Fortinet has released a new version of FortiOS for the 6.4 family! Update 6.4.1 brings several new features, among them two-factor authentication for IKEv2 VPN for remote RADIUS and LDAP users, and additional information in the logs for users authenticated via a RADIUS server and in Wi-Fi client logs. It also fixes problems with VLANs attached to a FortiLink interface and with SSL VPN features that were not working correctly.
Currently supported models:
Platform | Models |
---|---|
FortiGate | FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-101E, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-61E |
FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN |
Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
New features and enhancements in version 6.4.1:
Bug ID | Description |
---|---|
613155 | Add two-factor authentication support to VPN IKEv2 for remote RADIUS and LDAP users. |
618812 | Populate source and destination user fields in traffic logs using RADIUS accounting information from authenticated RSSO users. |
621046 | FortiIPAM is a new IP address management service that helps manage IP addresses within a Security Fabric. FortiGates can use FortiIPAM to automatically assign IP addresses based on the configured network size for the FortiGate interface. The interface’s DHCP server settings can be automatically configured to offer addresses within the same subnet. |
623821 | For WiFi clients associated with a bridge SSID on a FortiAP that is connected to an Ethernet interface of a FortiGate, the DHCP Monitor widget can indicate the AP bridge and the SSID name in the Interface column of those clients' IP leases. In the CLI: `config wireless-controller vap`, `edit VAP01`, `set dhcp-option43-insertion {enable \| disable}`, `next`, `end`. By default, |
625063 | In a scenario where transferring the device to another FortiCloud/FortiCare account is needed, users cannot do this directly on the FortiGate GUI if they have credentials to access to both accounts. |
626075 | Support Signal Strength and Signal Strength/Noise values by WiFi client IPs in the logs. |
630238 | Allow configuration of up to 16 FGSP standalone peers in `system standalone-cluster`. |
Resolved issues:
Anti Virus
Bug ID | Description |
---|---|
582368 | URL threat detection version shows a large negative number after the FortiGate reboots. |
Data Leak Prevention
Bug ID | Description |
---|---|
582480 | scanunit crashes with signal 11 in dlpscan_mailheader when AV scans files via IMAP. |
611513 | DLP triggers scan unit watchdog timer and does not block the files. |
Explicit Proxy
Bug ID | Description |
---|---|
617934 | Web proxy should support forward server on TLS 1.3 certificate inspection connection. |
Firewall
Bug ID | Description |
---|---|
622045 | Traffic not matched by security policy when using service groups in NGFW policy mode. |
622258 | Move command in firewall service category does not work. |
FortiView
Bug ID | Description |
---|---|
615524 | FortiView > All Sessions should be supported as a standalone dashboard widget in navigation bar. |
GUI
Bug ID | Description |
---|---|
401862 | Monitor page displays incorrect virtual server entries for IPv6, VIP46, and VIP64; right-clicking gives an error. |
493819 | Reorder function on Authentication Rules page does not work. |
528145 | BGP configuration gets applied on the wrong VDOM if user switches VDOM selection in between operations (slow GUI). |
557786 | GUI response is very slow when accessing IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time). |
564849 | HA warning message "This FortiGate has taken over for the master" remains after the master takes back control. |
589709 | Status button in Tunnel column on IPsec Tunnels page should be removed. |
592854 | When editing a firewall address or address group created in the VPN wizard, invalid characters in the comments block submitting the change. |
594702 | When sorting the interface list by the Name column, the ports are not always in the correct order (port10 appears before port2). |
601568 | Interface status is not displayed on faceplate when viewed from System > HA page. |
607549 | GUI CMDB API to support case sensitive/insensitive filtering. |
611857 | Custom admin profile not showing logs as expected. |
614056 | Disabling the Idle Logout toggle on the SSL-VPN Settings page does not change the idle timeout setting, so the change does not persist after clicking Apply. |
617937 | Cannot add wildcard FQDN address into group in Edit SSL/SSH Inspection Profile page. |
622510 | Page gets stuck and message field is blank when doing policy lookup with a non-IP protocol. |
623939 | Interface bandwidth widgets for WAN, PPPoE and VDOM link interfaces are not loading. |
