B&B Bezpieczeństwo w biznesie

Fortinet has released the latest version of FortiOS, 6.4.3! In this update the vendor fixed existing problems, including an issue with the HTTP proxy that blocked access and reported a policy violation. The update corrected many bugs affecting SSL VPN and fixed problems with access to websites and with URLs. In routing, the SD-WAN rules were improved and work considerably better after the update. For more information, read on in the rest of the article.

CURRENTLY SUPPORTED MODELS:

FortiGate: FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-201E, FG-300D, FG-300E, FG-301E, FG-400D, FG-400E, FG-401E, FG-500D, FG-500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3810D, FG-3815D, FG-5001D, FG-3960E, FG-3980E, FG-5001E, FG-5001E1
FortiWiFi: FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F
FortiGate Rugged: FGR-60F
FortiGate VM: FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN
Pay-as-you-go images: FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

Resolved issues:

Anti Virus

Bug ID Description
560044 Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.
635365 FortiGate enters conserve mode.

Data Leak Prevention

Bug ID Description
616918 DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS.

DNS Filter

Bug ID Description
649985 FortiGuard SDNS server rating timeout.

Explicit Proxy

Bug ID Description
644121 Explicit proxy error 504, DNS fails for a specific domain.
650540 FortiGate sends traffic to an incorrect port using a wrong source NAT IP address.
654211 When the category proxy address is applied in a proxy policy, if SOCKS traffic passes through the web proxy, when matching the SOCKS traffic with the proxy address, the WAD will crash with signal 11 at wad_url_choose_cate. Browsers may send SOCKS traffic in the background from time to time.
660703 Using the HTTP explicit proxy denies access to non-HTTP traffic and displays a policy violation.

Firewall

Bug ID Description
586764 Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making change to large policy list (10 000+ policies).
586995 Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary.
609027 SCTP secondary path not working in ECMP context; incorrect expectation session created from auxiliary session.
616220 ICMP reply packets dropped by the FortiGate.
635074 Firewall policy dstaddr does not show virtual server available based on virtual WAN link member.
643446 Fragmented UDP traffic is silently dropped when fragments have different ECN values.
644225 Challenge ACK is being dropped.
647410 append command allows mixing VIP and firewall address as destination objects in a firewall policy.
648951 External threat feed entry 0.0.0.0/0 shows as invalid but it blocks traffic.
650700 There should be an event log when there are internet service remove/merge entries.
650867 Firewall does not track UDP sessions on the same port.
656678 Different ciphers for SSL/HTTPS virtual servers.
659142 TNS connection request limited to 500 per second when client is trying to reach database server through the firewall.
660461 Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU.

FortiView

Bug ID Description
643198 Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives Failed to retrieve FortiView data error.

