FortiOS 6.2.1 - B&B Bezpieczeństwo w biznesie

Fortinet publikuje aktualizację systemu operacyjnego dedykowanego dla FortiGate oznaczonego numerem wersji 6.2.1. Producent zaleca jak najszybszą aktualizację oprogramowania ze względu na podatność wykrytą w firmware 6.2.0 którą sam określił jako krytyczną! Mowa tutaj o nieprawidłowym sprawdzaniu certyfikatów pod kątem ich ważności. Jeśli korzystałeś z poprzedniej wersji systemu FortiOS 6.2.0 to zapewne wiesz, że występował tam problem z procesem WAD oraz DNSproxy w których był problem z wyciekami pamięci przez co urządzenie przechodziło w tryb Conserve Mode. W wersji 6.2.1 problemy te zostały wyeliminowane.

UWAGA!

Producent zaleca jak najszybszą aktualizację oprogramowania ze względu na podatność wykrytą w firmware 6.2.0 którą sam określił jako krytyczną! Mowa tutaj o nieprawidłowym sprawdzaniu certyfikatów pod kątem ich ważności. Zaleca się jak najszybszą aktualizację FortiOS z wersji 6.2.0 do 6.2.1!

Co więcej w 6.2.1?

Usprawniono wiele procesów których błędy, wycieki pamięci bądź nagłe crashe powodowały problemy naszego urządzenia i uniemożliwiały prawidłowe funkcjonowanie. Poza tymi błędami Fortinet zadbał o poprawienie komunikacji pomiędzy FortiAnalyzerem, gdyż w wersji 6.2.0 występowały błędy powodujące usunięcie logów przesyłanych do FortiAnalyzera. Wprowadzono również łatki do SSL VPN, które naprawiają błędy polegające na niespodziewanym crashu procesu, problemy komunikacji z serwerem RADIUS, czy nieprawidłowym ładowaniu zakładek webowych dostępnych w portalu web. Dużo więcej informacji o naprawionych błędach przeczytacie poniżej.

Fortinet zadbał także o poprawę błędów związanych między innymi z SSL VPN, oraz IPsec. Zakładka Custom Devices w nowej wersji 6.2.1 funkcjonuje już prawidłowo, opóźnienia w ładowaniu strony oraz niemożność utworzenia własnych grup urządzeń zostały naprawione! Oprócz tego producent wprowadził zmiany dotyczące komend używanych w CLI, o których więcej przeczytacie w notatkach producenta.

Rozwiązane problemy:

AntiVirus

Bug ID	Description
528743	Copy/paste of IPv4 policy does not work once AV profile is applied.
557259	FortiGates using AV-Profile proxy mode with `servercomfort` options enabled sending same request twice to the server.

Data Leak Prevention

Bug ID	Description
540903	Missed filename in the office365_Attachment. Download DLP log while it is blocked\Allowed.
547437	WAD crash due to scheduler error occurs when oversized file is bypassing the DLP sensor.
548396	DLP archiving intermittently blocks a file when it should be log only.

DNS Filter

Bug ID	Description
505474	DNS events are not included in the security event list.
525068	No need to resolve safe search FQDN if not used.

Endpoint Control

Bug ID	Description
521645	Traffic blocked after enabling Compliance on SSL VPN interface.
554765	Revert IPv6 `src-spoof` for GTP.

Explicit Proxy

Bug ID	Description
545724	FortiGate cannot upload file to FortiSandbox when AV profile added in only Proxy-policy.
548415	User cannot pass authentication after timeout if using IP-based authentication.

Firewall

Bug ID	Description
474239	Some DCE-RPC mapped connections are intermittently blocked by policy 0.
521913	Session timers don’t update for VLAN traffic over VWP.
524599	Sessions TTL expire timer is not reset when traffic goes through if traffic is offloaded in a TP VDOM.
537349	VIP with central NAT does not hide real IP.
539530	Firewall-session-dirty check-new is blocking traffic and causing session spike.
543469	Cannot create VIP6 range over 31 bits.
546953	DNS Filter column and Profile Group column is missing on policy list.
551747	Not able to configure VIP from GUI with port forwarding for the same TCP and UDP port.
555992	Changes to per-IP shaper settings not reflected in offloaded sessions.
560617	FortiGate logging is not stable: failed-log and log-in-queue.

