B&B Bezpieczeństwo w biznesie

Fortinet has published an update to the FortiGate operating system, version 6.2.2. Version 6.2.2 introduces several enhancements, such as 802.11ax support for FortiAP devices and SSL VPN login using a certificate. Version 6.2.2 also implements IPv6 support for specific configurations. In addition, the vendor has fixed bugs reported by administrators in the previous firmware version, 6.2.1. More information in the article!

 

What has been improved in 6.2.2?

  • Support for SSL VPN sign-on using a certificate and remote (LDAP or RADIUS) username/password authentication
  • Monitor API to check the SLBC cluster checksum status. New API added: monitor/system/config-sync/status
  • FortiOS now supports 802.11ax for FortiAP-U431F/U433F devices
  • Support for LACP link aggregation on entry-level FortiGate has been extended to all two-digit entry-level boxes
  • Added IPv6 support for communication between the Collector agent and FortiGate/DC_Agent/Terminal Server Agent

Resolved issues:

New features or enhancements

Bug ID Description
457153 Support for SSL VPN sign on using certificate and remote (LDAP or RADIUS) username/password authentication.
538760 Monitor API to check SLBC cluster checksum status. New API added – monitor/system/config-sync/status.
544704 FortiOS support for 802.11ax FortiAP-U431F/U433F.
550912 Support for link aggregation LACP on entry level FortiGate is extended to all two-digit entry level box for the following models:

FGR-30D, FGR-35D, FG-30E, FG-30E-MI, FG-30E-MN, FG-50E, FG‑51E, FG-52E, FG-60E, FG‑60E-POE, FG-61E, FG‑80D, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-92D, FWF-30E, FWF-30E-MI, FWF-30E-MN, FWF-50E, FWF-50E-2R, FWF-51E, FWF-60E, FWF-61E

554965 IPv6 is supported in communication between the following:

  • Collector agent and FortiGate
  • Collector agent and DC_agent
  • Collector agent and terminal server agent

AntiSpam

Bug ID Description
559802 Spam mail can’t be checked by antispam filter on SMTP protocol.

AntiVirus

Bug ID Description
545381 When proxy-av is configured for firewall policy, FTP file upload is stopped.
553143 Redundant logs and alert emails sent when file is sent to FortiSandbox Cloud via Suspicious Files Only.
561524 Cannot send an email with PDF attachment when FortiSandbox Cloud Inspection is enabled.
562037 CDR does not disarm files when they are sent over HTTP-POST even though AV logs show the file has been disarmed.
575177 Advanced Threat Protection Statistics widget clean file count is incorrect.
580212 Policy in flow mode blocking Adobe creative cloud desktop application.

Application Control

Bug ID Description
558380 AppCtl does not detect application with webproxy-forward-server.

DNS Filter

Bug ID Description
567172 Enforcing Safe Search in 6.0.5 blocks access to Google domains which makes Safe Search not work.
578267 DNS request to a second DNS server with same Transaction ID is discarded when DNS Filter is enabled on a policy.
581778 Cannot re-order DNS domain filter list.

Data Leak Prevention

Bug ID Description
522472 DLP logs have a wrong reference link to archived file.
540317 DLP cannot detect attached zip files when receiving emails via MAPI over HTTP.
570379 DLP only detects the first word of filename.

Explicit Proxy

Bug ID Description
543794 High CPU due to WAD process.
552334 Website does not work with SSL Deep inspection due to OCSP validation process.
557265 Browser redirect loop after re-authentication when using proxy-re-authentication-mode absolute.
561843 AppCtl unscans the traffic to forwarding to upstream proxy.
564582 Explicit proxy policy treats domain.tld in FQDN firewall address object as wildcard.
567029 WAD crashes at crypto_kxp_xform_block_enc when WAD is restarted while visiting a website after an authentication.
571034 Using disclaimer causes incorrect redirection.
572220 Unable to match the expected firewall proxy-policy when dstint is set to Zone where Zone member has PPPoE interface.
577372 WAD has signal 11 crash at wad_ssl_cert_get_auth_status.