624551 | On POE devices, several sections of the GUI take over 15 seconds to fully load. |
625747 | Server certificate does not load into IPS after configuring SSL inspection profile in replace mode. |
628373 | Software switch members and their VLANs are not visible in the GUI interfaces list. |
631734 | GUI not displaying PoE total power budget on FOS 6.2.3. |
634677 | User group not visible in GUI when editing the user with a single right-click. |
HA
Bug ID | Description |
---|---|
610324 | HA sync has high CPU due to large number of IPv6 routes. |
620093 | Connectivity issue between Azure App and MySQL server. FortiGate is marking the SYN packet with ECN=CE flag. |
621583 | HA cannot display status in GUI when heartbeat cables reconnect. |
621621 | Ether-type HA cannot be changed. |
623642 | It takes up to 10 seconds to get NPU VDOM link up when rebooting master unit. |
626715 | Out of sync issue caused by firewall address group member is either duplicated or out of order. |
Intrusion Prevention
Bug ID | Description |
---|---|
622741 | Traffic was blocked during the test with flow UTMs enabled. |
IPsec VPN
Bug ID | Description |
---|---|
610558 | ADVPN cannot establish after primary ISP has recovered from failure and traffic between spokes is dropped. |
622506 | L2TP over IPsec tunnel establishes but traffic cannot pass because wrong interface gets in route lookup. |
623238 | ADVPN shortcut cannot establish if both spokes are behind NAT. |
631804 | OCVPN errors showing in logs when OCVPN is disabled. |
631968 | IKE daemon signal 6 crash when phase1 add-gw-route is enabled. |
Log & Report
Bug ID | Description |
---|---|
608187 | Five fields (`devtype`, `devcategory`, `mastersrcmac`, `srcmac`, `srcserver`) are not included in the traffic log. |
611778 | FG-AWS unable to view log from FortiAnalyzer. |
616485 | Log ID 20114 missing in FGT_log_reference.xml and text.html. |
622954 | Inconsistent log output relating to the local-in policy. |
628358 | Logs are not generated in GUI and CLI after checking the file system (after power cable disconnected). |
Proxy
Bug ID | Description |
---|---|
578850 | Application WAD crash several times due to signal alarm. |
601493 | ISDB static route cannot be active for proxy policy. |
612333 | In FortiGate with squid configuration (proxy chain), get ERR_SSL_PROTOCOL_ERROR when using Google Chrome with certificate/deep inspection. |
615791 | Abbreviated handshake randomly receives fatal illegal_parameter against zendesk.com services/sites. |
616577 | WAD failed to do an error handling for bypass case. |
617099 | WAD crashes every few minutes. |
617373 | AV profiles block WSUS service. |
619637 | In transparent proxy policy with authentication on corporate firewall, it shows Access Denied after authentication. |
620453 | Application WAD crash several times due to signal alarm. |
621787 | Application WAD crash several times. |
623108 | FTP-TP reaches high memory usage and triggers conserve mode. |
623213 | Firewall does not handle 308 redirects properly for threat feed list. |
624245 | WAD crashes when all of these conditions are met: policy is doing deep inspection, SNI in client hello is in the exempt list, server certificate CNAME is not in the exempt list. |
Routing
Bug ID | Description |
---|---|
537354 | BFD/BGP dropping when outbandwidth is set on interface. |
580207 | Policy route does not apply to local-out traffic. |
608289 | Make SD-WAN a security zone by itself. |
616483 | Policy route should not kick in for destination `exclude-member`. |
617906 | With multiple PPPoE links, local traffic to a link will cause RPF check fail if priority of the route is higher than the distance. |
619343 | Cannot ping old VRIPs when adding new VRIPs. |
625345 | The single BGP update message contains the same prefix in withdrawn routes and NLRI (advertised route). |
626549 | SD-WAN rules created using ISDB do not match/forward via the correct interface. |
627901 | `set dscp-forward` option is missing when using maximize bandwidth strategy in SD-WAN rule. |
629521 | SD-WAN IPv6 default route cannot be redistributed into BGP using `set default-originate-routemap6`. |
Security Fabric
Bug ID | Description |
---|---|
609182 | Security Fabric Settings page sometimes cannot load FortiSandbox URL threat detection version despite FortiSandbox being connected. |
619696 | Automation stitch traffic is sent via mgmt with ha-direct to AWS Lambda after upgrading from 6.0.9 to 6.2.3. |
622032 | SSH as automation action is not working as expected. |
623689 | CSF branch FortiGate cannot successfully connect/verify certificate with remote EMS server. |
SSL VPN
Bug ID | Description |
---|---|
556314 | SSL VPN group bookmarks shown only for the first matched policy. |