FortiView

Bug ID	Description
538873	Traffic shaper info missing under Shaper column in FortiView.
539981	Unable to see Source DNS Name in FortiView.

GUI

Bug ID	Description
504770	Introduce an enable/disable button in the GUI to toggle central SNAT table.
532309	Custom device page keep loading and cannot create device group.
537550	HTTPSD uses high CPU when accessing GUI network interfaces.
545074	Unable to login into FortiGate GUI with Yubikey. CLI works as expected.
546254	Forward traffic log cannot be shown on Windows Edge browser.
547393	GUI still shows `fortianalyzer-cloud` connection status error even after FortiGate connects to `fortianalyzer-cloud`.
547458	Cannot access VOIP profile list and only the default profile editor is shown.
547808	Security rating event logs cannot be shown in `split-vdom` FortiGate GUI.
548091	Cannot configure network interface IP addresses from GUI for FG-5001D and FG-5001E.
552329	NP6 sessions dropped after any change in GUI.

HA

Bug ID	Description
501200	Requirement for disabling IPsec SA and IKE SA in FGSP cluster-sync solution.
519266	FGT-HA does not fail over when pingserver is down the second time.
538512	`ha-direct` option for OCSP.
543724	After restoring configuration, FortiGate added unexpected parameters that are not set.
545371	Being Dual Master in specific situation if two `pingsvr` is set.
546714	GARP is output even though GARP setting is disabled.
547367	Cannot synchronize slave from scratch in v6.0.4 with 500 VDOMs, duplicate global profiles.
547700	HA out of sync after upgraded in multi-VDOM environment.
548695	FortiGate master not sending all system events.
549969	After upgrade to special build 5.6.7 b3638, cluster is out of sync when a new guest user is created.
549991	`fgLinkMonitorState` is not accurate.
553231	Moving VDOM between virtual clusters causes cluster to go out of sync.
556057	FGSP cluster members showing out of sync with four members.

ICAP

Bug ID	Description
541423	After any configuration change is applied to FortiGate device, the Symantec ICAP server rejects connections due to too many connections.
551488	FortiGate not sending blocked content page received from the ICAP server to the client.

Intrusion Prevention

Bug ID	Description
528860	IPS archive PCAP periodically cannot capture.
546399	FortiOS runs to conserve mode because IPS engine is taking a lot of memory (memory leak in heap).
548649	IPS custom signature is not detected after FortiGate is rebooted or upgraded.
548908	SSL mirroring does not work on VLAN interface with NTURBO enabled.
552168	IPS archive PCAP usage cannot clear by deleting IPS log and actual PCAP files.
553262	TCP connections through IPsec (bound to loopback) do not work when IPS offload is enabled to NTurbo.
556538	Enabling IPS on IPv4 policy impacting HTTPS traffic over the site to site VPN using PPOE for internal servers.

IPsec VPN

Bug ID	Description
474870	Source MAC address is not updated for offloaded IPsec sessions.
481201	The OCVPN feature is delayed about one day after registering on FortiCare.
518681	`npu-offload` enabled and failover occurred on the checkpoint firewall (upstream firewall) the tunnel is up but traffic is not passing.
534444	Unable to delete IPsec VPN tunnel phase-1 interface config even though we do not have any reference.
542169	Dialup IPsec „net-device” should continue to default to „disable” in 6.2.
545871	IPsec tunnel can’t establish if OCVPN members with different Fortinet_CA and Fortinet_factory cert.
546212	Multiple ADVPN shortcuts should be allowed between two spokes.
546459	IKE route overlap should be allowed across two distinct dialup phase1 with 'net-device disable’.
547062	After VDOM config restore, routes are active for IPsec tunnels that are not active.
547293	OSPF point-to-multipoint re-convergence with dailup IPsec.
548032	IKEv2 tunnel does not establish to Google VPN Gateway because of Identification Payload mismatch.