GUI

Bug ID Description
446427 Failed to update VDOM license in GUI if the new license has lower VDOM count than the current license.
543192 Source IP is not used if using the GUI to query FortiGuard filtering service.
547123 The help message of gui-dynamic-profile-display is not correct.
561889 Firewall address object in GUI is not displaying Invalid Subnet Mask error when it should.
588159 When disabling Allow Endpoint Registration, creating a FortiClient dialup VPN with the wizard gives Unable to setup VPN error after completing the wizard.
606814 Security profile group does not switch from certificate-inspection to no-inspection in the GUI.
612066 Entry not found error shown when adding SSL VPN tunnel interface to Multicast.
634550 GARP is not sent when moving a virtual cluster in the GUI.
638752 All httpsd stuck in zombie state and unable to access web GUI management.
645606 virtual-wan-link can be set as dstinf in an SSL VPN policy via CLI, but it is invisible in the GUI.
646327 GUI does not show URL filter when there is a large number of URL filters.
649027 CPU usage in FortiSwitch pane is shown as 90% but checking it in the CLI shows 25%.
650307 When an external FortiGuard category is set to SSL-exempt, after clicking Apply, the configuration is saved in the CLI and not in the GUI.
650800 Error when deleting multiple phase 2 selectors for VPN from the GUI.
651412 Print option on Guest Management page does not work; send options for SMS and email are OK.
651711 Unable to select address group under SSL VPN Source IP Pools.
652394 Unable to change web-based email category action in DNS filter.
652975 Cannot access FortiGate by IPv6 GUI after configuring IPv6 for the first time.
653240 Web Filtering and Anti-Spam status is down on FortiGuard page after refreshing the page.
653422 Unable to edit a remote user group for Administrators user management in global VDOM, and get Invalid LDAP server error.
654018 Quarantine monitor not showing quarantined IPs.
654186 In Device Inventory Monitor dashboard, no device information shown in inventory chart when visualization set to table.
654250 Firewall HTTPS/HTTP RADIUS authentication with password renewal does not work.
654256 Interfaces speed test fails and get Failed Dependency error when it has multiple VDOMs.
654339 Interface page keeps loading when doing a search.
654626 It is impossible to change the Action setting using the FortiGuard Category Based Filter on a DNS Filter Profile page.
655255 GUI IPv4 policy and other menus slow to load due to FortiGuard product API timing out.
655568 GUI does not allow users to deselect Administrative Access options for VLAN interfaces.
655891 Web CLI console does not work if port 8080 is being used.
656139 Table column is blank after changing an interface to any for multicast, NAT64, and NAT46 policies.
656429 FortiLink flapping and causing csfd and httpsd to crash while using high CPU.
656974 ip6-mode was changed from delegated to static after a parameter was changed from the GUI.
657322 outbreak-prevention setting is not automatically configured when enabling Use External Malware Block List in the GUI.
657545 Static route Dynamic Gateway toggle does not enable the dynamic gateway in the configuration.
661582 FortiGate Cloud logging Date/Time filter does not work.
663737 Add filtering facets back to FortiView widgets when using full screen or standalone mode.
663956 Unable to load web CLI console for LDAP admin with space in name.

HA

Bug ID Description
421335 Get one-time hasync crash when running HA scripts for FIPS-CC.
637711 CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary units.
640327 Duplicate logs are created by both primary and secondary devices for IPsec VPN.
643958 Inconsistent data from FFDB caused several confsyncd crashes.
647679 Inconsistent values for HA cluster inside the SNMP.
651674 Long sessions lost on new primary after HA failover.
654341 The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one VDOM.
656099 The mgmt interfaces are excluded for heartbeat interfaces (even if dedicate-mgmt is not enabled).
657376 VLAN interfaces created on a different virtual cluster primary instead of the root primary do not sync.
662893 HA cluster goes out of sync if SAML SSO admin logs in to the device.

Intrusion Prevention

Bug ID Description
655371 Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode.
660111 SSL VPN web mode IPS detection with HTTP does not work, even though it works with HTTPS.

IPsec VPN

Bug ID Description
592361 Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.
614483 Add IKEv2 phase 2 initiator traffic selector narrowing for Cisco compatibility.
638352 In extreme situations when thousands of tunnels are negotiating simultaneously (IKEv2), iked process gets exhausted and stuck.
638573 FortiGate is not deleting the shortcut tunnel for ISPA (primary ISP) when ISPA is down.
639806 User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject.
646012 IPsec over DHCP randomly does not work (net-device disable).
647285 After HA failover, not all tunnels come up; unknown SPI.
650599 IKE HA sync truncates phase 2 option flags after the first eight bits.
655739 local-gw is replaced with primary IP on a secondary device when the secondary IP is used as a local-gw.
659535 IPsec in SD-WAN and zone causes IKE crash.
660472 Could not locate phase 1 configuration for IPv6 dialup IPsec VPN.
666693 If NAT-T IP changes, the dynamic IPsec spoke add route entry is stuck on hub.