602480 | Use jQuery to customize FortiGate SSL VPN log in page. |
604402 | SSL VPN web access prompts for certificate authentication irrespective of realm. |
607413 | SMB/CIFS bookmark name gets scrambled if it contains special characters like space, backslash, colon, etc. |
608453 | Internal website is not accessible from SSL VPN due to some Sage X3 JS files with errors. |
609358 | Host check related settings should not be skipped when IPv6 tunnel mode is enabled. |
610564 | RDP over web mode SSL VPN to a Windows Server changes the time zone to GMT. |
610905 | SSL VPN bypassing logon count limit with different case in user name. |
611190 | SSL VPN SNI realm check does not work as expected when accessing non-specified SNI. |
612540 | SSL VPN web mode has problem accessing EPX website. |
613612 | Important GUI pages in 6.4.0 are not rendered well by SSL VPN portal. |
615453 | Web socket using socket.io could not be established through SSL VPN web mode. |
616189 | Cannot access, read, or download SharePoint 2019 or OneDrive documents; times out. |
616429 | Local user assigned with FortiToken cannot log in to SSL VPN web/tunnel mode when password change is required. |
616879 | Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer. |
617170 | https://outlook.office365.com cannot be accessed in SSL VPN web portal. |
619296 | FortiGate reverts default values of text on buttons in SSL VPN log on page. |
619369 | SSL VPN web mode has access problem for engage.leithaeusl website. |
619914 | Split-tunnel information is not recognized by legacy FortiClient SSL VPN Linux tool. |
620221 | File downloaded from SFTP server of SSL VPN portal is sometimes falsified. |
621270 | SSL VPN user groups are corrupted in auth list when the user is a member of more than 100 groups. |
622068 | Adding FQDN routing address in split tunnel configuration injects single route in client for multiple A records. |
622871 | SSL VPN web mode not displaying full customer webpage after logging in. |
623231 | Pages could not be shown after logging in to back-end application server. |
624145 | An internal website via SSL VPN web portal failed to load an external resource. |
624197 | SSL VPN web mode does not completely load the redirected corporate SSO page when accessing an internal resource. |
624288 | After SSL VPN proxy, one JS file runs with error. |
624477 | FortiClient SSL VPN split tunnel is not working from macOS Catalina. |
624904 | The Saudi Arabian Airlines website is not shown properly in SSL VPN web mode. |
625301 | Riverbed SteelCentral AppResponse login form is not displaying in SSL VPN web mode. |
625338 | sslvpnd crashing with signal 7 on get_free_idx. |
625554 | SSL VPN connection was used when the DTLS UDP packet process failed and connection was destroyed. |
626237 | SAP portal link is not working in SSL VPN web mode. |
626351 | Online Excel file could not be displayed in SSL VPN web mode. |
626816 | In web mode, after entering the username/password in back-end application server, logging in, and waiting for a while, the URL automatically changes to a direct connection to the back-end. |
627456 | Traffic cannot pass when SAML user logs in to SSL VPN portal with group match. |
Switch Controller
Bug ID | Description |
---|---|
613323 | FortiSwitch trunk configuration sync issue after FortiGate failover. |
622812 | VLANs on a FortiLink interface configured to use a hardware switch interface may fail to come up after upgrading or rebooting. |
System
Bug ID | Description |
---|---|
583472 | When system is in an extremely high memory usage state (~90%), a power supply status "Power supply 1 AC is lost" might be mistakenly logged. |
585053 | NP6 VLAN LACP-based interface RX/TX counters not increasing. |
589792 | Slave members of a redundant interface process frames creating duplicates when NP6 offload is enabled. |
594871 | Potential memory leak triggered by FTP command in WAD. |
600560 | SMC time has big drift after running a long time without rebooting. |
610900 | Low throughput on FG-2201E for traffic with ECN flag enabled. |
611512 | When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE. |
613136 | Uninitialized variable that may potentially cause httpsd signal 6 and 11 crash issue. |
615168 | Traffic with priority field fails to traverse NP6 shaper. |
615435 | Crashes might happen due to CMDB query allocation failure causing a segmentation fault. |
615451 | Empty VIP groups allowed when restoring a configuration file. |
617154 | Fortinet_CA is missing in FG-3400E. |
617409 | The FG-800D HA LED is off when HA status is normal. |
619023 | Proxy ARP configuration not loaded after interface shut/not shut. |
619234 | Purge policy is very slow when the number of policies is close to the maximum. |
