FortiOS 6.2.4 - B&B Bezpieczeństwo w biznesie

Fortinet publikuje aktualizację systemu operacyjnego dedykowanego dla FortiGate oznaczonego numerem wersji 6.2.4. Nowa wersja według producenta pozbawiona jest błędów które powodowały niestabilność połączeń RDP. Dotyczy to zarówno web-portalu jak i połączenia poprzez FortiClient. Dodatkowo producent usprawnił wiele procesów związanych z SSL VPN, routingiem oraz IPsec VPN. Standardowo producent wyeliminował błędy zgłoszone przez administratorów w poprzedniej wersji firmware’u. Gorąco zachęcamy do aktualizacji jeśli korzystasz z poprzednich wersji rodziny 6.2! Więcej informacji w artykule!

Rozwiązane problemy:

Anti Virus

Bug ID	Description
557998	Quarantined CDR files cannot be downloaded. Encountered 404 error when clicking Archived File.
563250	Shared memory does not empty out properly under /tmp.
594696	Sample file eicar.exe cannot pass through SMTPS, POP3S, or IMAPS with deep inspection and flow enabled on IPv6 policy.

Data Leak Prevention

Bug ID	Description
563447	Cannot download DLP archived file from GUI for HTTPS, FTPS, SMTP and SMTPS.
571171	Excessive false positives for credit card DLP profiles.
574722	DLP blocks Gmail with deep inspection.
591178	WAD fails to determine the correct file name when downloading a file from Nextcloud.

Explicit Proxy

Bug ID	Description
589166	EPSV does not work when using an FTP proxy.
594580	FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.
594598	Enabling proxy policies (+400) increases memory by 30% and up to 80% total.
603707	The specified port configurations of `https-incoming-port` for `config web-proxy explicit` disappeared after rebooting.
605209	LDAP ignores `source-ip` with web proxy Kerberos authentication.

Firewall

Bug ID	Description
593103	When a policy denies traffic for a VIP and `send-deny-packet` is enabled, ICMP unreachable message references the mapped address, not the external.
595044	Get new CLI signal 11 crash log when performing `execute internet-service refresh`.
596218	ISDB ID is missing when configuring internet service group objects.
598559	ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.
599253	GUI traffic shaper Bandwidth Utilization should use KBps units.
600051	Cannot establish the connection to the real servers using VIP server load-balancing after upgrading to FortiOS 6.2.2.
600644	IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.
601331	Virtual load-balance VIP and intermittent HTTP health check failures.
604886	Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.
611840	Firewall policy search with decimal in the name fails in GUI.

FortiView

Bug ID	Description
592309	FortiView physical topology page cannot load; get Failed to get FortiView data error message.

GUI

Bug ID	Description
557786	GUI response is very slow when accessing IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time).
565309	Application groups improvements.
579711	Cannot run Security Rating due to disk issue (`diagnose security-rating clean` fails).
584314	NGFW mode should have a link to show all applications in the list.
585055	High CPU utilization by httpsd daemon if there are too many API connections.
585924	Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.
589709	Status icon in Tunnel column on IPsec Tunnels page should be removed.
593624	GUI behavior is different with local user using super admin profile and TACACS user using super admin profile.
593899	Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.
598247	One-minute memory; CPU and Sessions widgets stopped updating after system entered and exited conserve mode.
598725	Login page shows random characters when system language is not English.
599284	`pyfcgid` crashed with `signal 11 (Segmentation fault) received`.
599401	FortiGuard quota category details displays No matching entries found for local category.
599612	GUI should allow user to create redundant IPsec tunnel over different interface to the same remote gateway.
601653	When deleting an AV profile in the GUI, there is no confirmation message prompt.
602637	Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.
602692	Security Rating result for SSL VPN certificate fails when using a 384-bit elliptic curve certificate.
603583	Data source is missing in child table entries in a complex type property.
603913	GUI should add interface value check when creating a new zone.
605493	Admin cannot log in to FortiGate GUI.
605677	System goes into conserve mode when editing ISDB entries through GUI.
606074	Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3.
606394	DPD setting in GUI cannot be reflected correctly when Dialup User and On Demand are set by the IPsec wizard.
607972	FortiGate enters conserve mode when accessing Amazon AWS ISDB object.
609064	Revoke Token in GUI reports URL not found on server.
610181	FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare.
610573	When saving configuration under global interface, explicit proxy settings are removed.
611436	FortiGate displays a hacked web page after selecting an IPS log.
615085	Slow GUI response with httpsd intermittently consuming high CPU when GUI is accessed.
615462	GUI takes 10-15 seconds to load Device Inventory, IPv4 Policy, and Interfaces pages.
617364	GUI does not list AliCloud SDN address filter.