Firewall

Bug ID Description
539421 Load Balance monitor stats reset after mode change.
540949 Health status of standby server in server load balance not available in GUI or CLI.
545056 Firewall should not be evaluated when an interface bandwidth widget is added to the dashboard.
552329 NP6 sessions dropped after any change in GUI.
554329 Schedule policy is not activated on time.
558689 Traffic dropped by anti replay in ECMP with IPS.
558690 Session timer left at half-open value once established in an ECMP with IPS context.
563471 HTTP load balancing doesn’t work after rebooting in Transparent mode.
563928 SFTP connection failure when SSH DPI and app-ctrl are enabled.
564990 Captive-portal-exempt is not supported in consolidated policy.
566951 Unexpected reverse path check failure on IPv6.
570468 FortiGate randomly not processing some NAT64 packets.
570507 Application control causing NAT hairpin traffic to be dropped.

Workaround: Create a new firewall policy from scratch and the default application control can be applied again.

571022 SNAT before encryption in policy-based VPN for local traffic after upgrade from 5.6.8 to 6.0.5.
571832 Provide different protocol/port list when the same ISDB object is used as source/destination.
577752 Policy with a VIP with a destination interface of a zone is dropping packets.

FortiView

Bug ID Description
527540 Cannot click the Quarantine Host option on a registered device.
537819 FortiView All Sessions page: tooltip of geography IP show 'undefined'.
553627 FortiView pages cannot load with Failed to retrieve FortiView data.

GUI

Bug ID Description
445074 The MMS profiles pages have been removed from the FortiOS Carrier GUI.

Workaround: You can configure MMS profiles from the CLI using the config firewall mms-profile command.

479692 GUI shows error Image file doesn’t match platform even when the user is uploading correct image.
486230 GUI on FGT3800D with 5.6.3 is very slow – configuration with numerous policies.
493704 While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs.
502740 Remove GUI instructions for Dialup-FortiClient VPN.
504829 GUI should not log out if there is 401 error on downstream device.
513157 Cannot filter on hit count "0" for policy match.
523403 GUI Protocol Port Mapping configuration should be rejected when an invalid port number such as -1 is entered.
526254 Interface page keeps loading when VDOM admin has netgrp permission.
528649 vpngrp read or read-write access profile doesn’t work properly.
540056 Error message enhancement while creating packet capture in GUI with filter set to high port range.
540737 Should show warning and block user to use no-inspection SSL-SSH profile when any UTM profile is used.
543487 Collected Email Monitor page cannot list the wireless client if connected from captive-portal+email-collection.
543637 Not able to filter the policy by multiple ID.
544313 GUI SD-WAN Monitor page keeps loading.
548653 SSO_admin (super_admin) can’t open CLI window from GUI. Error says too many concurrent connection.
552552 Personal Privacy in FortiGuard category based filter mistranslated.
555121 Context menu of AP Group has unsupported actions enabled after change view on Managed FortiAPs page.
559799 Webhook automation host header incorrect.
560430 Some app-category cannot be listed on security policy editing page and get JS error.
561334 GUI SSID main passphrase and MPSK minimum length should be flexible according to new "wfa-compatibility" setting.
563053 Warning messages for third-party transceivers were removed for 6.2.1 to prevent excessive RMA or support tickets. 6.2.2 re-added the warning for third-party transceivers.
563445 Upgrade NGFW VDOM from v6.2.0, security policy should support virtual-wan-link interface.
564201 After OSPF change via GUI, password for virtual-link will completely disappear and must be re-entered.
564601 Remove the license requirement to upload FortiGuard packages through the GUI when in USG mode.
565109 Add Selected button does not appear under Application Control slide-in when VDOM is enabled.
566666 AP comments do not appear on the columns for Managed AP page.
568176 GUI response is very slow when accessing Route-Monitor page in GUI.
569080 SD-WAN rule GUI page doesn’t show red exclamation mark for DST-negate enabled, like firewall policy.
569259 Fabric SAML with FortiManager management. Downstream FortiGate login with SAML super admin only have read-only access on most pages.
571674 GUI config changes generate misleading config event logs.
571828 GUI admin password injected as PSK when adding phase2 configuration on Chrome.
572027 In Log View/FortiView, GUI cannot list logs from FortiAnalyzer on FGT/FWF boxes.
573070 Interface widget not loading fully (keeps spinning) when a VDOM "prof_admin" is used.
573869 Log search index files are never deleted when the logdisk is out of space.
574239 AWS/AWSONDEMAND missing dropdown selection box for HTTPS server and WiFi certificates in GUI.
575756 Port Link speed option is missing on the FortiGate GUI after upgrading the managed FortiSwitch to 6.2.1.
579259 Firewall User Monitor shows "Failed to retrieve info" and no entries if session-based proxy authentication is used.
583760 After adding few Web Rating Overrides via GUI to an already existing long list of URIs, Web Rating Overrides page is not loaded and keeps spinning.