623113 | FortiGate not entering A records in shadow DNS database for cross-subdomain CNAME requests. |
625053 | TCP SYN-ACK sent to different gateway when proxy-based UTM profiles are used. |
628124 | `source-ip` under `system fortiguard` is not taken for directregistration.fortinet.com when using Register with FortiCare window. |
636069 | Unable to handle kernel NULL pointer dereference at 000000000000008f. |
630658 | Auto-script output file size over 400 MB when configured output size is default 10 MB. |
Upgrade
Bug ID | Description |
---|---|
615972 | After upgrading from 6.2.2 to 6.2.3, the description field in the table has disappeared under DHCP reservation. |
User & Authentication
Bug ID | Description |
---|---|
544035 | Sessions authenticated by email time out by the policy timeout, which is much shorter than the timeout used by email/MAC authentication in the original pre-6.0 behavior. |
591170 | Sessions are removed from session table when FSSO group order is changed. |
604906 | FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2. |
605437 | FortiOS does not understand CMPv2 grantedWithMods response. |
609655 | Captive portal exemption after upgrading the device from 6.2.2 to 6.2.3. |
620097 | Persistent sessions for de-authenticated users. |
620941 | Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to push notification delay. |
621161 | src-vis crashes on receipt of certain ONVIF packets. |
624328 | Fix IoT daemon segfault crashes. |
626532 | fnbamd is not sending Calling-Station-Id in Access-Request for L2TP/IPsec since 5.4.0. |
627144 | Remote admin LDAP user login has authentication failure when the same LDAP user has local two-factor authentication. |
VM
Bug ID | Description |
---|---|
606527 | GUI and CLI interface dropdown lists are inconsistent. |
613730 | Unable to update routing table for a resource group in a different subscription for Azure SDN. |
622031 | azd keeps crashing if Azure VM contains more than 15 tags. |
623376 | Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under `vdom-exception`. |
624657 | Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces. |
VoIP
Bug ID | Description |
---|---|
620742 | RAS helper does not NAT the port 1720 in the callSignalAddress field of the RegistrationRequest packet sent from the endpoint. |
630024 | voipd crashes repeatedly. |
Web Filter
Bug ID | Description |
---|---|
612217 | Remove XOR from FortiGuard communications from URL filter, spam filter, and AV query. |
616162 | Custom replacement message is not shown when using web filter. |
616681 | Separate file filter into its own profile. |
618153 | FSSO users cannot proceed on web filter warning page in flow-based inspection. |
620803 | Group name missing on web filter warning page in proxy-based inspection. |
621807 | Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering rating service. |
625897 | Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering rating service. |
WiFi Controller
Bug ID | Description |
---|---|
604853 | Only the first Fortinet-Group-Name VSA is evaluated in authorized firewall WSSO users. |
618456 | High cw_acd usage upon polling a large number of wireless clients with REST API. |
Known issues to be resolved:
Endpoint Control
Bug ID | Description |
---|---|
618718 | `set certificate` configuration missing in `config endpoint-control fctems` after rebooting. |
FortiView
Bug ID | Description |
---|---|
639109 | Top Countries/Regions by Bytes widget keeps trying to load. |
Log & Report
Bug ID | Description |
---|---|
637117 | Incomplete log field returned from CEF formatted syslog message. |
Switch Controller
Bug ID | Description |
---|---|
607753 | CAPWAP is not updated to be a Fabric connection after upgrading from 6.4.0 Beta1 build 1519 to build 1538. |
621785 | `user.nac-policy[].switch-scope` may contain a data reference to `switch-controller.managed-switch`. When this reference is set by an admin, they need to remove this reference prior to deleting the `managed-switch`. |
System
Bug ID | Description |
---|---|
587824 | Member of virtual WAN link lost after upgrade if management interface is set `dedicated-to management` before. |
Upgrade
Bug ID | Description |
---|---|
618809 | Boot up may fail when downgrading from FOS 6.4.0 to 6.2.3. |
User & Authentication
Bug ID | Description |
---|---|
606327 | FTM push return traffic (mobile device to FortiGate) has TLS handshake failure; same device with 6.2.3 GA is OK. |
VM
Bug ID | Description |
---|---|
639258 | Autoscale GCP health check is not successful (port 8443 HTTPS). |
WiFi Controller
Bug ID | Description |
---|---|
638537 | Applications, Destinations, and Policies keep trying to load for WiFi client’s Diagnostics and Tools. |
FortiOS 6.4.1 – Release Notes
Best regards,
The B&B Team
Security in Business