Fortinet has released a new version of FortiOS for the 6.4 family!
The 6.4.2 update is a nod to the F-series models (FG-40F, FG-100F), as this firmware version supports that series of devices. The new version brings more than a dozen "minor" features and improvements, for example the ability to configure automation with the Quarantine via FortiNAC action when setting triggers for a Compromised Host or an Incoming Webhook. When the automation is triggered, the client PC is quarantined, with its MAC address disabled in the configured FortiNAC.
In addition, support was added for configuring a FortiSwitch to send multiple RADIUS attribute values within a single access request, and for configuring explicit congestion notification (ECN) on a managed FortiSwitch. Also worth noting is the fix for a vulnerability that allowed two-factor authentication to be bypassed when a user logs in to SSL VPN!
Currently supported models:
Platform | Models |
---|---|
FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-61E |
FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-AZUREONDEMAND, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN |
Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
New features and enhancements in 6.4.2:
Bug ID | Description |
---|---|
480717 | Add config system dedicated-mgmt to all FortiGate models with mgmt, mgmt1, and mgmt2 ports. |
556054 | With the newly-added compression methods used in the CIFS messages, FortiGates can now scan these compressed messages in proxy mode. |
573076 | FortiGate generates a UUID for every managed FortiAP (WTP entry). A new BLE profile, `fortiap-discovery`, can facilitate iBeacon UUID deployment over FortiAP devices. |
596002 | Add two new tables to the FortiOS enterprise MIB: FgSwDeviceEntry for details about connected FortiSwitches and FgSwPortEntry for port related information. |
596870 | Add kernel support for the IEEE 802.1ad (QinQ) standard. Previously, the 802.1Q standard allowed a single VLAN header to be inserted into an Ethernet frame. This new feature allows one more VLAN tag to be inserted into a single frame. |
597301 | Display information about autoscale members in the GUI and CLI, such as their serial number, IP address, instance ID, and transit gateway (AWS only). |
600037 | BSS coloring support on FAP-U431F/U433F (802.11ax AP). |
608557 | Support proxy server for push service. |
610596 | Users can define IPv6 MAC addresses and apply them in a firewall policy, virtual wire pair policy, and other policy types. |
610990 | Add IPv6 only and IPv4v6 dual stack support for GTPv1 and GTPv2 on FortiOS Carrier. |
614924 | Users can configure automation with the Quarantine via FortiNAC action when setting triggers for Compromised Host or Incoming Webhook. When the automation is triggered, the client PC will be quarantined with its MAC address disabled in the configured FortiNAC. |
617640 | Add new filter keys servicetag and region in Azure SDN connector to filter out IP ranges of service tags. This can be applied to dynamic firewall addresses. |
620994 | For FortiAP models with three radios, spectrum analysis can be performed on the third radio on all channels from the 2.4 GHz and 5 GHz bands. On FortiAPs with two radios operating in AP mode, spectrum analysis can be performed on operating channels. |
621714 | For the purpose of communicating timing precision between two ends, transparent clock can be enabled to measure the overall path delay. This feature allows the FortiGate to configure this setting for supported FortiSwitch models. |
621742 | Add support to configure the FortiSwitch to send multiple RADIUS attribute values within a single RADIUS access request. |
621746 | Support explicit congestion notification (ECN) configuration for managed FortiSwitch. |
621757 | Add support to configure switch ports to enable inter-operability with rapid PVST+ on managed FortiSwitches. |
622291 | Health metrics calculations are standardized in the backend, and consistent colors are used to represent good, fair, and poor metrics. In addition, the health data is now available through a REST API. |
623821 | For WiFi clients associated with a bridge SSID on a FortiAP that is connected to an Ethernet interface of a FortiGate, the DHCP Monitor widget can indicate the AP bridge and the SSID name in the Interface column of those clients' IP leases. In the CLI: `config wireless-controller vap`, `edit VAP01`, `set dhcp-option43-insertion {enable | disable}`, `next`, `end`. By default, |
629530 | Support running BYOL FortiGate VMs on IBM Cloud platform. |
630238 | Allow configuration of up to 16 FGSP standalone peers in `system standalone-cluster`. |
631818 | Add new OIDs to support SNMP queries for IPv4 and IPv6 IPsec tunnels, and SNMP queries for license details. |
635717 | Monitoring FortiAP antenna (per Rx chain) status and logging wireless events upon antenna defect detection. |
635795 | The ARRP profile improves upon DARRP by enabling more factors to be considered for optimizing channel selection among FortiAPs. |
637946 | Replace previous slide-out terminal with a full page masking terminal. Allow admins to open multiple CLI consoles that can be minimized. |
638975 | SD-WAN and policy route now allow users to choose the device MAC address object as source. In addition, the FABRIC_DEVICE object can also be used in SD-WAN and policy route. |
639590 | In NGFW mode application control logs will be generated when an application, application category, or application group is selected on a security policy and log traffic is set to UTM or all. In addition, when one signature is accepted under the security policy, all child signatures are assessed and logged correspondingly. |
640320 | Add FortiAP platform support for FAP-231F. |
641152 | New bandwidth-limited VM licenses allow VM deployments with limited bandwidth usage per interface. Dedicated management interfaces are exempt from calculation. |
642898 | The following options are configurable in the flow-based web filter security profile in NGFW policy mode, and they can be applied to a security policy: |
643616 | Support FortiAP to query FortiGuard IoT service through FortiGate to determine device details. |
643912 | Sometimes it is necessary to map a VIP to an FQDN address. This setting can now be configured from the GUI. |
644049 | Enhancements to multiple pre-shared key per SSID include the ability to batch generate or import MPSK keys, export keys to CSV, dynamically assign VLANs based on the MPSK used, and to apply an MPSK schedule in the GUI. |
645140 | Tunnel ID is added to traffic logs and GTP logs for GTP related traffic in order to correlate the sessions. |
648568 | In addition to the servers added in 6.4.0, FortiGuard servers for GeoIP, DDNS, and FortiToken Mobile registration now support third-party CA signed certificates with OCSP stapling. |
648604 | For user location information (ULI) in GTP, it may contain more than one identity of different type. This log enhancement displays all identity information in GTP logs. |
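Item 596870 above adds kernel support for IEEE 802.1ad (QinQ), i.e. a second VLAN tag stacked in front of the 802.1Q tag. The script below is an added illustration of what that extra header looks like on the wire; it is not FortiOS code and not part of Fortinet's release notes. It builds Ethernet frames with zero, one or two stacked tags and parses them back, and it models a parser that only understands a single 802.1Q tag to show why such a parser misreads a QinQ frame (the outer S-tag TPID 0x88A8 looks like an unknown EtherType, so the real payload is never reached). The MAC addresses, VLAN IDs and payload are constructed sample values.

```python
"""Build and parse Ethernet frames with 802.1Q and 802.1ad (QinQ) VLAN tags.

Added illustration for the QinQ kernel-support item (bug ID 596870); this is
not FortiOS code. MAC addresses, VIDs and payload below are constructed.
"""
import struct

ETH_P_8021Q = 0x8100    # C-TAG TPID defined by IEEE 802.1Q
ETH_P_8021AD = 0x88A8   # S-TAG TPID defined by IEEE 802.1ad (provider bridging)
ETH_P_IPV4 = 0x0800
VLAN_TPIDS = frozenset({ETH_P_8021Q, ETH_P_8021AD})


def vlan_tag(tpid, vid, pcp=0, dei=0):
    """Encode one 4-byte VLAN tag: 16-bit TPID followed by the 16-bit TCI.

    TCI layout: 3-bit PCP (priority), 1-bit DEI, 12-bit VID.
    """
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits and DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst_mac, src_mac, payload, ethertype=ETH_P_IPV4, tags=()):
    """Assemble dst/src MAC, the tag stack (outermost first), EtherType, payload.

    An 802.1Q frame carries one tag; an 802.1ad (QinQ) frame stacks an S-tag in
    front of the C-tag, which is the extra header the kernel now understands.
    """
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for tpid, vid in tags:
        hdr += vlan_tag(tpid, vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame, tpids=VLAN_TPIDS, max_tags=2):
    """Return (dst_mac, src_mac, [(tpid, vid), ...], ethertype, payload).

    Walks the tag stack while the next EtherType is a recognised TPID and the
    tag budget is not exhausted. A legacy 802.1Q-only parser is modelled by
    passing tpids={ETH_P_8021Q} and max_tags=1.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[0:6].hex(), frame[6:12].hex()
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated EtherType")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in tpids or len(tags) >= max_tags:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((etype, tci & 0x0FFF))
        off += 4
    return dst_mac, src_mac, tags, etype, frame[off + 2:]


def qinq_demo():
    """Constructed sample: provider S-VLAN 100 wrapping customer C-VLAN 200.

    Returns the QinQ-aware parse and the 802.1Q-only parse of the same frame.
    """
    frame = build_frame("001122334455", "66778899aabb", b"\x45\x00\x00\x14",
                        tags=[(ETH_P_8021AD, 100), (ETH_P_8021Q, 200)])
    modern = parse_frame(frame)
    legacy = parse_frame(frame, tpids={ETH_P_8021Q}, max_tags=1)
    return modern, legacy


if __name__ == "__main__":
    modern, legacy = qinq_demo()
    # The QinQ-aware parser sees both tags and reaches the IPv4 EtherType;
    # the 802.1Q-only parser sees no tags and stops at the S-tag TPID (0x88A8).
    print("QinQ-aware :", modern[2], hex(modern[3]))
    print("802.1Q-only:", legacy[2], hex(legacy[3]))
```

The practical check this gives you: any inspection path that stops at the first unrecognised EtherType (older kernels, a home-grown sniffer, a filter written for single-tagged traffic) will classify double-tagged frames as "non-IP" and may let them through without policy evaluation, which is exactly the gap native QinQ support closes.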
Resolved issues:
Anti Spam
Bug ID | Description |
---|---|
497024 | Flow mode banned word spam filter log is missing the banned word. |
Anti Virus
Bug ID | Description |
---|---|
560044 | Secondary device blades occasionally report critical log event `Scanunit initiated a virus engine/definitions update`. Affected models: FG-5K, 6K, and 7K series. |
607432 | 500 internal error for some PDFs with AV applied. |
615805 | Device goes into conserve mode due to large files. |
635535 | Scanunit crashes with signal 14 at `sys_fortiuser_cmd > get_iprope_mem_conserve`. |
Application Control
Bug ID | Description |
---|---|
630075 | After upgrading, FortiGate faced an internet access issue when IPS and AC profiles are enabled and the outgoing interface is an npu_vlink. |
Data Leak Prevention
Bug ID | Description |
---|---|
629713 | DLP filters not matching in order if a file-type filter is configured. |
DNS Filter
Bug ID | Description |
---|---|
511729 | Domain filter entries whose action is set to allow should not be logged. |
613024 | DNS logs do not contain response code. |
Endpoint Control
Bug ID | Description |
---|---|
640142 | FortiOS 6.4 cannot verify EMS cloud certificate. |
Explicit Proxy
Bug ID | Description |
---|---|
634515 | HTTP 1.1 host header is lost in FortiGuard web proxy requests. |
File Filter
Bug ID | Description |
---|---|
627795 | In flow mode, file filter log can show the file type, but when in proxy inspection mode, it only shows unknown file type. |
Firewall
Bug ID | Description |
---|---|
590039 | Samsung OEM internet browser cannot connect to FortiGate VS/VIP. |
595949 | Any changes to the security policy table causes the hit count to reset. |
596633 | In NGFW mode, IPS engine drops RPC data channel when IPS profile is applied to a security policy. |
606962 | Timeout value is not reflected correctly to a new session when changing timeout value for system session-ttl on FortiGate-HV. |
628841 | Internet service entry not detected due to some IP ranges being duplicated. |
633856 | Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used. |
635007 | Updates causing conserve mode. |
643841 | DCE RPC helper cannot parse fragmented EPM packet. |
644638 | Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor. |
644865 | Query string parameters omitted (HTTP redirect, SSL offloading). |
645075 | Real server byte counter resetting. |
FortiView
Bug ID | Description |
---|---|
573138 | When the data source is FortiGate Cloud, there is no paging to load sessions; only entries 1-499 are rendered. |
615524 | FortiView > All Sessions should be supported as a standalone dashboard widget in navigation bar. |
639109 | Top Countries/Regions by Bytes widget keeps trying to load. |
640759 | Unable to filter FortiView sessions in FortiOS 6.4.x. |
GUI
Bug ID | Description |
---|---|
513694 | User cannot log in to GUI when password change is required and has pre-login or post-login banner enabled or FIPS mode. |
516031 | The following behaviors regarding security profiles have changed: |
528145 | BGP configuration gets applied on the wrong VDOM if user switches VDOM selection in between operations (slow GUI). |
541042 | Log viewer Forward Traffic cannot support double negate filter (client-side issue). |
547697 | Inconsistency/confusion regarding Hostname field in FortiOS web filter log. |
567936 | Saved SMS phone number is missing + for country code. |
577991 | Dotted line shown between FortiGate and second tier switch in Managed FortiSwitch topology. |
592073 | LED indications for FortiSwitch ports do not auto-reflect the changes made on PoE. |
594534 | GUI shows Invalid LDAP server error while LDAP query successfully finished. |
594702 | When sorting the interface list by the Name column, the ports are not always in the correct order (port10 appears before port2). |
594991 | New service group for explicit proxy could not be saved from GUI. |
601568 | Interface status is not displayed on faceplate when viewed from System > HA page. |
601879 | Get The web page cannot be found error after factory reset. |
604682 | GUI takes two minutes to load VPN > IPsec Tunnels for 1483 tunnels. |
605030 | Send Logs to FortiCloud and Cloud Logging options not available in GUI for FG-900D. |
605496 | Configured overlapped subnet on GUI still shows error message after enabling subnet overlap. |
606967 | One-time schedules are not displayed correctly in Safari browser. |
607296 | Firewall address keeps loading addresses with read-write permission. |
607549 | GUI CMDB API to support case sensitive/insensitive filtering. |
612236 | RADIUS test in GUI does not use configured authentication method and test fails. |
615267 | In Firefox, SAML SSO admin cannot create additional SSO admins or normal admins via the GUI. |
616878 | DHCP relay IP address not showing on Network > Interfaces page for VLAN interface. |
618379 | Option for TLS in Fortinet FSSO connector does not change port to CA TLS port 8001. |
618617 | CLI parser error: shaper-profile default class with 0% bandwidth guarantee only possible in GUI. |
620854 | GUI should not add speed to virtual switch member port (FG-101F). |
621902 | Default gateway address of DHCP server setting does not follow the interface address when Same as Interface IP is selected. |
623109 | IPS Filter Details column is empty when All is used. |
623939 | Interface bandwidth widgets for WAN, PPPoE and VDOM link interfaces are not loading. |
624050 | FortiGuard page does not open with custom read-write permission in the account profile (403 forbidden error). |
624551 | On POE devices, several sections of the GUI take over 15 seconds to fully load. |
624662 | CLI panel allows read-only managed device to be configured by read-only admin. |
628373 | Software switch members and their VLANs are not visible in the GUI interfaces list. |
629139 | Security Rating reports should not run as a dependent of Topology reports on downstream FortiGates. |
630638 | Add a warning when Capture Packets is enabled in policy dialog. |
631734 | GUI not displaying PoE total power budget on FOS 6.2.3. |
633937 | GUI is not displaying DHCP configuration if the interface name includes the \ character. |
634677 | User group not visible in GUI when editing the user with a single right-click. |
635538 | In FortiGate SAML authentication with Azure AD, SP configuration is grayed-out in the GUI. |
638034 | Ctrl + V does not paste command in GUI CLI console and Ctrl + C does not copy selected output in CLI console. |
638277 | Firewall address group object (including interface subnet) is invisible in Accessible Networks. |
638615 | SSO admin cannot open CLI console. |
638911 | IPS and application control actions cannot be modified to Quarantine. |
639129 | IPsec aggregate is not shown in Dashboard > Network > IPsec widget. |
639163 | GUI does not show user group information on firewall user widget. |
639288 | No historical sessions can be displayed when FortiView widget opens from Show in FortiView. |
639542 | The Edit pane for PAC File Content on the Explicit Proxy page cannot be opened. |
642028 | On some platforms (FG-60E-61E/81E), the CLI console in the GUI may not function immediately after bootup. |
642402 | LCP-1250RJ3SR-K transceiver shows a warning in the GUI even though it is certified. |
644999 | Fortinet-sold active direct attached cable (SP-CABLE-ADASFP+) is showing as not certified by Fortinet. |
HA
Bug ID | Description |
---|---|
595340 | hasync process consuming 80-95% CPU. |
609631 | Simultaneous reboot of both nodes in HA when gtp-enhance-mode enabled or disabled. |
627610 | When HA primary device is down, a time synchronization with NTP servers will be disabled after failback. |
627851 | After the HA peer node has been replaced, need a way to reset the HA health status back to OK. |
630070 | HA is failing over with crashes. |
631342 | FG-100D HA active-passive mode not syncing. |
634604 | SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C. |
637843 | HA secondary device is reporting multiple events (DDNS update failed). |
638287 | private-data-encryption causes cluster to be periodically out of sync due to customer certificates. |
639307 | Both primary and secondary consoles keep printing `get_ha_sync_obj_sig_4dir: stat /etc/cert/ca/5c44d531.0 error 2`. |
640428 | SSL VPN related auth login user event logs do not require HA to be in sync. |
643958 | Inconsistent data from FFDB caused several confsyncd crashes. |
645293 | traceroute not working in asymmetric FGSP environment. |
645387 | HA pingsvr is in up state in spite of lnkmtd showing it as being in die state. |
648073 | HA cluster uses physical port MAC address at the time of HA failover. |
Intrusion Prevention
Bug ID | Description |
---|---|
582936 | IPS traffic log and PCAP archive do not match. |
595062 | SSL offloading randomly does not work when UTM (AV/IPS) is enabled in firewall policy. |
617588 | Unable to open TCP application via IPsec tunnel when np-accel-mode is enabled. |
631381 | RDP NLA authentication blocked by FortiGate when enabling IPS profile in the security group (central NAT). |
638235 | Some IPS logs do not include direction field. |
IPsec VPN
Bug ID | Description |
---|---|
516029 | Remove the IPsec global lock. |
610203 | Packet loss on IPsec tunnel. |
622959 | FortiGate does not send framed IPv6 address in RADIUS accounting records. |
631804 | OCVPN errors showing in logs when OCVPN is disabled. |
631968 | IKE daemon signal 6 crash when phase1 add-gw-route is enabled. |
634883 | IKE crashes at `ike_hasync__xauth`. |
635325 | Static route for site-to-site VPN remains active even when the tunnel is down. |
645196 | IPsec routes are restored to the routing table automatically for tunnels that are not connected. |
Log & Report
Bug ID | Description |
---|---|
589782 | IPS sensor log-attack-context output truncated. |
605405 | IPS logs are recorded twice with TCP offloading on virtual server. |
607449 | Log searches being conducted in a FortiGate for logs stored on a FortiAnalyzer are only sent as case-sensitive. |
630769 | miglogd crashes when the FortiGate does a weekly log purge. |
634947 | rlogd signal 11 crashes. |
635013 | FortiOS gives wrong time stamp when querying FortiGate Cloud log view. |
637117 | Incomplete log field returned from CEF formatted syslog message. |
639807 | PBA logs show only 0 or 1 duration in logs; cannot answer data requests from law enforcement. |
641450 | miglogd processes bound to busy CPUs even though there are other completely idle CPUs available. |
Proxy
Bug ID | Description |
---|---|
586281 | WAD memory corruption. |
603195 | Multiple WAD crashes with signal 11. |
623108 | FTP-TP reaches high memory usage and triggers conserve mode. |
624245 | WAD crashes when all of these conditions are met: policy is doing deep inspection, SNI in client hello is in the exempt list, server certificate CNAME is not in the exempt list. |
631542 | WAD signal 11 crash logs SSL/TLS errors and disconnects with the OCSP stapling. |
633175 | WAD crash observed, `wad_http_pattern_match_response + 0x0045`, on FG-80E-POE during regression testing. |
636508 | FortiGate blocks traffic in transparent proxy policy, even if the traffic matches the proxy address. |
637389 | The WAD process is crashing multiple times. |
640427 | Web proxy WAD crash under WAN Opt auto-active mode. |
643725 | The IMAP proxy crashes with signal 7 (SIGBUS). |
645943 | Memory usage spike (all WAD workers) without bandwidth spike. |
Routing
Bug ID | Description |
---|---|
624621 | Log traffic to remote servers does not follow SD-WAN rules. |
627951 | NTP and FSSO not following SD-WAN rules. |
628896 | DHCP relay to follow SD-WAN rules. |
633463 | DRother firewall in OSPFv3 generates a `neighbor state is less than Exchange` log for the LSA update from a DRother neighbor. |
633600 | BGP hold time and keepalive timers are not updated on spokes after changing on the hub side. |
635716 | FortiGuard web filter traffic also needs to follow SD-WAN service. |
639834 | Inconsistency in source IP-based ECMP for IPv6. |
641022 | Multiple duplicate routes in kernel causing conserve mode. |
641928 | Wrong behavior with SD-WAN routing on FG-60F. |
646418 | SD-WAN information available in session list is confusing. |
Security Fabric
Bug ID | Description |
---|---|
619696 | Automation stitch traffic is sent via mgmt with ha-direct to AWS Lambda after upgrading from 6.0.9 to 6.2.3. |
622032 | SSH as automation action is not working as expected. |
626691 | FG-60F unable to join Security Fabric, unknown CA. |
631607 | CSF root FortiGate cannot listen to loopback interface. |
641006 | Automation stitch causes HA sync failure. |
SSL VPN
Bug ID | Description |
---|---|
505986 | On IE 11, SSL VPN web portal displays blank page titled {{::data.portal.heading}} after authentication. |
573853 | TX packet drops on SSL root interface. |
604772 | SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated. |
608464 | Get 305 error when browsing website through SSL VPN web mode bookmark and sslvpnd crashes. |
611498 | SMB/CIFS traffic via SSL VPN web mode not using correct SNAT IP (IP pool). |
613612 | Important GUI pages in 6.4.0 are not rendered well by SSL VPN portal. |
620508 | CLI command get vpn ssl monitor displays users from other VDOM. |
622110 | SSL VPN disconnected when importing or renaming CA certificates. |
623076 | Add memory protection for web mode SSL VPN child process (guacd). |
623217 | Website pop-up error using SSL VPN web mode. |
623379 | Memory corrupt in some DNS callback cases causes SSL VPN crash. |
624283 | Customer has to manually add domain in SMB share login through SSL VPN portal. |
624899 | Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark. |
626228 | Bookmark does not load though SSL VPN web mode. |
626237 | SAP portal link is not working in SSL VPN web mode. |
627150 | SSL VPN web mode unable to load custom web application JavaScript parts. |
627456 | Traffic cannot pass when SAML user logs in to SSL VPN portal with group match. |
628059 | SSL VPN web mode gets redirected out of SSL VPN proxy. |
628597 | Unable to load the SSL VPN bookmark internal website https://fi***. |
628801 | Internal web application is not opened after the login. |
628821 | Internal aixws7test2 portal is not loading in SSL VPN web mode. |
629190 | After SSL VPN proxy, some JS files of hapi website could not work. |
629373 | SAML login button is lost on SSL VPN portal. |
630432 | Slides in website https://re***.nz are displayed in SSL VPN web mode. |
631050 | ERR_EMPTY_RESPONSE while accessing internal portal’s webpages in SSL VPN web mode. |
631130 | Internal site http://va***.com not completely loading through SSL VPN web mode bookmark. |
631402 | Website (https://uj***) is not accessible in SSL VPN web mode. |
631510 | Some internal servers do not provide any content type or content length in response header; sslvpnd treats it as HTML file to handle and has problem to finish it. |
631809 | Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops. |
633047 | Cannot load local 1C application through web mode. |
633114 | Cannot access internal website pl***.fr using SSL VPN web mode. |
633812 | For guacd daemon generated for RDP session, it would sometimes be in an unknown state with 100% CPU and could not be released. |
634210 | SSL VPN daemon crash due to `limit-user-login`. |
634991 | Internal server error 500 while accessing contolavdip portal in SSL VPN web mode. |
635307 | Map could not be displayed correctly in SSL VPN web mode. |
635341 | SSL VPN not assigning IP from local IP pool when framed IP address is received with value 0xFFFFFFFE. |
635608 | Map could not be displayed correctly in SSL VPN web mode. |
635896 | The sa***.org website is not shown properly in SSL VPN web mode. |
635899 | SharePoint portal URL links for Office documents are not redirected over SSL VPN web mode in Firefox. |
635907 | AM*** website is not shown properly using SSL VPN web mode. |
636332 | With SSL VPN proxy JIRA web application, get one wrong URL without proxy path. |
636984 | Website (pr***.com) not loading properly in SSL VPN web mode. |
637018 | After the upgrade to 6.2.4/6.4.0 SSL VPN portal mapping/remote authentication is matching user into the incorrect group. |
637164 | The customer’s website (https://vpn.***.org) is not shown properly using SSL VPN web mode. |
638733 | Internal website hosted in bookmark https://in***.cat is not loading completely in SSL VPN web mode. |
639431 | Three of the internal applications/portal bookmarks do not load/partially work with SSL VPN web mode. |
639768 | Log in page loading with delays in web mode. |
639789 | Apache Guacamole page is redirected to direct link in SSL VPN web mode. |
640167 | The Run*** website is not displayed properly using SSL VPN web mode. |
642225 | The IC*** internal website is not displayed properly using SSL VPN web mode. |
643598 | Application is not working using SSL VPN web mode. |
643749 | SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password. |
644506 | Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password. |
644607 | Sco*** internal portal webpage is not loading after logging in with web mode. |
645276 | After SSL VPN web mode proxy, some JS files of sthlm04 SCA*** website have problems. |
646429 | Update Telnet idle timeout setting and fix issue of Telnet not working. |
647296 | SSL VPN web mode problem with https://de***.com. |
648369 | Some JS files of ji***.v** could not run in SSL VPN web mode. |
649197 | Unable to use editor in Atlassian internal Confluence portal over SSL VPN web mode. |
649466 | SSL VPN authentication fails when all-usergroup is enabled in RADIUS server. |
Switch Controller
Bug ID | Description |
---|---|
633842 | FortiLink down with LACP mode set to active. |
System
Bug ID | Description |
---|---|
506485 | FortiOS get system interface cross-check command improvement. |
552788 | DSL route not removed when interface is down. |
567019 | CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots. |
572847 | The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series. |
594264 | NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will timeout at session TTL expiry. |
594871 | Potential memory leak triggered by FTP command in WAD. |
596209 | Device has become unmanageable; receiving errno=Resource temporarily unavailable when trying to update objects. |
598928 | FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN. |
605723 | FG-600E stops sending out packets on its SFP and copper port on NP6. |
611512 | When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE. |
612302 | FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the fly. |
613017 | ip6-extra-addr does not perform router advertisement after reboot in HA. |
615586 | Incorrect IP/MAC address on ESXi hosts. |
617134 | Traffic not showing statistics for VLAN interfaces based on hardware switch. |
617154 | Fortinet_CA is missing in FG-3400E. |
618158 | DHCP client cannot get IP address when NTP server option in DHCP server settings is set to Same as System NTP. |
618762 | Fail to detect transceiver on all SFP28/QSFP ports. Affected platforms: FG-3300E and FG-3301E. |
626371 | Request to blocked signature with SSL mirrored traffic capture causes FG-500E to reboot. |
626785 | FG-101F should support the same WTP size (128) as the FG-100F. |
627054 | HTTPSD signal 6 crash in cases of long application lists that are greater or equal to the maximum size of 16. |
627409 | Cannot create hardware switch on FG-100F. |
627629 | DHCP client sent invalid DHCP-REQUEST format during INIT state. |
628642 | Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled. |
630658 | Auto-script output file size over 400 MB when configured output size is default 10 MB. |
632353 | Virtual WAN link stops responding after 45 members. |
632407 | Cannot delete VDOM due to ssl.vdom1 interface after changing mode from split-task VDOM to multi VDOM. |
632635 | Frame size option in sniffer does not work. |
633102 | DHCPv6 client’s DUID generated on two different FortiGates match. |
633298 | 10G ports x1/x2 cannot be set as interfaces in firewall acl /acl6 policies. |
634415 | Speed of 100G in get system interface cross-check shown incorrectly as 34464 for Fortinet-authorized FINISAR CORP FTLC9551REPM. |
634494 | accprofile permission for config system link-monitor is not correct. |
634495 | accprofile permission for execute ping is not correct. |
636069 | Unable to handle kernel NULL pointer dereference at 000000000000008f. |
637420 | execute shutdown reboots instead of shutting down on SoC4 platforms. |
638041 | SFP28 port group (ha1, ha2, port1 and port2) missing 1000full speed option. Affected platforms: FG-220xE, FG-330xE, FG-340xE, and FG-360xE. |
638738 | In VDOM, config log syslogd xxx is not shown in show full-configuration . |
639623 | Possible conflicts between software switch VLAN setting and its member interface VLAN setting. |
641419 | FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632). |
643188 | Interface forward-error-correction setting not honored after reboot. |
645363 | SNMP monitoring does not provide the SD-WAN member interface name. |
647593 | After reboot, forward-error-correction value is not maintained as it should be. |
647718 | VDOM with long name cannot be deleted. |
647777 | FortiGate not responding to DHCP relay requests from clients behind a DHCP relay. |
649506 | Sometimes FortiGate does not boot when restoring configuration using private data encryption. |
Upgrade
Bug ID | Description |
---|---|
635589 | Upon upgrading to FortiOS 6.2.4, DoS policies configured on interfaces may drop traffic that is passing through the DoS policy configuration. Note that this can occur if the DoS policy is configured in drop or monitor mode. Workaround: disable the DoS policy. |
User & Authentication
Bug ID | Description |
---|---|
597319 | In SSL VPN certificate authentication, add auth policies in base of LDAP group. |
605838 | Device identification scanner crashes on receipt of SSDP search. |
620941 | Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to push notification delay. |
625107 | No response when using FTM-PUSH because unable to set source IP for FTM-PUSH. |
627144 | Remote admin LDAP user login has authentication failure when the same LDAP user has local two-factor authentication. |
629487 | Older FortiGate models do not have CA2 and will cause EMS server authentication to fail. |
634580 | Peer users are matching every group instead of only groups based on the LDAP group membership. |
635385 | In HA cluster, RADIUS accounting not working with `use-management-vdom enable`. |
637577 | Inconsistent fnbamd LDAP group match result. |
638593 | Certificate verification fails if any CA in a peer-provided certificate chain expires, but its cross-signed certificate is still valid in the system trust store. |
VM
Bug ID | Description |
---|---|
587180 | FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host. |
603100 | Autoscale not syncing certificate among the cluster members. |
623376 | Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under vdom-exception . |
624657 | Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces. |
626705 | By assigning port1 as the HA management port, the HA secondary node is now able to send system information to the Azure portal through waagent so that up-to-date information is displayed on the Azure dashboard. If port1 is not used as the HA management port, the Azure display and Azure Security Center alerts will not reflect the correct state of the node, which may result in unnecessary alarms. |
629709 | AWS VM stops processing traffic in some interfaces when running diagnose debug application ike -1. |
634245 | Dynamic address objects are not resolved to all addresses using Azure SDN connector. |
634499 | AWS FortiGate NIC gets swapped between port2 and port3 after FortiGate reboots. |
641038 | SSL VPN performance problem on OCI. |
653567 | Admin cannot log in to FortiGate VM GUI after license expired. |
VoIP
Bug ID | Description |
---|---|
643548 | SIP transfer calls fail when extensions are behind the same FortiGate (spoke). |
Web Filter
Bug ID | Description |
---|---|
576862 | Update urlfilteridx in traffic log to be webfilter.urlfilter.entry.id. |
611501 | Clarify meaning of urlfilteridx=0 log field when proxy-based inspection is used. |
621807 | Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering rating service. |
625897 | Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering rating service. |
629005 | foauthd has signal 11 crashes when FortiGate does authentication for a web filter category. |
630232 | Certain regex static URL entries stopped working in 6.2.3. |
636754 | If the last line in a threat feed does not end with \n, it is not parsed and is not displayed in the GUI. |
647227 | Externally imported list (custom threat feed) is matching incorrectly in web filter remote category. |
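Bug 636754 above (a threat-feed entry on an unterminated last line is silently ignored) is easy to reproduce on your own side before a FortiGate ever fetches the file. The script below is an added example, not Fortinet code: it models a reader that only consumes newline-terminated lines (an assumed simplification of the behaviour the note describes, not FortiOS source), shows which entries such a reader loses on a constructed sample feed, and emits a normalized feed (LF endings, no blank lines, trailing newline) that parses the same way under either reader. The sample entries are made up for the example.

```python
"""Check a custom threat-feed file before publishing it for a FortiGate.

A FortiGate external resource (custom threat feed) is a plain-text list
with one entry per line. The constructed sample below deliberately has no
trailing newline, so its last entry is the one a strict reader drops.
"""

# Constructed sample feed: two IPs and one URL, last line unterminated.
SAMPLE_FEED = "203.0.113.10\nexample.test/bad\n\n198.51.100.7"


def naive_entries(data: str) -> list[str]:
    """Model of a reader that only emits a line once it sees '\\n'.

    This is an assumed simplification used to illustrate bug 636754; it is
    not how FortiOS is implemented. Whatever is left in the buffer at EOF
    (an unterminated final line) is discarded.
    """
    out, buf = [], ""
    for ch in data:
        if ch == "\n":
            if buf.strip():
                out.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return out  # buf is intentionally dropped here


def robust_entries(data: str) -> list[str]:
    """Parse every non-empty line regardless of line endings or EOF state."""
    text = data.replace("\r\n", "\n").replace("\r", "\n")
    return [line.strip() for line in text.split("\n") if line.strip()]


def dropped_by_naive_reader(data: str) -> list[str]:
    """Entries a newline-terminated-only reader would lose from this feed."""
    seen = set(naive_entries(data))
    return [e for e in robust_entries(data) if e not in seen]


def normalize_feed(data: str) -> str:
    """Rewrite the feed so both readers agree: LF endings, no blanks,
    and a guaranteed trailing newline after the last entry."""
    return "".join(entry + "\n" for entry in robust_entries(data))


if __name__ == "__main__":
    lost = dropped_by_naive_reader(SAMPLE_FEED)
    print("entries at risk:", lost)                    # ['198.51.100.7']
    fixed = normalize_feed(SAMPLE_FEED)
    print("after normalization at risk:", dropped_by_naive_reader(fixed))  # []
```

Run it against the file you actually serve (read it with newline="" so CR/LF are preserved) and publish the output of normalize_feed; an empty "entries at risk" list means the feed is safe even on a firmware build still affected by the bug.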
WiFi Controller
Bug ID | Description |
---|---|
605937 | WiFi health monitor Client Count widget shows clients on the wrong band (on local standalone SSID). |
625326 | FortiAP not coming online on FG-PPPoE interface. |
638537 | Applications, Destinations, and Policies keep loading for WiFi Clients > Diagnostics and Tools drill-down. |
641811 | In FG-100F/101F with PPPoE interface, the FortiGate could not manage FortiAP. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
558685 | FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference: |
634975 | FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference: |
Known issues to be resolved:
Endpoint Control
Bug ID | Description |
---|---|
618718 | The set certificate setting under config endpoint-control fctems is missing after a reboot. |
Explicit Proxy
Bug ID | Description |
---|---|
654211 | When a category proxy address is applied in a proxy policy and SOCKS traffic passes through the web proxy, WAD crashes with signal 11 in wad_url_choose_cate while matching the SOCKS traffic against the proxy address. Browsers may send SOCKS traffic in the background from time to time. |
GUI
Bug ID | Description |
---|---|
651412 | Print option in Guest Management page does not work; send options for SMS and email are OK. |
654186 | In Device Inventory Monitor dashboard, no device information shown in inventory chart when visualization set to table. |
654256 | Interface speed test fails with a Failed Dependency error when multiple VDOMs are configured. |
Intrusion Prevention
Bug ID | Description |
---|---|
654307 | Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode. |
Security Fabric
Bug ID | Description |
---|---|
654215 | FortiAnalyzer Cloud Solutions links should redirect to the correct AWS/Azure/GCP URLs instead of the FortiGate IP address. |
Switch Controller
Bug ID | Description |
---|---|
607753 | CAPWAP is not updated to be a Fabric connection after upgrading from 6.4.0 Beta1 build 1519 to build 1538. |
621785 | user.nac-policy[].switch-scope may contain a data reference to switch-controller.managed-switch. When an admin has set this reference, it must be removed before the managed-switch can be deleted. |
System
Bug ID | Description |
---|---|
587824 | A member of a virtual WAN link is lost after upgrade if the management interface had dedicated-to management set before the upgrade. |
651103 | FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN. |
Upgrade
Bug ID | Description |
---|---|
618809 | Boot up may fail when downgrading from FOS 6.4.0 to 6.2.3. |
VM
Bug ID | Description |
---|---|
639258 | Autoscale GCP health check is not successful (port 8443 HTTPS). |
FortiOS 6.4.2 – Release Notes
Best regards,
The B&B Team
Bezpieczeństwo w biznesie (Security in Business)