HA

Bug ID Description
543602 Unnecessary syncing process started during upgrade when it takes longer.
554187 HA slave gets FW Signature un-certified after upgrading image from the master.
555056 Enable 2-factor using vcluster in GUI gets overwritten (sync) by slave.
555998 Load balanced (A-A) slave-session doesn’t forward traffic after session is dirtied due to FortiManager policy install.
557277 FortiGate FGSP configured with standalone-config-sync will sync the FortiAnalyzer source-IP configuration to the slave.
557473 FGSP found checksum mismatch after replaced one of the units in the cluster.
559172 VLAN in VDOM in virtual cluster not showing virtual MAC for the vcluster.
560096 Restoring config fails on slave when using TACACS+ (master OK).
560107 Cluster upgrade from 5.6.7 build 1653 to SB 5.6.8 build 3667 takes longer than normal.
563551 HASYNC aborts on slave unit.
569629 HA A-A local FQDN not resolving on slave unit.
574564 In an HA configuration with HA uninterruptible upgrade enabled, some signature database files may fail to synchronize upon upgrading from 5.6.9 and earlier to 5.6.10.
575715 Unable to sync the Local-GW in FGSP.
576638 HA cluster GUI change does not send logs to the slave immediately.
577115 Master unit console keeps showing message [ha_auth_set_logon_msg:228] buffer overflow.
578475 FortiGate HA reports not synced if firewall policy of master and slave does not contain the same VIP.

Intrusion Prevention

Bug ID Description
545823 Creating/editing a DoS-Policy takes a long time. GUI hangs or displays Error 500: Internal Server Error.
561623 IPS engine 5.009 crashes when updated new FFDB has different size from the old one.

IPsec VPN

Bug ID Description
449212 New dialup IPsec tunnel in policy mode/mode-cfg overwrites previously established tunnel.
537450 Site-to-site VPN policy based with DDNS destination fail to connect.
553759 ESP packets are sent to the wrong MAC after a routing change when IPsec SA is offloaded.
558693 FW90D VPN becomes unresponsive after changing VPN DDNS/Monitor.
559180 The command include-local-lan gets disabled after firewall is rebooted.
560223 Add support for EdDSA certificates for proxy-based deep-inspection / virtual-server when using TLS 1.3. This is resolved by: 0560223, 0561319, 0561820, 0561821, 0561822, 0561823, 0564510.
564237 After configuring SD-WAN and creating SD-WAN rule based on bandwidth criteria, the bandwidth value for tunnel interface is not calculated correctly.
569586 IPsec certificate based IKEv2 VPNs fail to read out certificate subject as username if ECC certificate is involved.
571209 Traffic over VLAN sub-interface pushed through the IPsec policy based VPN interface.
574115 PKI certificates with OU and/or DC as subject fail for PKI user filters.
575238 Redirected traffic on the same interface (ingress and egress interface are the same) is dropped.
575477 IKED memory leak.
577502 OCVPN cannot register – status 'Undefined'.