Log & Report

Bug ID Description
642941 For URLs over 66 characters, the FortiGate replaces remaining characters with dots (.) in dstname field when forwarded to syslog/FortiAnalyzer.
643840 vwlservice should log the SD-WAN rule and not an internet service; impacts FortiAnalyzer SD-WAN monitor widgets and reports.
645914 Move eventtime field to the beginning of the log to save performance on Splunk or other logging systems.
647741 On FG-60F, logging and FortiCloud reporting incorrect IPv6 bandwidth usage for sessions with NPU offload.
650325 miglogd crashes with signal 11 (segmentation fault).
651581 FortiGate tried to connect to FortiGate Cloud with the primary IP after reboot, although the secondary IP is the source in the FortiGuard log.
654363 Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode.
658665 Cannot retrieve logs from FortiAnalyzer on non-root VDOM.

Proxy

Bug ID Description
550350 Should not be able to set inspection-mode proxy with IPS-enabled only policy.
579902 SSL handshake not successful with 0xc02b cipher.
619707 WAD memory leak with explicit proxy and more than 30 users.
633108 Specific WAD crashes.
638039 Delete validation is not working for Protecting SSL Server profile.
648831 WAD memory leak on FortiOS 6.2.4.
653099 URL filter wildcard in proxy mode.
655356 Unable to access a published website when the firewall policy is in proxy mode.
656830 FortiGate should be in SSL bypass mode for TLS 1.2 certificate inspection with client certificate request.
658654 Cannot access specific website using proxy-based UTM with certification inspection.
660857 Unable to access some websites when proxy inspection is used in the policy.
663088 Application control in Azure fails to detect and block SSH traffic with proxy inspection.
666522 Proxy mode is blocking web browsing for some websites.
666686 Websites loading slowly with web filter applied in proxy mode.

Routing

Bug ID Description
585816 SD-WAN route selection does not use the most specific route in the routing table when selecting the egress path.
613716 SSL VPN sends packet using wrong interface that causes disconnections.
639884 diagnose ip proute match gives wrong result when VRF is configured.
641050 Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.
644461 Unable to redistribute BGP into OSPF based on community (in VRF 0).
649558 ISDB policy routes are not removed when the SD-WAN member is down.
654482 SD-WAN route tag is removed with multiple BGP paths in place.
655447 BGP prefix lifetime resets every 60 seconds when scanning BGP RIB.
655480 Upgrading to FortiOS 6.4.2 breaks all SD-WAN performance SLAs that use HTTP.
660285 Editing an existing route map rule to add set-weight 0 results in unset set-weight behavior.
660300 Application vwl signal 11 (segmentation fault) received.
660311 Application vwl signal 6 (aborted) received.
661769 SD-WAN rule disappears when an SD-WAN member experiences a problem.
662655 The OSPF neighborship cannot be established; get MD5 authentication error.
662845 HA secondary also sends SD-WAN sla-fail-log-period to FortiAnalyzer.
663057 IPv6 routing does not work properly to be a dual stack.
666829 The bfdd process crashes.

Security Fabric

Bug ID Description
649344 When viewing CSF child Dashboard > WiFi from parent FortiGate, GUI reports, Cannot read property 'spectrum_analysis' of undefined.
652737 FortiGate does not send interface configuration to FortiIPAM.
653368 Root FortiGate fails to load Fabric topology if HA downstream device has a trusted device in both primary and secondary FortiGates.
660250 The ipamd process is causing high memory usage.