Log & Report

Bug ID	Description
545322	Send interface information to FortiAnalyzer using `miglogd`.
551031	FortiGate lost logs to FortiAnalyzer when route is changed and without physical interface down.

Proxy

Bug ID	Description
513470	WAD crashes on `wad_http_client_notify_scan_result.isra.XXX`.
522827	Add GUI support for `unsupported-ssl` option in SSL inspection profile.
542189	AV profile in proxy mode, with inspect-all enabled, causes timeout when accessing some sites.
544517	WAD process crashing and affecting HTTP/HTTPS traffic.
546360	When applying proxy address in transparent proxy policy, FortiGate blocks traffic and reports `SSL_ERROR_SYSCALL`.
548233	SMTP, POP3, IMAP `starttls` cannot be exempted by FortiGate when first time traffic goes through FortiGate.
549295	WAD crash causes high CPU usage.
549660	WAD crashes with signal 11.
549787	Unable to fetch the Root and Intermediate Certificate.
550895	FG-1500D goes into kernel conserve mode. WAD process consuming high memory.

REST API

Bug ID	Description
541246	Segmentation Fault when generating VPN certificate via REST API.

Routing

Bug ID	Description
503686	Application PDMD crashes.
528145	BGP Configuration gets applied to the wrong VDOM if user switches VDOM selection in between operations (slow GUI).
529512	SSL VPN user gets disconnected when load-balance-mode is measured-volume-based in SD-WAN.
535055	When adding more than seven VPN tunnels to SD-WAN, PPOE default routes disappear.
537054	IPsec interface Internet service router can’t work normally.
540682	SD-WAN sends traffic to interfaces with volume-ratio set to 0.
546198	SD-WAN performance SLA via GRE-Tunnel fails to set options or connect ping6 socket for monitor.
549958	Kernel panic due to deletion of ECMp session.
550342	Since upgrade to 6.2, getting RADVD IPv6 router advertisement logs, although IPv6 is not configured on receiving interface.
551492	BGP neighbors are lost on configuration change (large configuration file).
552350	BFD peers down, not seen (over BGP up).
554077	OSPF MD5 authentication issues after upgrade to 6.2.0.
558689	Traffic dropped by anti-replay in ECMP with IPS.
558690	Session timer left at half-open value once established in an ECMP with IPS context.
559146	When a route is evaluated with multiple match conditions including route tag in a route map, route tag is evaluated.
559149	Wrong protocol and sport shown for SD-WAN and regular policy routes.
561097	SD-WAN rule corrupted upon reboot after ISDB update.

Security Fabric

Bug ID	Description
525572	Security Fabric topology page always shows FortiGate HA slave has incompatible firmware version.
547509	Fail to configure Security Fabric if only enable FortiAnalyzer cloud logging not FortiAnalyzer logging in GUI.
547659	Access denied error when reviewing security recommendations from physical topology in VDOM mode.
557821	IP threat feed won’t work.