Log & Report

Bug ID Description
387294 Country flags in Botnet C&C table and Top Destinations by Bandwidth table are all missing.
545948 FortiGate periodically stops sending syslog messages.
551459 srcintf is unknown-0 in traffic log for service DNS when action is IP connection error.
556199 No logs are generated when using local-in policy on ha-mgmt interface.
558702 miglogd not working until sysctl killall miglogd. Reboot does not help.
565216 Memory of miglogd increase and enter conserve mode.
565505 miglogd high CPU utilization.
566843 No log generated when traffic is blocked by setting tunnel-non-http in webproxy.
568795 Specific traffic type is not logged on FAZ/Memory.
576024 Set sniffer policy to only log logtraffic=utm but many traffic log stats are still generated in disk or FortiAnalyzer.

Proxy

Bug ID Description
457347 WAD crashes in wad_http_client_body_done when ICAP is enabled.
544414 WAD handles transparent FTP/FTPS traffic.
551119 Certificate blacklist not working correctly in proxy mode.
559166 In firmware 6.0.5, WAD CPU usage on all cores reaches 100% in each around 30s.
562610 FortiGate generates WAD crash wad_mem_malloc.
563154 Can’t open a particular web page via explicit proxy with deep inspection and webfilter profile enabled.
566859 In WAD conserve mode 5.6.8, max_blocks value is high on some workers.
567796 WAD constantly crashes every few seconds.
567942 FortiGate cannot block blacklist certificate against TLS 1.3 if the blacklist certificate server address is exempt.
568905 WAD crashes due to RCX null.
572489 SSL handshake sometimes fail due to FortiGate replying back FIN to client.
573340 WAD causing memory leak.
573721 For FortiGate with client certificate inspect mode, traffic will trigger WAD crash.
573917 Certain web pages time out.
574171 Fail to connect https://drive.google.com by TLS 1.3.
574730 Wildcard URL filter stops working after upgrade.
576852 WAD process crashes in internet_svc_entry_cmp.
579400 High CPU with authd process caused by WAD parsing multiple line content-encoding error and IPC broken between wad and authd.
581865 In Proxy inspection with Application control and certificate inspection, TLS error for certain web pages, in EDGE browser only.
582714 WAD might leak memory during SSL session ticket resumption.
583736 WAD application crashing in v6.2.1.

REST API

Bug ID Description
566837 HTTPSD process crashes when using REST API.

Routing

Bug ID Description
558979 ECMP-based session with auxiliary session and IPS is not offloaded in reply direction.
559645 Creating static route from GUI should set Dynamic Gateway disabled by default.
560633 OSPF route for AD-VPN tunnel interface flaps.
562159 ADVPN OSPF unable to ping over ADVPN linknet.
567497 FortiGate sends PIM register messages to RP for group 64.0.0.0 about nonexistent sources.
570686 FortiOS 6.2.1 introduces asymmetric return path on the HUB in SD-WAN after the link change due to SLA on the spoke.
571714 DHCPv6 relay shows no route to host when there are multiple paths to reach it.
573789 OSPF with virtual clustering not learning routes.
578623 Gradual memory increase with full BGP table.
581488 BGP confederation router sending incorrect AS to neighbor-group routers.

