The vendor has released the latest update for FortiOS, version 6.4.11. The update fixes a problem with connections made over an L2TP tunnel, where devices running Android still had an active connection after disconnecting. In addition, since version 6.4.9, using DoS offload caused the npd processes to crash; this update resolves that problem. The update also corrects the display of IPsec VPN traffic statistics and fixes the diagnose hardware info diagnostic command, where the PSU power-supply data was displayed incorrectly. For more interesting details, read on to the rest of the post.
Currently supported models:

Product | Models |
---|---|
FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-400E-BP, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN |
FortiFirewall | FFW-3980E, FFW-4200F, FFW-4400F, FFW-VM64, FFW-VM64-KVM |
Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Resolved issues:
Explicit Proxy
Bug ID | Description |
---|---|
803228 | When converting an explicit proxy session to SSL redirect and if this session already has connected to an HTTP server, the WAD crashes continuously with signal 11. |
Firewall
Bug ID | Description |
---|---|
815565 | Unable to connect to the reserved management interface allowed by the local-in policy. |
HA
Bug ID | Description |
---|---|
664929 | The hatalk process crashed when creating a disabled VLAN interface in an A-P cluster. |
722703 | ISDB is not updating; last update attempt is stuck at an older date. |
779587 | When an authentication logon length is longer than the hasync packet length and there is a large number of logons, hasync is busy. |
788702 | Due to an HA port (Intel i40e) driver issue, not all SW sessions are synchronized to the secondary, so there is a difference. |
837200 | The hasync process is stuck with high CPU usage when a failover occurs, there is a large number of logons, and the authentication logon length is longer than hasync packet length. |
845572 | FGCP HA cannot synchronize because of a system.replacemsg-image checksum mismatch when upgrading from 6.2 to 6.4. |
Hyperscale
Bug ID | Description |
---|---|
763966 | FGSP synchronizes NP sessions of all VDOMs when syncvd is only set for hyperscale VDOM. |
771857 | VIP port forwarding (src-filter) does not work in a hyperscale policy. |
782674 | A few tasks are hung on issuing stat verbose on the secondary device. |
795853 | VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM. |
807476 | After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled. |
810025 | Using EIF to support hairpinning does not work for NAT64 sessions. |
839958 | service-negate does not work as expected in a hyperscale deny policy. |
IPsec VPN
Bug ID | Description |
---|---|
707086 | Packets with the DF bit set that do not need fragmentation are dropped with the message fragmentation required but not allowed. |
757696 | Implementing the route-overlap setting on phase 2 configurations brings tunnels down until a reboot is performed on the FGSP cluster. |
763205 | IKE crashes after HA failover when the enforce-unique-id option is enabled. |
830252 | IPsec VPN statistics are not increasing on the device. |
Proxy
Bug ID | Description |
---|---|
796910 | Application wad crash (Segmentation fault), which is the first crash in a series. |
822271 | Unable to access a website when deep inspection is enabled in a proxy policy. |
Routing
Bug ID | Description |
---|---|
822659 | Secure SD-WAN Monitor in FortiAnalyzer does not show graphs when the SLA target is not configured in SD-WAN performance SLA. |
830254 | When changing interfaces from dense mode to sparse mode, and then back to dense mode, the interfaces did not show up under dense mode. |
SSL VPN
Bug ID | Description |
---|---|
830824 | Veeam Backup Enterprise website has SSL VPN access problem in web mode. |
System
Bug ID | Description |
---|---|
622803 | L2TP tunnel is not removed after Android client VPN disconnects. |
675558 | SFP port with 1G copper SFP is always up. |
735492 | Many processes are in a "D" state due to unregister_netdevice. |
764954 | FortiAnalyzer serial number automatically learned from miglogd does not send it to FortiManager through the automatic update. |
766906 | Hardware logs sent to syslog server with an incorrect timestamp in hyperscale mode. |
800333 | DoS offload does not work in 6.4.9 and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite. |
801040 | Session anomaly was incorrectly triggered even though concurrent sessions on the FortiGate were below the configured threshold. |
809030 | Traffic loss occurs when running SNAT PBA pool in a hyperscale VDOM. The NP7 hardware module PRP got stuck, which caused the NP7 to hang. |
810583 | Running diagnose hardware deviceinfo psu shows the incorrect PSU slot. |
818452 | The ifLastChange SNMP OID only shows zeros. |
826440 | Null pointer causing kernel crash on FWF-61F. |
User & Authentication
Bug ID | Description |
---|---|
822684 | When multiple FSSO CA connections are configured at the same time, only the last configured FSSO connection comes up. |
VM
Bug ID | Description |
---|---|
761736 | FG-AWS failover does not trigger the elastic IP or route move during an upgrade if the HA connection between the active and passive node breaks for a few seconds and reconnects. |
WiFi Controller
Bug ID | Description |
---|---|
827902 | CAPWAP data traffic over redundant IPsec tunnels fails when the primary IPsec tunnel is down (failover to backup tunnel). |
831932 | The cw_acd process crashes several times after the system enters conserve mode. |
Vendor release notes: FortiOS 6.4.11
Regards,
The B&B Team
Security in Business