz inne odpowiedzialne za autoryzację użytkowników. Rozwiązano również kilka problemów związanych z autoryzacją poprzez serwer RADIUS. Więcej informacji w artykule poniżej!

Rozwiązane problemy:

Data Leak Prevention

Bug ID	Description
591178	WAD fails to determine the correct file name when downloading a file from Nextcloud.

DNS Filter

Bug ID	Description
561297	DNS filtering does not perform well on the zone transfer when a large DNS zone’s AXFR response consists of one or more messages.
563441	7K DNS filter breaking DNS zone transfer.

Explicit Proxy

Bug ID	Description
578098	Unwanted traffic log generated for firewall policy with web filter profile as MonitorAll.
594598	Enabling proxy policies (+400) increases memory by 30% and up to 80% total.

Firewall

Bug ID	Description
535303	Address page takes more than 15 seconds to load with certain configurations.

FortiView

Bug ID	Description
542154	Custom admin is unable to load FortiView when VDOMs or FortiCloud logging are enabled.
556178	FortiView > Sources historical view sometimes cannot retrieve data from FortiCloud.

GUI

Bug ID	Description
486230	GUI on FG-3800D with 5.6.3 is very slow for configurations with numerous policies.
493704	While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs.
543260	When modifying the g-default web filter, access denied error message appears.
545443	GUI is slow in FG-300D, FG-500D, FG-600D, FG-1000D, and FG-1200D with a high number of firewall policies.
546580	Should not be able to unset user or user group on an SSL VPN policy when inline editing the source column in the policy list.
556397	IP pools in SSL VPN settings are overwritten when SSL VPN settings are modified in the GUI.
559866	When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via the management tunnel.
575592	IP pool and tunnel mode settings in config vpn ssl web portal are overwritten when SSL VPN settings are modified in the GUI.
593624	GUI behavior is different with local user using super admin profile and TACACS user using super admin profile.

HA

Bug ID	Description
523582	ha-mgmt gateway IP gets synced from the master to slave after restoring configurations.
530215	application hasync returns „*** signal 11 (Segmentation fault) received ***”.
557277	FGSP configured with standalone-config-sync will sync the FortiAnalyzer source IP configuration to the slave.
560107	Cluster upgrade from 5.6.7 build 1653 to SB 5.6.8 build 3667 takes longer than normal.
576638	HA cluster GUI change does not send logs to the slave immediately.
585348	default-gateway injected by dynamic-gateway on PPP interface deleted by other interface down.

Intrusion Prevention

Bug ID	Description
567923	Receiving IPS engine application crash messages.
601944	IPS engine 4.045 (FG-2000E with FOS 6.0.6) signal 14 crash occurred.

IPsec VPN

Bug ID	Description
550333	In an ADVPN spoke with one interface connecting to two hubs, the shortcut created on receiver side matches to the wrong phase 1.
575477	IKED memory leak.
589096	In IPsec after HA failover, performance regression and IKESAs are lost.

Log & Report

Bug ID	Description
493886	reportd is sometimes stuck at 99% CPU usage.
527991	Add CLI setting to configure timeout value when connecting to FortiGate Cloud. Enable async_log retrieval from FortiGate Cloud.
565505	miglogd high CPU utilization.
586038	FortiOS 6.0.6 reports too long VPN tunnel durations in local report.
596278	sentdelta and rcvddelta showing 0 if syslog format is set to CSV.
599860	When logtraffic is set to all, existing sessions cannot change the egress interfaces when the routing table is updated with a new outgoing interface.

Proxy

Bug ID	Description
525328	External resource does not support no content length.
566859	In WAD conserve mode 5.6.8, max_blocks value is high on some workers.
573028	WAD crash causing traffic interruption.
579400	High CPU with authd process caused by WAD paring multiple line content-encoding error and IPC broken between wad and authd.

REST API

Bug ID	Description
587470	REST API to support revision flag.

Routing

Bug ID	Description
581488	BGP Confederation router sending incorrect AS to neighbor group routers.
584394	VRRP on LAG cannot forward packet after vrrp-virtual-mac is enabled.
587198	After failover/recovery of link, E2 route with non-zero forward address recurses to itself as a next hope.
592599	FortiGate sends malformed OSPFv3 LSAReq/LSAck packets on interfaces with MTU = 9k.
595937	PPPoE interface bandwidth is mistakenly calculated as 0 in SD-WAN.
598665	BGP route is in routing table but not in FIB (kernel routing table).

Security Fabric

Bug ID	Description
583107	The Access Layer Quarantine action is not propagated to the downstream device in Security Fabric > Automation.
587758	Invalid CIDR format shows as valid by the Security Fabric threat feed.
588262	IP address Threat Feed Fabric connector not working.

SSL VPN

Bug ID	Description
546280	Internal website (confluence.1wa.local) not loading all elements with SSL VPN web mode (it works fine internally).
559785	FortiMail login page with SSL VPN portal not displaying correctly.
561585	SSL VPN does not show correctly in the Windows Admin Center application.
571005	NextCloud through SSL VPN behaving strangely.
580182	The EOASIS website is not displayed properly using SSL VPN web mode.
586032	Unable to download report from an internal server via SSL VPN web mode connection.
588066	SSO for HTTPS fails when using „\” (backslash) with the domain\username format.
599668	In SSL VPN web mode, page keeps loading after user authenticates into internal application.
599671	In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.

Switch Controller

Bug ID	Description
592111	FortiSwitch shows offline CAPWAP response packet getting dropped/failed after upgrading from 6.2.2.

System

Bug ID	Description
527599	Internal prioritization of OSPF/BGP/BFD packets in conjunction with HPE feature to ensure these routing packets are handled in time. It affected all NP6 platforms.
527942	diagnose firewall proute list should not print vwl_mbr_seq if it is not generated by the VWL service rule.
545449	IPinIP traffic over another IPinIP is dropped in NP6-Lite when offloading is enabled.
547712	HPE does not protect against DDoS attacks like flood on IKE and BGP destination ports.
548443	DHCP-enabled interfaces occasionally fail to perform discovery.
561234	FG-800D shows wrong HA, ALARM LED status.
573090	Making a change to a policy using inline editing is very slow with large table sizes.
576337	SNMP polling stopped when FortiManager API script executed onto FortiGate.
578531	The FortiCloud deamon resolves mgrctrl1.fortinet.com to the wrong IP address.
580883	DNS servers acquired via PPPoE in non-management VDOMs are used for DHCP DNS server option 6.
582498	Traffic can be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress interface in a policy with IPS.
582520	Enabling offloading drops fragmented packets.
586034	Enabling ECN dramatically decreases TCP throughput on FG-3400E.
586301	GUI cannot show default Fortinet logo for replacement messages.
588202	FortiGate returns an invalid configuration when FortiManager retrieves the configuration.
589079	QSFP interface goes down when the get system interface transceiver command is interrupted.
589234	Local system DNS setting instead of DNS setting acquired from upstream DHCP server was assigned to client under management VDOM.
592699	Console outputs master change information after entering forticontroller mode and config-error-log.
594577	Out of order packets for an offloaded multicast stream.
598357	Low throughput on subinterfaces VLAN because IP packets are marked with ECN = CE flag.
603194	NP multicast session remains after the kernel session is deleted.

User & Device

Bug ID	Description
547657	Guest portal RADIUS authentication failure due to FortiAuthenticator trying to resolve third-party websites as access points.
549662	RADIUS MSCHAP-v2 authentication fails against Windows NPS with non-ASCII characters in user password.
587519	fnbamd has high CPU usage and user is unable to authenticate.
592241	Gmail POP3 authentication fails with certificate error since version 6.0.5.

VM

Bug ID	Description
577653	vMotion tasks cause connections to be dropped as sessions related to vMotion VMs do not appear on the destination VMX.
591563	Azure autoscale not syncing after upgrading to 6.2.2.
592611	HA not fully failing over when using OCI.

VoIP

Bug ID	Description
580588	SDP information fields are not being natted in multipart media encapsulation traffic.
582271	Add support for Cisco IP Phone keepalive packet.

WiFi Controller

Bug ID	Description
580169	Captive portal (disclaimer) redirect not working on Android phones.

Znane problemy do rozwiązania:

Antivirus

Bug ID	Description
581460	FG-30E AV TP mode cannot log and block oversize files.
590092	Cannot clear scanunit vdom-stats to reset the statistics on ATP widget.

Firewall

Bug ID	Description
508015	Editing a policy in the GUI changes the FSSO setting to disable.

FortiView

Bug ID	Description
527540	Cannot click the Quarantine Host option on a registered device.

Intrusion Prevention

Bug ID	Description
579018	IPS engine 5.030 signal 14 alarm clock crash at nturbo_on_event.

Log & Report

Bug ID	Description
592766	Log device defaults to empty and cannot be switched on in the GUI after enabling FortiAnalyzer Cloud.

Proxy

Bug ID	Description
584719	WAD reads ftp over-limit multi-line response incorrectly.

SSL VPN

Bug ID	Description
582265	RDP sessions terminate (disconnect) unexpectedly.

User & Device

Bug ID	Description
567831	Local FSSO poller is regularly missing logon events.

FortiOS 6.0.9 – Notatki do wydania

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

FortiGate FortiOS fortios 6.0.9