SSL VPN

Bug ID Description
476377 SSL VPN FortiClient login with FAC user FTM two-factor fail because it times out too fast.
478957 SSL VPN web portal login history is not displayed if logs are stored in FortiAnalyzer.
481038 Web application is not loading through SSL VPN portal.
491733 When SSL VPN receives multiple HTTPS post requests under web filter, read_request_data_f loops even when client is stopped, which causes the SSL VPN process to use 99% of CPU.
496584 SSL VPN bad password attempt causes excessive bind requests against LDAP and lockout of accounts.
515889 SSL VPN web mode has trouble loading internal web application.
525172 A web application accessed through SSL VPN web mode triggers Error 500 on Java server.
530509 Invalid HTTP Request when SMB via SSL VPN bookmark is executed with MS Server 2016, but works fine with MS server 2008R2.
531848 FortiSIEM WebGUI does not load on web portal.
537341 SSL bookmark is not loading SAP portal information.
545177 Web mode fails for SharePoint page.
549654 Citrix bookmarks should be disabled in SSL VPN portal.
549994 SSL VPN web mode logon page should not show Skip button for remote user with Force password change on next logon.
551695 Office365 applications through SSL VPN bookmarks.
555344 Downloading PDF file through SSL VPN portal.
555611 SSL VPN web mode web forward not working for video camera system after upgrade to 6.0.4.
556657 Internal website not working through SSL VPN web mode.
558076 In firmware 6.2.0, RDWeb (Windows Server 2016) via SSL web portal does not work.
558080 McAfee ESM 11 display issues in SSL VPN web portal.
558473 For FG-200E, after upgrading from 6.0.4 to 6.2.0, SSL VPN HTTPS bookmark does not load (Secure Connection Failed).
559171 With SSL VPN web mode unable to get dropdown menu from internal web page.
559785 FortiMail login page with SSL VPN portal not displaying correctly.
560505 SharePoint 2019 page access fails using web mode.
560730 SSL VPN web mode SSO doesn’t work for some sites like FAC login.
560747 The referer header is not correct, and some files are not loaded properly.
561585 SSL VPN doesn’t correctly show Windows Admin center application.
563147 Connection to internal portal freezes when using SSL VPN web bookmark.
563798 Redirect in bookmark is not loading.
564850 Object from CARL source not showing through SSL VPN web mode.
564871 SSL VPN users create multiple connections.
567182 In SSL VPN web mode, videos on internal website won’t display.
567626 SSL VPN still allows password expired users to change password and get access.
567628 SSL VPN banned-cipher SHA256 not completely working.
567987 In SSL VPN web mode, RDP disconnects when copying long text from remote to local.
568481 Internal website using java is not accessed using SSL VPN web mode.
568838 Internal website not working through SSL VPN web mode.
569030 SSL VPN tunnel mode can only add split tunneling of user’s policy with groups and its users in different SSL VPN policies.
569711 Error for proxy ssh database through SSL VPN.
570445 CMAT application through SSL VPN not working properly.
570620 SSL VPN web mode does not work properly for the website using JavaScript.
571005 NextCloud through SSL VPN behaving strangely.
571479 Cannot access sub-menus from the internal main website through the bookmark when using SSL VPN web mode.
571721 Local portal adzh-srop-nidm02.intern.cube.ch needs more than 10 min. to load via SSL VPN bookmark.
572653 Unable to access Qlik Sense URL via SSL VPN web mode.
573527 SSL web portal CSP v3 compatibility issue.
573853 TX packet drops on ssl.root interface.
574551 Subpages on internal websites are not working via SSL VPN web mode (Tunnel mode is OK).
574724 SSL VPN conserve mode on FWF-30E when FortiGate unit enters memory less than 25%.
575248 Synology DSM login page is not displayed when accessed via SSL VPN bookmark or connection tool.
575259 SSL VPN connection is being dropped intermittently.
576013 The SSL VPN web mode webserver link is not rewritten correctly after login.
576288 VIP customer – FSSO groups set in rule with SSL VPN interface.
578581 SSL web mode VPN portal freezing when opening some websites using JavaScript.
580182 The EOASIS website is not displayed properly using SSL VPN web mode.
580384 SSL VPN web mode not redirecting URL as expected after successful login.
581863 Accessing http://nlyte.ote.gr/nlyte/ configured with bookmark name 'NLYTE' not getting authentication page.
582115 Third-party (Ultimo) web app does not load over SSL VPN web portal.
582161 Internal web application is not accessible through web SSL VPN.

Switch Controller

Bug ID Description
557280 Need to add FSW port information on Security Fabric and device inventory the same as before 6.0.4.
563939 802-1X timer reauth-period option 0 doesn’t work.

