The FortiOS 6.2.15 update brings new capabilities, among them an option to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL and TLS services. The newer release significantly improves interoperability with other Fortinet products, including FortiAnalyzer, FortiClient EMS, FortiClient, FortiAP and FortiSwitch. Read more about the latest release in the article below.
What's new in FortiOS 6.2.15:
1. Flash space optimization: FortiOS 6.2.15 introduces flash space optimization on FortiGate 30 and 50 series models. With it, the installed GeoIP V2 database takes less space on the flash card, and a smaller Internet Service Database (ISDB) is available specifically for these models. Additionally, moving the IPS database to the /data2 partition reduces the load on the /data partition.
2. FortiClient update: Version 6.2.15 introduces FortiClient-related changes. The FortiClient Endpoint Telemetry license is now deprecated, and the FortiClient compliance profile and the option to enforce compliance checks have been removed. Instead, FortiClient 6.2.0 endpoints register only with FortiClient EMS 6.2.0, and compliance is achieved through compliance verification rules configured in FortiClient EMS.
3. Security Fabric updates: FortiOS 6.2.15 brings a significant improvement in interoperability with other Fortinet products, including FortiAnalyzer, FortiClient EMS, FortiClient, FortiAP and FortiSwitch. When upgrading the Security Fabric, it is recommended to upgrade management devices such as FortiAnalyzer and FortiManager before upgrading the other devices.
4. SSL protocol version control: To improve security, FortiOS 6.2.15 introduces the ssl-min-proto-version option, which controls the minimum SSL protocol version used in communication between FortiGate and SSL and TLS services. The default value is TLS v1.2, but the setting can be adjusted per service, for example for the email server, certificate, FortiSandbox, etc.
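The CLI shape of this setting, as an added example that is not from the post or from Fortinet's documentation: a global floor under `config system global`, then the per-service overrides the post mentions. The service table names and the value spellings (`TLSv1-2`, `default`) are assumptions drawn from FortiOS 6.2 CLI conventions and should be checked against the 6.2.15 CLI reference; lines starting with `#` are explanatory, not CLI input.

```text
# Global floor for SSL/TLS connections that the FortiGate initiates
# (value spelling TLSv1-2 is an assumption; the post states TLS 1.2 is the default).
config system global
    set ssl-min-proto-version TLSv1-2
end

# Per-service overrides. "default" is assumed to mean "inherit the global floor",
# so leaving it here keeps the service at TLS 1.2 or whatever the global value is.
config system email-server
    set ssl-min-proto-version default
end

config vpn certificate setting
    set ssl-min-proto-version default
end

# A service that is raised above the global floor: harmless, and preferable
# for a sandbox link that carries file samples.
config system fortisandbox
    set ssl-min-proto-version TLSv1-2
end

# Weak exception to avoid: lowering a single service below the floor to keep a
# legacy mail relay working. If such an exception is ever required, record the
# service, the reason and a removal date, because every one of them re-opens
# TLS 1.0/1.1 downgrade exposure on that path.
#
# config system email-server
#     set ssl-min-proto-version TLSv1-1
# end

# Verification after the change: list every effective minimum, including the
# per-service ones, so a silent downgrade cannot hide behind the global value.
# show full-configuration | grep ssl-min-proto-version
```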
FortiOS 6.2.15 supports the following models.
Product | Models |
---|---|
FortiGate | FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-30E-MG, FG-40F, FG-40F-3G4G, FG-50E, FG-51E, FG-52E, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-92D, FG-100D, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-400E-BP, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM, FWF-40F, FWF-40F-3G4G, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE |
FortiGate Rugged | FGR-30D, FGR-35D, FGR-60F, FGR-60F-3G4G, FGR-90D |
FortiFirewall | FFW-3980E |
FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN |
Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Models supported on special branches
The following models are released on a special branch of FortiOS 6.2.15. To confirm that you are running the correct build, run the CLI command `get system status` and check that the Branch point field shows 1378.
Model | Build |
---|---|
FG-80D | is released on build 5253. |
FG-200F | is released on build 7257. |
FG-201F | is released on build 7257. |
Known issues:
DNS Filter
Bug ID | Description |
---|---|
582374 | License shows expiry date of 0000-00-00. |
Explicit Proxy
Bug ID | Description |
---|---|
540091 | Cannot access explicit FTP proxy via VIP. |
Firewall
Bug ID | Description |
---|---|
654356 | In NGFW policy mode, sessions are not re-validated when security policies are changed. Workaround: clear the session after policy change. |
FortiView
Bug ID | Description |
---|---|
635309 | When FortiAnalyzer logging is configured using an FQDN domain, the GUI displays a 500 error message on the FortiView Compromised Hosts page. |
673225 | FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface’s role is WAN. Data is displayed if the source interface’s role is LAN, DMZ, or undefined. |
GUI
Bug ID | Description |
---|---|
354464 | Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made. |
514632 | Inconsistent reference count when using ports in HA session-sync-dev. |
529094 | When creating an antispam block/allowlist entry, Mark as Reject should be grayed out. |
541042 | Log viewer forwarded traffic does not support multiple filters for one field. |
584915 | OK button missing from many pages when viewed in Chrome on an Android device. |
584939 | VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "–". |
602102 | Warning message is not displayed when a user configures an interface with a static IP address that is already in use. |
602397 | Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA. |
621254 | When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error. |
664007 | GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration. |
672599 | After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly. |
682440 | On Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated. |
688994 | The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI. |
695163 | When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range. Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs. |
Intrusion Prevention
Bug ID | Description |
---|---|
565747 | IPS engine 5.00027 has signal 11 crash. |
586544 | IPS intelligent mode not working when reflect sessions are created on different physical interfaces. |
587668 | IPS engine 5.00035 has signal 11 crash. |
590087 | When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit. |
Log & Report
Bug ID | Description |
---|---|
606533 | User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI. |
REST API
Bug ID | Description |
---|---|
584631 | REST API administrator with token unable to configure HA setting (via login session works). |
713445 | For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later. Workaround: set CORS to an explicit domain. |
714075 | When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests. |
Routing
Bug ID | Description |
---|---|
537354 | BFD/BGP dropping when outbandwidth is set on interface. |
Security Fabric
Bug ID | Description |
---|---|
614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
SSL VPN
Bug ID | Description |
---|---|
505986 | On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication. |
Switch Controller
Bug ID | Description |
---|---|
588584 | GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM. |
605864 | If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting. |
System
Bug ID | Description |
---|---|
464340 | EHP drops for units with no NP service module. |
578031 | FortiManager Cloud cannot be removed once the FortiGate has trouble with contract. |
595244 | There is duplicate information when checking interface references in global. |
600032 | SNMP does not provide routing table for non-management VDOM. |
607565 | Interface emac-vlan feature does not work on SoC4 platform. |
669645 | VXLAN VNI interface cannot be used with a hardware switch. |
694202 | stpforward does not work with LAG interfaces on a transparent VDOM. |
Upgrade
Bug ID | Description |
---|---|
658664 | FortiExtender status becomes discovered after upgrading from 6.0.10 (build 0365). Workaround: change the configuration with `config extender-controller extender`, `edit <id>`, `set admin enable`, `next`, `end`. |
User & Device
Bug ID | Description |
---|---|
595583 | Device identification via LLDP on an aggregate interface does not work. |
VM
Bug ID | Description |
---|---|
587757 | FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type. |
596742 | Azure SDN connector replicates configuration from primary device to secondary device during configuration restore. |
605511 | FG-VM-GCP reboots a couple of times due to kernel panic. |
608881 | IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup. |
640436 | FortiGate AWS bootstrapped from configuration does not read SAML settings. |
668625 | During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available. |
685782 | HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings. |
Vendor release notes: FortiOS 6.2.15
Best regards,
The B&B Team
Security in Business