HA

Bug ID	Description
530215	`application hasync` returns „* signal 11 (Segmentation fault) received *”.
588908	FG-3400E hasync reports the network is unreachable.
596575	HA active-active master attempts to steer HTTP and SMTP sessions to slave unit over NPU-VLINK interfaces.
596837	Deleting tunnel on master via API call will not delete it from the slave unit.
598937	Local user creation causes HA to be out of sync for several minutes.
601550	Application `hasync` crashes several times.
602266	The configuration of the SD-WAN interface gateway IP should not sync.
602406	In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the slave unit.
613714	HA failover takes over one minute when monitored aggregate interface goes down on master.
621621	Ether-type HA cannot be changed.

Intrusion Prevention

Bug ID	Description
605610	Security Policy page is slow to load due to empty security firewall statistic returning from IPS engine.
608501	IPS forwards attacks that are previously identified as dropped.

IPsec VPN

Bug ID	Description
516029	Remove the IPsec global lock.
557812	IPsec does not support the new `interface-subnet` type in its `phase2-interface` and `ipv4-split-include` settings for dialup VPN.
589096	In IPsec after HA failover, performance regression and IKESAs are lost.
590633	Packet loss observed after ADVPN shortcut is created.
594962	IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate in a remote peer gateway.
595810	Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.
596429	Traffic unable to pass through for certain phase 2 selectors when there is double SA.
597748	L2TP/IPsec VPN disconnects frequently.
599471	IKEv2 responder can delete static selectors when local narrowing occurs.
602240	IKEv2 EAP-TLS handshake detected retransmit of client, but FortiGate does not retransmit its response.
604334	L2TP disconnection when transferring large files.
604923	IKE memory leak when IKEv2 certificate subject alternative name/peer ID matching occurs.
607212	IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured.
609033	After two HA failovers, one VPN interface member of SD-WAN cannot forward packets.
611148	L2TP/IPsec does not send framed IP address in RADIUS accounting updates.
612319	MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and makes fragmentation high.
615360	OCVPN secondary hub cannot register.
622506	L2TP over IPsec tunnel established, but traffic cannot pass because wrong interface gets in route lookup.

Log & Report

Bug ID	Description
593557	Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.
595151	Log filter for user name in UPN format is not consistent when the log location is set to FortiAnalyzer and local disk.
602459	GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.
605174	Incorrect `sentdelta/rcvddelta` in traffic log statistics for RTSP sessions.

Proxy

Bug ID	Description
561552	WAD crashed with signal 6 (MAPI/RPC).
594829	FTP connection is not working with AV profile in proxy inspection mode when FTP user name contains an @.
610466	Multiple WAD crash on FG-500D after upgrading from 6.2.3 ( `wad_url_filter_user_cat_load_entry.constprop.7` ).

REST API

Bug ID	Description
599516	When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

Routing

Bug ID	Description
580207	Policy route does not apply to local-out traffic.
593951	Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.
597733	IPv6 ECMP routes cannot be synchronized correctly to HA slave unit.
598665	BGP route is in routing table but not in FIB (kernel routing table).
599667	OSPF over ADVPN flapping after shortcut tunnel established.
599884	Traffic not following SD-WAN rules when one of the interfaces is VLAN.
600332	SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.
600830	SD-WAN health check reports have packet loss if response time is longer than the check interval.
600995	Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.
602223	SD-WAN route is not added in routing table when the SD-WAN interface members are IPv4 over IPv6 IPsec.
602679	Prevent BGP daemon crashing when peer breaks TCP connection.
603063	Locally originated traffic on non-default VRF may follow route on VRF 0 when there are routes with the same prefix on both VRFs.
604390	FortiOS 6.2.3 by default drops reply packets received from a different interface (unlike 6.2.2).

Security Fabric

Bug ID	Description
586024	Automation stitch cannot execute shutdown command when FortiGate enters kernel conserve mode.
588262	IP address Threat Feed fabric connector not working.
599474	FortiGate SDN connector not seeing all available tag name-value pairs.
604670	Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system’s timezone configuration.