System

Bug ID Description
423311 200E/201E software switch span function does not work.
470875 OID seems to be COUNTER32 instead of GAUGE32.
498599 Can’t create loopback interface by VDOM admin if there’s no physical interface in VDOM.
520283 Can’t show global setting when VDOM admin run exec tac report command.
531675 SFP ports do not link down when SFP cat5 interface status of FortiGate on the other side goes down.
539970 Kernel panic on HA pair of 301E.
540083 Partial traffic outage with softirq on 100%.
545449 IPinIP traffic over another IPinIP is dropped in NP6-Lite when offloading is enabled.
550206 Memory (SKB) which is no longer needed is not released in NP6 and NP6lite drivers (100E, 140E, 3600D, 3800D).
551281 process_tunnel_timeout_notify:377, send timeout notify message error -1 1 message printed in console.
556408 Aggregate link doesn’t work for LACP mode active for 60E internal ports but works for wan1 and wan2 combination.
557172 When there are many application-control based Internet-service entries in SD-WAN, system performance is affected by high CPU usage of softirq.
557527 FortiGate as L2TP client does not negotiate correctly.
557798 High memory utilization caused by authd and WAD processes.
559467 Support four DNS records inside DHCP offer.
560411 3980E unresponsive with millions of sessions in TIME_WAIT.
560686 4x10G split-port does not work on FG-3700D rev 2.
561097 SD-WAN rule corrupted on reboot after ISDB update.
561234 FG-800D shows wrong HA, ALARM LED status.
561929 REST API cmdb/router/aspath-list is not inserting new values.
562049 TLS 1.3 resumption and Pre-Shared Key (PSK) fail if Hello Retry Request is received.
563232 Authorization fails when 0.0.0.0/0 is listed as the trusted host.
563497 The trust-ip-x feature on interface does not work.
564184 Split DNS not working. CNAME fails to resolve.
564579 Updated crash signal 14, object creation not allowed from cli errno=Resource temporarily unavailable.
564911 DHCPDISCOVERY NATed with TP management IP when sent to NAT VDOM.
565291 SD-WAN rule doesn’t work with nested firewall address group selected as source or destination.
565296 Wrong configuration transmitted by FOS to FortiManager under certain conditions.
565631 DHCP relay sessions are removed from the session table after applying any config change.
567487 CPU goes to 100% when modifying members of an addrgrp object.
567504 Speed test breaks the cluster.
568215 Kernel bug at net/core/skbuff.
569652 High memory utilization after FortiOS and IPSengine upgrade.
570227 FortiGate is not selecting an NTP server that has a clock time in the majority clique of other NTP servers.
570834 STP (Spanning Tree) flapping.
571207 DHCP with manual address does not provide subnetmask in DHCP ACK.
572411 Timezone for Canary Islands is missing.
572428 lldptx – Application Crashed – Signal 11 Segmentation Fault.
572707 Configuration is corrupted when restoring a VDOM.
572763 softirq causing high CPU when session increase in an acceptable way.
573177 GUI cannot save edits made on replacement messages in a VDOM. When using CLI, user gets logged out while editing.
574086 Kernel panic occurs after upgrading from 6.2.0 to 6.2.1.
574110 When adding admin down interface as a member of aggregate interface, it shows up and process the traffic.
574327 FortiGate CSR traffic to SCEP srv generated from the root VDOM instead of the VDOM we create the CSR.
574991 FortiGate can’t extract the user principal name UPN from user certificate when certificate contains UPN and additional names.
576063 Crashlog keeps having cid could not load sigs after FortiGate is authed into FortiManager.
577047 FortiGate takes a long time to reboot when it has many firewall addresses used in many policies.
577302 Virtual WAN Link process (vwl) memory usage keeps increasing after upgrading to 6.2.1.
578531 forticldd daemon resolved mgrctrl1.fortinet.com to wrong IP address.
578746 FortiGate does not accept FortiManager created country code and causes address install fails.
579524 DHCP lease is not stable and dhcpd process crashes.
580185 authd4 crashes when deleting a VDOM or rebooting the FortiGate.
580883 DNS servers acquired via PPPoE in non-management VDOMs are used for DHCP DNS server option 6.
582547 fgfmsd crash makes connection to FortiManager go down.