SSL VPN

Bug ID	Description
489110	SSL VPN web-mode fails to access Angular 5 application.
509333	SSL VPN to Nextcloud doesn’t open.
513572	FortiGate not sending Framed-IP-Address attribute to for SSL VPN tunnel in RADIUS accounting packet.
515158	SSL VPN web portal login FGT6.0.3 B0191 admin gets blank page.
522571	LAG interface not available for SSL VPN listening interface.
527476	Update from web mode fails for SharePoint page using MS NLB.
539207	Unable to get to http://spiceworks.int.efwnow.com:9750/tickets/v2#open_tickets via SSL VPN bookmark.
539719	Signal 11 (segmentation fault) on application `sslvpnd`.
540059	Graylog web application is not working through SSL VPN HTTPS.
540328	SSL VPN web mode accessing internal server getting `ERR_EMPTY_RESPONSE` in browsers.
542480	Internal server script stuck at loading when page accessed over SSL VPN web portal.
542706	With groups and its users in different SSL VPN policies and accessing resources via web, only user based policies are processed.
543091	RDP through SSL VPN web mode will disconnects if copying long text.
545440	The command user-bookmark should not be a prerequisite command for allow-user-access as it also affects Quick Connections.
545810	Subpages on internal websites are not working via SSL VPN web mode.
546161	TX packet drops on ssl.root interface.
546187	SSL VPN login auth times out if primary RADIUS server becomes unavailable.
546280	Internal web site (confluence.1wa.local) not loading all elements with SSL VPN web mode (internally it works fine).
546748	Cannot log in to internal server through SSL VPN web mode.
547069	Customer application is displayed wrong through SSL VPN bookmark.
548321	SSL VPN doesn not open QNAP shared folder link.
549588	No Error: Permission denied prompt when using the wrong username/password login SSL VPN web with special replacement login page.
549654	Citrix bookmarks should be disabled in SSL VPN portal.
549924	Local resource web interface not loading through SSL VPN web mode.
551535	http 302 redirection is not parsed by SSL VPN proxy (web mode / bookmark).
551923	SSL VPN crashing constantly.
552018	Web mode gets JavaScript errors when accessing internal web site.
553540	Empty RADIUS accounting info supplied for SSL VPN users via `account-interim-interval`.
554378	SSL VPN bookmark sending back to portal home after correct login inside backend application.
554740	Fails to load web pages in SSL VPN web portal.
555983	Internal web portal replies with HTTP 404 Not Found when accessed via SSL VPN web portal bookmark.
556326	SSL VPN web mode JavaScript error accessing internal resources.
559790	SSL VPN web-mode not performing proxy properly on internal websites.
559932	Customer unable to load website through web-mode SSL VPN.

Switch Controller

Bug ID	Description
548145	Configuring FortiLink from GUI does not work on platforms that do not support hardware switch.
549770	FortiSwitch `export-to` commands do not sync, causing HA sync problem.
555366	VLAN tagging issue to trunk having space in names.

System

Bug ID	Description
493128	`bcm.user` always takes nearly 70% CPU after running Nturbo over IPsec script.
527868	SLBC FortiOS should prevent change of default management VDOM.
529932	Primary DNS server is not queried even after 30 seconds.
533214	After executing shutdown, FGT90E keeps responding to ICMP requests.
534757	Device 80D reboots every 2-3 days with a kernel panic error.
537571	IPS/AV not forwarding return traffic back to clients.
537989	Kernel static route randomly lost.
540634	Status of a port member of a redundant interface changes if an alias is set.
540905	SNMP trap: FortiGate does not generate `fgTrapAvOversizeBlock` and `fgTrapAvOversizePass`.
541527	Changing the order of VDOM in system admin when connected with TACACS+ wildcard admin is not propagated to other blades.
542441	SNMP monitoring of the implicit deny policy not possible.
542482	NTurbo is causing `TX_XPX_QFULL`.
544828	FortiGate 301E consumes high memory even when there’s no traffic.
545717	USB Modem Huawei E173u-2 not working on FortiGate 60E device.
546169	DHCPD is using more memory on the slave unit than the active unit.
546746	Cannot lease DHCP address over IPsec for dialup-forticlient users.
547625	Physical interface, part of aggregate interface, disabled with CLI not going down after reboot.
547720	FortiGate does not support DH 1024 bits as SSH server.
547869	LACP member ports exhibit odd behavior regarding admin up and down.
548076	FortiGateCloud cannot restore configuration on FortiGate.
548315	Execute ping does not provide accurate time values.
548443	DHCP enabled interface occasionally fails to perform discovery.
548553	VDOM restore has config loss when interfaces have subnet overlap.
549922	Cannot add description to security zones.
550797	Misleading CLI help left over.
551374	DNSProxy causes the device to go to conserve mode.
551696	Status of a port member of a aggregated interface changes if a member’s alias/description is set.
552908	Restoring VDOM configuration removes interfaces from zones.
552935	FortiGate admin access does not offer SSH-RSA when EC Certificate is used for GUI `admin-server-cert`.
554099	Can’t poll SNMP v3 statistics for BGP when `ha-direct` is enabled under SNMP user.
555994	Kernel/system memory leak.