SSL VPN

Bug ID	Description
556657	Internal website not working through SSL VPN web mode.
561585	SSL VPN does not correctly show Windows Admin center application.
563022	SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.
582115	Third-party (Ultimo) web app does not load over SSL VPN web portal.
582265	RDP sessions are terminated (disconnect) unexpectedly.
587300	In web mode, third-party webpage stuck on loading animation; JavaScript error in console.
587732	The SSL VPN web mode SSH widget is not connecting to the SSH server.
588066	SSO for HTTPS fails when using „\” (backslash) with the domain\username format.
588587	Different portals of SIPLAN COMPESA do not show properly in web mode.
593367	SSL VPN bookmark does not load after clicking from the portal.
593621	Website not fully loading through web portal bookmark; loads correctly with iPad user agent.
595627	Cannot access some specific sites through SSL VPN web mode.
596296	SSL VPN fails 90% when connecting with FortiClient.
596352	SAML user name is not correctly recorded in logs when logging in to SSL VPN portal via SSO entry, and history cannot be shown.
596412	Not possible to download PDF file after connecting to portal through SSL VPN bookmark.
596441	FortiOS does not correctly re-write the Exchange OWA logoff URL when accessed via SSL VPN bookmark.
596757	SSL VPN connection stuck at 95% or 98%.
596846	Unable to deauthenticate FSSO user in GUI, but it works in CLI.
597336	Webpage does not load properly through SSL VPN web mode (fails to show CAPTCHA).
597566	Add SSL VPN SSO user logged in from SAML response.
597634	In SSL VPN web mode, internal web services not working and tunnel mode is working fine.
597658	Internal custom web application page running on Apache Tomcat is not displaying in SSL VPN web mode.
598659	SSL VPN daemon crash.
598660	Internal website is not accessible from SSL VPN as the URL is being modified.
599394	SSL VPN web portal bookmarks are not full loading for Vivendi SelfService application.
599658	GUI is not rendered well by SSL VPN portal when using domain and user to log in.
599668	In SSL VPN web mode, page keeps loading after user authenticates into internal application.
599671	In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.
599777	Problem with ratm.avanzasa.com portal accessed via SSL VPN web mode.
599960	RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed.
600029	Sending RADIUS accounting interim update messages with SSL VPN client framed IP are delayed.
600103	Sslvpnd crashes when trying to query a DNS host name without a period (.).
601084	Site in .NET framework 4.6 or 4.7 not loading in SSL VPN web mode.
601867	SSL VPN web mode cannot open DFS share subdirectories, gives invalid HTTP request message.
602392	Cannot access remote site using SSL VPN web mode after upgrading to FOS 6.2.2.
602645	SSL VPN synology NAS web bookmark log in page does not work after upgrading to 6.2.3.
603518	Internal website not working in SSL VPN web mode; cannot load ESS/MSS page.
603779	Chinese characters are garbled when downloading from SMB/CIFS in SSL VPN web mode.
603817	Internal website is not shown properly in SSL VPN web mode.
603957	SSL VPN LDAP authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7.
604882	Internal SAP website not working in SSL VPN web mode.
605110	Mobile token is not required when LDAP user and LDAP group are set in SSL VPN policy together.
605699	Internal HRIS website dropdown list box not loading in SSL VPN web mode.
607413	SMB/CIFS bookmark name gets scrambled if it contains special characters like space, backslash, colon, etc.
608453	Internal website is not accessible from SSL VPN due to some Sage X3 JS files with errors.
610564	RDP over web mode SSL VPN to a Windows Server changes the time zone to GMT.
616879	Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.
613641	SSL VPN web mode custom FortiClient download URL with %s causing sslvpnd to crash.
621270	SSL VPN user groups are corrupted in auth list when the user is a member of more than 100 groups.
624197	SSL VPN web mode does not completely load the redirected corporate SSO page when accessing an internal resource.
624904	The Saudi Arabian Airlines website is not shown properly in SSL VPN web mode.
625338	sslvpnd crashing with signal 7 on get_free_idx.
625554	SSL VPN connection was used when the DTLS UDP packet process failed and connection was destroyed.

Switch Controller

Bug ID	Description
517663	On a managed FortiSwitch already running the latest GA image, Upgrade Available is shown.
601547	Unable to push user group configuration from FortiGate to FortiSwitch, and `user.group` configuration is deleted.
607707	Unable to push configuration changes from FortiGate to FortiSwitch.
608231	LLDP policy did not download completely to the managed FortiSwitch 108Es.
613323	FortiSwitch trunk configuration sync issue after FortiGate failover.