Upgrade

Bug ID Description
550410 Cannot edit addrgrp which includes wildcardfqdn object after upgrade from v5.6.x.
556002 Some firewall policies were deleted after upgrade from FOS 6.0.4 to FOS 6.2.0.
558995 L2 WCCP stops working after upgrade to FOS 6.0.3 or newer.
562444 The firewall policy with internet-service enabled was lost after upgrade from 6.0.5.
580450 Policies removed after an upgrade in NGFW Policy Mode: maximum number of entries has been reached.

User & Device

Bug ID Description
547657 Disclaimer+Auth Guest portal RADIUS auth failing due to FAC trying to resolve 3rd party websites as access-points.
549394 fnbamd crashes frequently.
558332 CoA from FAC is not working for FortiGate wired interface based captive portal.
561289 User-based Kerberos Authentication not working in new VDOM.
561610 src-vis process memory leak.
562185 Disclaimer redirection to IP instead of FQDN results in Certificate/SSL warning.
562861 RADIUS CoA (disconnect request) not working with use-management-vdom.
567990 Hard-timeout setting not working for captive portal.

VM

Bug ID Description
524052 Application cloudinitd has signal 11 crash on FortiGate-VM64-GCP.
561083 VPN tunnels not coming up after HA failover in GCP.
561909 Azure SDN connector try querying invalid FQDN when using Azure Stack Integrated systems.
567137 VM in Oracle cloud has 100% CPU usage in system space.
570176 HA cluster multi AZ does not failover IPsec VPN in AWS with TGW.
571652 OCI SDN connector gets HTTP response err:500 when enabling use-metadata-iam.
573952 FGT-VM with network driver vmxnet3 has lots of fragments when testing throughput.
575400 In Azure SDN, the firewall address filter cannot fetch the secondary public and private IP addresses of the NICs.
578727 FGTVM_OPC unable to failover the route properly during failover.
578966 OpenStack PCI passthru sub interface VLAN cannot receive traffic.
580738 In the Cluster setup, slave unit can have different fingerprint for the OCI SDN connector, which can cause unit to fail to connect to OCI metadata server properly.
580911 EIP assigned to the secondary IP address on the OCI does not fail over during HA failover.
577856 Add missing AWS HA failover error log and set firewall.vip/vip46/vip6/vip64 not sync’ing when cross zone HA is configured.

VoIP

Bug ID Description
570430 SIP ALG generates a VoIP session with wrong direction.
580588 SDP information fields are not being natted in Multipart Media Encapsulation traffic.

WanOpt

Bug ID Description
564290 FOS can’t collaborate web-cache with FortiProxy successfully.

Web Filter

Bug ID Description
356487 When central-management is NONE, include-default-servers setting is not honored by rating.
549928 Block page images not loading for web sites protected by HSTS.
551956 Proxy web filtering blocks innocent sites due to urlsource="FortiSandBox Block".
565952 Proxy-based Webfilter breaks WCCP traffic.

WiFi Controller

Bug ID Description
540027 FortiWiFi working as client mode cannot see and connect to the hotspot SSID from iOS devices.
569966 WPA2-Enterprise SSID authentication cannot utilize the source IP setting in RADIUS server configuration.
570745 FAPs detecting BSSIDs of other FAPs managed by the same WC as Fake-ap-on-air.
573024 FAP cannot be managed by FortiGate when admin trusthost is configured.

Known issues:

Data Leak Prevention

Bug ID Description
586689 Downloading a file with FTP client in EPSV mode will hang.

DNS Filter

Bug ID Description
586526 Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

FortiView

Bug ID Description
582341 Fortiview > policies: Consolidate policy without name and tooltips, Security policy with tooltips are not working.