Upgrade

Bug ID	Description
546874	Increase firewall.address tablesize for 80-90 series.
548256	Upgrading to v6.2 from v6.0.x causes CIFS/SMB configurations in AV profile to be lost.
548813	Upgrading or downgrading the firmware image using FortiGuard as the source, and as initiated from the System > Firmwarepage, fails during download of the firmware image. The page still can be used to view the upgrade path, but as a workaround, you will need to manually download the firmware image from Fortinet’s Support site, and then initiate an upgrade or downgrade from the same page under the Upload Firmware section.

User & Device

Bug ID	Description
504375	Guest User Print Template doesn’t insert the images.
518129	FSSO failover is not graceful.
533838	WAD re-signs valid web sites with Untrusted CA certificate.
534678	`auth-https-port` (1003) for captive portal authentication cannot disable TLS1.1 support.
535488	IP addresses of discovered devices in the device inventory menu are not showing after FortiGate reboots.
538000	FSSO(polling) user names with special character are not showing up in FortiGate.
538218	Mobile Token authentication fails in vCluster on physical slave.
538666	FortiToken assignment on vCluster VDOM master on physical slave causes configuration mismatch and physical master overwrites.
539185	Modifying Login Challenge Page to include RADIUS attributes.
543503	RSSO user automatically gets added to a wrong user group.
546600	Cannot set certificate under `config certificate local`.
548460	`set device-identification disable` is reverted to default after VDOM restore.
549662	RADIUS MSCHAPv2 authentication fails on Windows NPS with non-ASCII characters in password.
550512	RSSO – wireless roaming causing undesirable removal of RSSO sessions.
554642	LDAP – search-type recursive does not retrieve nested membership through user’s primary group.
554646	FSSO fabric connector needs to be renamed and needs to show connection status again.

VM

Bug ID	Description
537788	TCP re-transmission due to VMXNET3 RX ring buffer exhaustion.
540641	FortiGate-VM deployed in OpenStack without bootstrapping doesn’t have empty password.
542794	`Session size overflow` on VMX causing timeout and error on NSX vMotion task.
545533	FGT VMX: Default MTU of 65521 results in packet drops.
548366	Azure SDN fabric connector is showing status down.
548453	Ondemand platforms show error with FortiCare/FortinetOne login.
548531	FGT-AWS HA failover and SDN using IAM role do not work due to AWS IAM role token length being +increased.
550977	AliCloud: Native FortiGate HA A-P failover does not complete in Shanghai and Hangzhou.
559051	Azure `waagent` process consumes high memory.

VoIP

Bug ID	Description
544877	H323/H245 helper abnormal in `openLogicalChannel`.

Web Filter

Bug ID	Description
435951	Traffic keeps going through the `DENY` NGFW policy configured with URL category.
544342	When `encryption` is set to yes, `file-type` incorrectly shows all file types when only `zip` files are supported.
547772	Web filter FGD category is not detected by sniffer policy for HTTPS traffic.

WiFi Controller

Bug ID	Description
491390	FWF-60E crashes intermittently with no console access at the time.
509442	Suggest to input at least 12 characters when configuring pre-shared key for WPA/WPA2-Personal SSID.
516454	FortiGate doesn’t send IPv6 router-advertisement towards one AP if the same SSID is being broadcast on two different APs.
526035	Standby FortiGate reporting rogue AP on wire.
537968	Region -N DFS support required for FAP-U422EV.
539916	TCP SYN+ACK is not forwarded under specific conditions.
548101	CAPWAP tunnel does not get established on secondary IP address unless we enable CAPWAP access on primary IP address.
556451	Use firewall schedule (recurring, onetime, and group) to configure schedules for DARRP, disabling background rogue-AP scan, SSID, and FortiAP LED state.

Common Vulnerabilities and Exposures

Vulnerability
FortiOS 6.2.1 is no longer vulnerable to the issue described in the following link – https://fortiguard.com/psirt/FG-IR-19-144.

Bug ID	CVE references
503568	FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference: CVE-2018-13367
532730	FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference: CVE-2019-6693
539962	FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference: CVE-2019-5591
548154	FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863
555805	FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference: CVE-2019-5593

Znane problemy do rozwiązania: