Fortinet has just released the latest firmware, version 6.2.7, for the FortiGate product line. The update adds the route-tag command, which maps a BGP community string to a specific tag. The string may correspond to a particular network advertised by a BGP router. With this tag, an SD-WAN service rule can define specific traffic handling for that network. Among other fixes, the release resolves a GUI process crash that occurred when a managed FortiSwitch returned a reset status. It also fixes an HA cluster bug in which the secondary device failed to synchronize with the primary device when FGSP was configured as a peer but hasync could not bind its socket. Also fixed is a bug where an SD-WAN rule disappeared when an SD-WAN member experienced a dynamic change, for example during a PPPoE interface update. For more details, read on below.
What's new:
The route-tag is a mechanism to map a BGP community string to a specific tag. The string may correspond to a specific network that a BGP router advertised. With this tag, an SD-WAN service rule can be used to define specific traffic handling to that network. IPv6 route tags are now supported.
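As an added illustration (not part of the original release notes or of Fortinet's documentation), the configuration below shows the chain the paragraph describes: a community list that matches the advertised community string, a route-map that stamps matching inbound BGP routes with a route tag, and an SD-WAN service rule that uses that tag to steer traffic towards the tagged networks. The community value 65000:100, tag 100, AS numbers, neighbor address, object names and member index are constructed placeholders, and the keyword names follow the FortiOS 6.2 CLI as I know it, which is an assumption to check against the 6.2.7 CLI reference.

```text
# Constructed example (not from the release notes): community 65000:100 -> route tag 100 -> SD-WAN rule
config router community-list
    edit "branch-nets"
        config rule
            edit 1
                set action permit
                set match "65000:100"
            next
        end
    next
end
config router route-map
    edit "tag-branch-nets"
        config rule
            edit 1
                set match-community "branch-nets"
                set set-route-tag 100
            next
        end
    next
end
config router bgp
    set as 65001
    config neighbor
        edit "10.255.0.2"
            set remote-as 65000
            set route-map-in "tag-branch-nets"
        next
    end
end
config system virtual-wan-link
    config service
        edit 1
            set name "to-branch-nets"
            set route-tag 100
            set priority-members 1
        next
    end
end
```

After applying it, `get router info bgp network` and the SD-WAN service diagnostics can be used to confirm that the learned prefixes carry tag 100 and that the rule matches them.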
Resolved issues:
Firewall
Bug ID | Description |
---|---|
651321 | sflowd is crashing due to invalid custom application category. |
GUI
Bug ID | Description |
---|---|
656429 | Intermittent GUI process crash if a managed FortiSwitch returns a reset status. |
HA
Bug ID | Description |
---|---|
616345 | Secondary device failed to sync with primary device when FGSP is peer configured, but hasync fails to bind socket. |
671737 | HA is not syncing after upgrading to 6.2.5 due to failure to bind socket. |
Intrusion Prevention
Bug ID | Description |
---|---|
668631 | IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates. |
IPsec VPN
Bug ID | Description |
---|---|
610203 | When an offloaded IPsec SA uses NP6 reserved space, it gets stuck and packets on the tunnel start to drop. |
645196 | Static routes added by iked in non-root VDOM are not removed when tunnel interface status is set to down by configuration change. |
663126 | Packets for the existing session are still forwarded via the old tunnel after the routing changed on the ADVPN hub. |
668554 | Upon upgrading to FortiOS 6.2.6, a device with IPsec configured may experience IKE process crashes when any configuration change is made or an address change occurs on a dynamic interface. |
670025 | IKEv2 fragmentation-mtu option is not respected when EAP is used for authentication. |
673258 | FortiGate to Cisco IKEv2 tunnel randomly disconnects after rekey. |
Log & Report
Bug ID | Description |
---|---|
651581 | FortiGate tried to connect to FortiGate Cloud with the primary IP after reboot, although the secondary IP is the source in the FortiGuard log. |
Routing
Bug ID | Description |
---|---|
654032 | SD-WAN IPv6 route tag command is not available in the SD-WAN services. |
661769 | SD-WAN rule disappears when an SD-WAN member experiences a dynamic change, such as during a dynamic PPPoE interface update. |
668982 | Possible memory leak when BGP table version increases. |
670017 | FortiGate as first hop router sometimes does not send register messages to the RP. |
672061 | In IPsec topology with hub and ~1000 spokes, hundreds of spoke tunnels are flapping, causing BGP instability for other spokes. |
Security Fabric
Bug ID | Description |
---|---|
631607 | CSF root FortiGate cannot listen on loopback interface. |
669436 | Filter lookup for Azure connector in subnet and virtual network does not show all results. |
SSL VPN
Bug ID | Description |
---|---|
664121 | SCM VPN disconnects when performing an SVN checkout. |
666194 | WALLIX Manager GUI interface is not loading through SSL VPN web mode. |
667780 | Policy check cache should include user or group information. |
669685 | Split tunneling is not adding FQDN addresses to the routes. |
669707 | The jstor.org webpage is not loading via SSL VPN bookmark. |
670803 | Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode. |
Switch Controller
Bug ID | Description |
---|---|
671135 | flcfg crashes while configuring FortiSwitches through FortiLink. |
System
Bug ID | Description |
---|---|
634202 | STP does not work in transparent mode. |
635308 | factoryreset2 does not preserve all interfaces. |
637014 | FortiGate in LENC mode unable to pass firmware signature verification and shows as uncertified after GUI upgrade. |
657629 | ARM-based platforms do not have sensor readings included in SNMP MIBs. |
660709 | The sflowd process has high CPU usage when application control is enabled. |
663083 | Offloaded traffic from IPsec crossing the NPU VDOM link is dropped. |
663815 | Low IPS HTTP throughput on SoC4 platforms. |
664478 | Kernel crash caused by a race condition on vlif access. |
666205 | High CPU on L2TP process caused by loop. |
669951 | confsyncd may crash when there is an error parsing through the internet service database, but no error is returned. |
676697 | When a VRF is used on SoC4 platforms, nTurbo traffic is wrongly categorized as GTPU. |
User & Device
Bug ID | Description |
---|---|
667689 | Cannot select remote certificate imported from CLI for SAML IdP. |
682711 | TACACS users cannot log in via console. |
VM
Bug ID | Description |
---|---|
620654 | Spoke dialup IPsec VPN does not initiate connection to hub after FG-VM HA failover in Azure. |
682420 | Dialup IPsec tunnel from Azure may not be re-established after HA failover. |
WiFi Controller
Bug ID | Description |
---|---|
609549 | In the CLI, the WTP profile for radio-2 802.11ac and 80 MHz channels does not match the syntax collection files. |
680503 | The current Fortinet_Wifi certificate will expire on 2021-02-11. |
Known issues:
DNS Filter
Bug ID | Description |
---|---|
582374 | License shows expiry date of 0000-00-00. |
Explicit Proxy
Bug ID | Description |
---|---|
540091 | Cannot access explicit FTP proxy via VIP. |
662931 | Browsers change default SameSite cookie settings to Lax, and Kerberos authentication does not work in transparent proxy. |
664548 | When the FortiGate is configured as an explicit proxy and AV is enabled on the proxy policy, users cannot access certain FTP sites. |
Firewall
Bug ID | Description |
---|---|
643446 | Fragmented UDP traffic is silently dropped when fragments have different ECN values. |
654356 | Traffic is not hitting the rule it should in policy-based NGFW mode. |
675353 | Security policy (NGFW mode) flow-based UTM logs are still generated when policy traffic log is disabled. |
FortiView
Bug ID | Description |
---|---|
628225 | Compromised Hosts has error 500 when FQDN is set in config log fortianalyzer setting. |
635309 | When choosing to view Compromised Hosts, FortiGate returns an error 500 when FQDN is set in config log fortianalyzer setting. |
GUI
Bug ID | Description |
---|---|
354464 | AntiVirus archive logging enabled from the CLI will be disabled by editing the AntiVirus profile in the GUI, even if no changes are made. |
514632 | Inconsistent reference count when using ports in HA session-sync-dev. |
529094 | When creating an anti-spam block/allowlist entry, Mark as Reject should be grayed out. |
535099 | The SSID dialog page does not have support for the new MAC address filter. |
541042 | Log viewer forwarded traffic does not support multiple filters for one field. |
584915 | OK button missing from many pages when viewed in Chrome on an Android device. |
584939 | VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-". |
602397 | FortiSwitch port page is noticeably slow for large topology. |
621254 | The address group search function in GUI does not load address if there is a high amount of addresses. |
623773 | Security Fabric page loads slowly after adding multiple devices to FortiTelemetry. |
650708 | When the client browser is in a different time zone from the FortiGate, the Guest Management page displays an incorrect expiry time for guest users. The CLI returns the correct expiry. |
655255 | FortiGuard resource retrieval delay causes GUI pages to respond slowly. Affected pages include: Firewall Policy, Settings (log and system), Explicit Proxy (web and FTP), System Global, and System CSF. |
667863 | GUI does not display FortiSwitch ports when multiple FortiLink interfaces are configured. |
HA
Bug ID | Description |
---|---|
540600 | The HA hello-holddown value is divided by 10 in the hatalk daemon, which makes the hello-holddown time 10 times less than the configuration. |
596551 | Syncing problem after restoring one VDOM configuration. |
609631 | Both nodes in HA simultaneous reboot when gtp-enhance-mode is enabled or disabled. |
652507 | Sessions with syn_ses flags are not synced after reboot. |
657376 | VLAN interfaces created on a different virtual cluster primary instead of the root primary do not sync. |
Intrusion Prevention
Bug ID | Description |
---|---|
565747 | IPS engine 5.00027 has signal 11 crash. |
586544 | IPS intelligent mode not working when reflect sessions are created on different physical interfaces. |
587668 | IPS engine 5.00035 has signal 11 crash. |
590087 | When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit. |
IPsec VPN
Bug ID | Description |
---|---|
566076 | IKED process signal 11 crash in an ADVPN and BGP scenario. |
631804 | OCVPN errors showing in logs when OCVPN is disabled. |
642543 | IPsec did not rekey when keylife expired after back-to-back HA failover. |
644780 | Rectify the consequences if password renewal on FortiClient is canceled. |
650599 | IKE HA sync truncates phase 2 options flags after the first eight bits. |
655895 | Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6). |
673049 | FortiGate not sending its external interface IP in the IKE negotiation (Google Cloud Platform). |
Log & Report
Bug ID | Description |
---|---|
606533 | User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI. |
654363 | Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode. |
677540 | First TCP connection to syslog server is not stable. |
Proxy
Bug ID | Description |
---|---|
603195 | Multiple WAD crashes with signal 11. |
620453 | Application WAD crash several times due to signal alarm. |
661063 | If a client sends an RST to a WAD proxy, the proxy can close the connection to the server. In this case, the relatively long session expiration (which is usually 120 seconds by default) could lead to session number spikes in some tests. |
675525 | No WAD sessions displayed when running diagnose wad filter. |
680651 | Memory leak when retrieving the thumbnailPhoto information from the LDAP server. |
REST API
Bug ID | Description |
---|---|
584631 | REST API admin with token unable to configure HA setting (via login session works). |
Routing
Bug ID | Description |
---|---|
537354 | BFD/BGP dropping when outbandwidth is set on interface. |
641928 | When BGP’s recursive next hop can be resolved by multiple routes, the recursive distance is not taken into account when installing the routes. Multiple ECMP paths can be installed with different recursive distances to the next hop. |
SSL VPN
Bug ID | Description |
---|---|
505986 | On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication. |
610905 | SSL VPN bypassing logon count limit with different case in user name. |
610995 | SSL VPN web mode gets error when accessing internal website at https://st***.st***.ca/. |
619296 | FortiGate reverts default values of text on buttons in SSL VPN log on page. |
628597 | Unable to load the SSL VPN bookmark internal website, https://fi***.co.nz. |
661290 | https://mo***.be site is non-accessible in SSL VPN web mode. |
666855 | FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients. |
Switch Controller
Bug ID | Description |
---|---|
588584 | GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM. |
605864 | If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting. |
System
Bug ID | Description |
---|---|
464340 | EHP drops for units with no NP service module. |
572847 | The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series. |
578031 | FortiManager Cloud cannot be removed once the FortiGate has trouble on contract. |
591078 | Get zip conf file failed -1 error message when doing cfg-save. |
600032 | SNMP does not provide routing table for non-management VDOM. |
607565 | Interface emac-vlan feature does not work on SoC4 platform. |
627629 | DHCP client sent invalid DHCPREQUEST format during INIT state. |
642005 | FortiGate does not send service-account-id to FortiManager via fgfm tunnel when FortiCloud is activated directly on the FortiGate. |
643033 | get system interface transceiver port1 should return RX power and TX power for all Ch0[1-4] with a 0 value or N/A when the admin port is down on one side and the link status is down. |
668856 | Offloaded traffic passing through two VDOMs connected with EMAC-VLANs is sometimes dropped. |
Upgrade
Bug ID | Description |
---|---|
658664 | FortiExtender status becomes discovered after upgrading from 6.0.10 (build 0365). Workaround: under config extender-controller extender, edit <id>, set admin enable, next, end. |
User & Device
Bug ID | Description |
---|---|
643583 | radius-vdom-override and accprofile-override do not work when administrator has 2FA enabled. |
VM
Bug ID | Description |
---|---|
587757 | FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type. |
596742 | Azure SDN connector replicates configuration from primary device to secondary device during configuration restore. |
605511 | FG-VM-GCP reboots a couple of times due to kernel panic. |
608881 | IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup. |
627106 | FG-VM64 console shows hw csum failure for VLAN interface on mlx5_core PF. |
640436 | FortiGate AWS bootstrapped from configuration does not read SAML settings. |
668625 | During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available. |
WiFi Controller
Bug ID | Description |
---|---|
638318 | FG-51E cannot authorize the FAP-C24JE. |
Vendor release notes: FortiOS 6.2.7
Best regards,
The B&B Team
Security in business