GUI

Bug ID Description
282160 GUI does not show byte info for aggregate and VLAN interface.
438298 When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.
480731 Interface filter gets incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.
510685 Hardware Switch Row is shown, indicating a number of interfaces but without any interfaces below.
514632 Inconsistent Refcnt value in GUI when using ports in HA session-sync-dev.
537307 Gets "Fail to retrieve info" for ha-mgmt-interface on GUI > interface page.
540098 GUI does not display the status for VLAN and loopback under status column at Network > interfaces.
541042 Log viewer Forward Traffic cannot support double negate filter (client side issue).
542544 In Log & Report, filtering for blank values (None) always show no results.
553290 The tooltip of VLAN interface displays Failed to retrieve info on GUI.
557786 GUI response is very slow when accessing IPSec-Monitor (api/v2/monitor/vpn/ipsec is taking a long time).
559866 When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via management tunnel.
565748 New interface pair consolidated policy added via CLI is not displayed on GUI policy page.
573456 FortiGate without disk Email Alert Settings page should remove Disk usage exceeds option.
574101 Empty firmware version in managed FortiSwitch from FortiGate GUI.
579711 An error occurs while running Security Rating.
583049 Internal Server Error while trying to create new interface.
584939 VPN event logs show incorrectly when adding two action filters and if the filter action filter contains "-".
586749 Enable/Disable Disarm and Reconstruction on GUI only takes effect on SMTP protocol in AV profile.

HA

Bug ID Description
479780 Slave fails to send and receive HA heartbeat on config cfg-revert setting on FGT2500E.
575020 HA failing config sync on VM01 with error (slave and master have different hdisk status) when master is pre-configured.
581906 HA slave sending out GARP packets in 16-20 seconds after HA monitored interface failed.
586004 Moving VDOM via GUI between virtual clusters causes cluster to go out of sync but VDOM state work/standby doesn’t change.

IPsec VPN

Bug ID Description
582251 IKEv2 with eap auth peerid validation doesn’t work.

Proxy

Bug ID Description
573028 WAD crashes causing traffic interruption.
575224 WAD – high memory usage from worker process causing conserve mode and traffic issues.

REST API

Bug ID Description
584631 REST API admin with token unable to configure HA setting (via login session can work).

Security Fabric

Bug ID Description
578268 Downstream device shows offline.
586587 Security Fabric widget keeps loading when FortiSwitch is in a loop or two FortiSwitches are in mclag mode.
587758 Invalid CIDR format shows as valid by Security Fabric threat feed.

SSL VPN

Bug ID Description
505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.
563022 SSL VPN LDAP group object matching only matches the first policy, isn’t consistent with normal firewall policy.
585754 An SSL VPN bookmark failed to load the GUI of proxmox GUI interface.

Switch Controller

Bug ID Description
581370 FortiSwitch managed by FortiGate not updating RADIUS settings and user group in the FortiSwitch.
586299 Adding factory-reset device to HA fails with switch-controller.qos settings in root.

System

Bug ID Description
464340 EHP drops for units with no NP_SERVICE_MODULE.
484749 TCP traffic with tcp_ecn tag cannot go through ipip IPv6 tunnel with NP6 offload enabled.
555616 TCP packets send wrong interface and high CPU.
562212 Management tunnel to devices goes down and cannot reclaim tunnel; so policy pushes get stuck.
570759 RX/TX counters for VLAN interfaces based on LACP interface are 0.
573973 ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.
575013 Errors in the FortiGate’s CLI 8 debug, when FortiManager is obtaining the HA status and mgmt-data status, if ha-mgmt-status enabled.
581998 Session clash event log found on FG-6500F when passing a lot of same source IP ICMP traffic over Load balance VIP.

User & Device

Bug ID Description
569062 fnbamd takes high CPU usage and user cannot authenticate.

VM

Bug ID Description
579013 FortiGate HA failover fails in Azure stack due to invalid authentication token tenant.
579708 Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for registration.
587180 FGTVM64_KVM is unable to boot up properly when doing a hard reboot with the host.
587757 FG-VM image unable to be deployed on AWS with additional disk of type HDD(st1).

WiFi Controller

Bug ID Description
555659 When FAP is managed across VDOM links, WiFi client can’t join SSID when auto-asic-offload is enabled.

FortiOS 6.2.2 – Release Notes

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