System

Bug ID	Description
515201	FortiGate cannot display the script name from FortiManager.
527459	SSDN address filter unable to handle space character.
576337	SNMP polling stopped when FortiManager API script executed onto FortiGate.
582498	Traffic can be offloaded to both NTurbo and NP6 when DOS policy is applied on ingress/egress interface in a policy with IPS.
585053	NP6 VLAN LACP-based interface RX/TX counters not increasing.
586990	Customer with FG-50E getting high CPU with 6.2.1.
589079	QSFP interface goes down when the `get system interface transceiver` command is interrupted.
589723	Wrong source IP is bound for `config system fortiguard`.
590021	Enabling `auto-asic-offload` results in keeping `action=deny` in traffic log with an accept entry.
590423	FortiManager needs patch and minor number to update global database when FortiGate firmware upgrade does not trigger an auto-retrieve configuration.
592148	Issue with TCP packets when traversing the virtual wire pair in transparent mode.
592570	VLAN switch does not work on FG-100E.
592827	FortiGate is not sending DHCP request after receiving offer.
593426	Remove DST for Brazil.
594018	Update daemon is locked to one resolved update server.
594577	Out of order packets for an offloaded multicast stream.
594865	`diagnose internet-service match` does not return the IP value of the IP reputation database object.
595338	Unable to execute `ping6` when configuring `execute ping6-options tos`, except for `default`.
595467	Invalid multicast policy created after transparent VDOM restored.
598527	ISDB may cause crashes after downgrading FortiGate firmware.
602523	DDNS `monitor-interface` uses the monitored interface if DDNS services other than FortiGuard DDNS are used.
602548	Some of the clients are not getting their IP through DHCP intermittently.
603194	NP multicast session remains after the kernel session is deleted.
603551	DHCPv6 relay does not work on FG-2200E.
604550	Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.
604699	Header line that is not freed might cause system to enter conserve mode in a transparent mode deployment.
606597	When changing time zone on FG-101E, get Failed to set SMC timezone message.
607015	More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens quite often on some global NTP servers.
607452	Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash.
610900	Low throughput on FG-2201E for traffic with ECN flag enabled.
610903	SMC NTP functions are enabled on some of the models that do not support the feature.
612113	xcvrd attaches shared memory multiple times causing huge memory consumption.
621771	FortiGate cannot be accessed by ping/telnet/ssh/capwap in transparent VDOM.
623113	FortiGate not entering A records in shadow DNS database for cross-subdomain CNAME requests.
626785	FG-101F should support the same WTP size (128) as FG-100F.

Upgrade

Bug ID	Description
618809	Boot up may fail when downgrading from FOS 6.4.0 to 6.2.3.

User & Device

Bug ID	Description
573317	SSO admin with a user name over 35 characters cannot log in after the first login.
592047	GUI RADIUS test fails with `vdom-dns` configuration.
593361	No source IP option available for OCSP certificate checking.
594863	UPN extraction does not work for particular PKI.
596844	Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification.
605404	FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects.
605437	FortiOS does not understand CMPv2 `grantedWithMods` response.
605950	RDP sessions are terminated (disconnect) unexpectedly.
609655	Captive portal exemption after upgrading the device from 6.2.2 to 6.2.3.

VM

Bug ID	Description
575346	`gui-wanopt` cache missing under system settings after upgrading a FortiGate VM with two disks.
594248	Enabling or disabling SR-IOV under vNIC creates duplicate MAC addresses and extra interfaces on the FortiGate.
597003	Unable to bypass self-signed certificates on Chrome in macOS Catalina.
598419	Static routes are not in sync on FortiGate Azure.
599430	FG-VM-AZURE fails to boot up due to `rtnl_lock` deadlock.
600975	Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time.
601357	FortiGate VM Azure in HA has unsuccessful failover.
601528	License validation failure log message missing when using FortiManager to validate a VM.
603365	HA slave member instance shuts down due to RAM difference after stopping/starting the cluster instances.
603599	VIP in autoscale on GCP not syncing to other nodes.
605103	E1000 network adapter will be deleted if there is a VMXNET3 network adapter.
605435	API call to associate elastic IP is triggered only when the unit becomes the master.
606439	License validation failure log message missing when using FortiManager to validate VM.
609283	IP pools are synchronized in FortiGate Azure HA.
612611	Very hard to download image for FG-AWSONDEMAND from FDS.
614544	AWS VM sometimes could not get fdsm image list from FDS.
622031	AZD keeps crashing if Azure VM contains more than 15 tags.

VoIP

Bug ID	Description
599117	`voipd` process crash.
601275	MGCP session helper does not NAT the MGCP body.

Web Filter

Bug ID	Description
551956	Proxy web filtering blocks innocent sites due to `urlsource="FortiSandBox Block"`.
593203	Cannot enter a name for a web rating override and save—error message appears when entering the name.
606965	Unable to whitelist specific YouTube channel when all other YouTube channels or videos are blocked.

WiFi Controller

Bug ID	Description
563630	Kernel panic observed on FWF-60E.
594170	FortiAPs not shown in the GUI.
595653	FortiGate in transparent mode cannot manage FortiAP devices successfully.
599690	Unable to perform COA with device MAC address for 802.1x wireless connection when `use-management-vdom` is enabled.
601012	When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code.
608717	Packet loss over CAPWAP tunneled SSID.
615219	FortiGate cannot create WTP entry for FortiAP in transparent mode.

Znane problemy do rozwiązania:

DNS Filter

Bug ID	Description
582374	License shows expiry date of `0000-00-00`.