SSL VPN

Bug ID Description
548599 SSL VPN crash on some special URLs.
613733 Access problem for website.
615453 WebSocket using Socket.IO could not be established through SSL VPN web mode.
620793 A page inside a bookmark not opening in SSL VPN web mode.
630771 SSL VPN rewrites the URL inside the emails sent in Outlook (webmail).
637217 Internal webpage, di***, is not loading in web mode.
641379 Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal.
642838 Redirected URLs do not work in web mode.
645973 Content from internal Microsoft Dynamics CRM cr***.local portal is not loading properly in SSL VPN web mode.
646295 When DNS domain is configured, requests with NTLM of host name-only bookmark could not get response from server.
647202 fas crashes when using FortiToken Cloud to access SSL VPN tunnel.
648433 Internal website loading issue in SSL VPN web portal.
649130 SSL VPN log entries display users from other VDOMs.
649193 Apache Guacamole is vulnerable to CVE-2020-9497 and CVE-2020-9498.
652060 BMC Remedy Mid Tier 9.1 web app is not displayed properly in SSL VPN web mode.
652070 BMC Remedy Mid Tier 8.1 web application elements are not displayed properly in SSL VPN web mode.
652762 SSL VPN web mode HTTPS bookmark fails to load (times out).
652880 SSL VPN crashes around the same time that LDAP connection errors are logged.
653349 SSL VPN web mode not working for internal website.
654534 SAML authentications occurring through SSL VPN web mode are not completing.
655374 SSL VPN web portal bookmark not loading internal web page after login credentials are entered.
657689 The system allows enabling split tunnel when the SSL VPN policy is configured with destination all. It is not consistent with 5.6.x and 6.0.x.
657890 Internal website, https://*.da***.cz, is not working correctly in SSL VPN web mode due to source link error.
658036 When adding an FTP link to download FortiClient and accessing it through the portal, the colon is dropped from the string.
659234 FortiGate keeps replying to an ARP request for an IP address that was once assigned to an SSL VPN user, who has already disconnected and been deleted.
659312 Unable to load HTTPS bookmark in Safari (TypeError: 'text/html').
659481 Internal websites not displayed successfully in SSL VPN web portal.
661372 SSL VPN incorrectly rewrites the script URL.
661835 ASUS ASMB9-iKVM application shows blank page in SSL VPN web mode.
662042 The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.
663298 The internal website is not working properly using SSL VPN.
663433 SSL VPN web mode cannot open DFS shared subdirectories, get Invalid HTTP request error as sslvpnd adds NT.
664804 User cannot use column header for data sorting (bookmark issue).
665879 When sslvpn processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML.
666194 WALLIX Manager GUI interface is not loading through SSL VPN web mode.

Switch Controller

Bug ID Description
649913 HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.
652745 Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber.

System

Bug ID Description
581496 FG-201E stops sending out packets and NP6lite is stuck.
582536 Link monitor behavior is different between FGCP and SLBC clusters.
585882 Error in log, msg="Interface 12345678001-ext:64 not found in the list!", while creating a long name VDOM in FG-SVM.
594577 Out-of-order packets for an offloaded multicast stream.
598464 Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.
603194 NP multicast session remains after the kernel session is deleted.
609660 NPU offloading enabled dropping traffic from IPsec VPN tunnel remote gateway.
627236 TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.
627269 Wildcard FQDN not resolved on the secondary unit.
630146 FG-100F memory configuration check.
631132 Symantec connector does not work if management VDOM is not root vdom and root VDOM has no network connection.
631296 Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency.
631689 FG-100F cannot forward fragmented packets between hardware switch ports.
633827 Errors during fuzzy tests on FG-1500D.
636999 LTE does not connect after upgrading from 6.2.3.
637014 Uncertified status of firmware after GUI upgrade, checksums are null.
637983 FG-100F memory configuration check fails because of wrong threshold.
642005 FortiGate does not send service-account-id to FortiManager via fgfm tunnel when FortiCloud is activated directly on the FortiGate.
642327 FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port.
642958 FG-80E terminates the firewall session abruptly when the end-users download large files.
644380 FG-40F/60F kernel panic: failure at mm/vmalloc.c:1341/__get_vm_area_node ()!.
645723 Cannot set overlap IP on global level if allow-subnet-overlap on management VDOM is disabled.
648014 FortiGate DDNS failure every two months.
648083 cmdbsvr crashed with signal 11 (segmentation fault) received.
650878 DHCP relay will honor the broadcast flag set to 0 (unicast) in only one VDOM at a time in a multi-VDOM environment.
653289 FortiExtender virtual interface cannot get IP after rebooting the system.
654159 NP6Xlite traffic not sent over the tunnel when NPU is enabled.
654624 Error message shown (get_ha_sync_obj_sig_4dir delete broken symbolic link /etc/cert/ca/5c44d531.0) when upgrading from 6.4.1.
657632 IPv6 passes through the DNS filter with application control enabled.
659539 FortiGate running 6.4.2 GA cannot validate license via FortiManager due to FortiManager hardware missing Fortinet_CA2 and Fortinet_SUBCA2001.
661784 FortiGuard DDNS is unable to update the renewed public IP address to the FortiGuard server.
662208 Configuration changes take a long time and cmdbsrv processes use up to 100% CPU.
662239 FGR-60F-3G4G hardware switch span does not work.
665000 HA LED off issue on FG-1100E/1101E models in 6.0.x.
668218 SD-WAN HTTP health check does not work for URLs longer than 35 characters.

Upgrade

Bug ID Description
646877 FortiOS allows the elimination of interfaces, although it still has a VIP reference used in firewall policies.
656869 FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0.

Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration.

User & Authentication

Bug ID Description
643191 FSSO TS-Agent is not working properly when FortiGates use NGFW policy-based mode.
655422 A space after a comma within CN is incorrectly removed during the bind request causing authentication failure (LDAP).
656118 Password displayed as clear text in FortiManager installation log when resetting the system admin user password via FortiManager.
658794 FortiGate sent CSR certificate instead of signed certificate to FortiManager when retrieve is performed.
659456 REST API authentication fails for API user with PKI group enabled due to fnbamd crash.
662391 Persistent sessions for de-authenticated FSSO users.
663399 interface-select-method not working for RADIUS configuration.

VM

Bug ID Description
640532 ESXi 6.0 gets Kernel panic - not syncing: Attempted to kill init! message.
645798 In FG-VM64-HV, portX: can not set mac address(16). error displayed in console after HA is enabled and all interfaces lose connections.
647800 Merge FIPS ciphers to 6.4.3 and 6.6 trunk (visible to AWS and Azure only).
652416 AWS Fabric connector always uses root VDOM even though it is not a management VDOM.
657785 On FG-AWS, changing health check protocol to tcp-connect causes kernel panic and reboot.
662969 Azure SDN connector filter count is not showing a stable value.
663276 After cloning the OCI instance, the OCID does not refresh to the new OCID.
663487 Should add router policy in vdom-exception list.
668131 EIP is not updating properly on FG-VM Azure.
670166 FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5 to 6.4.2.

Web Filter

Bug ID Description
587018 Add URL flow filter counters to SNMP.
610553 User browser gets URL block page instead of warning page when using HTTPS IP URL.
650916 Loopback interface as source IP is not getting applied to FortiGuard web filter rating.
654160 Web filter profile count decreased after upgrading to 6.4.0 on FG-100F.
654675 Unable to get complete output of diagnose test application ipsufd 1.
655972 Custom category action set to allow in web filter profile causes the URL to use the FortiGuard category rather than the custom category.
661713 Global web filter profile is not applied after changes to allowed/blocked categories.

WiFi Controller

Bug ID Description
647703 HTTPS server certificate is not presented when WiFi controller feature is disabled in Feature Visibility.
655689 Wireless hostapd daemon crashes upon WPA3-SAE connection.
656804 Spectrum analysis disable/enable command removed in CLI from wtp-profile and causing a bottleneck for APs, such as FAP-222C/223C at 100% CPU.
657391 FG-600E has cw_acd crash with *** signal 8 (Floating point exception) received *** in 6.2.4.
660991 FAP-U431F cannot view what channel is operating, and the override channel setting must be unset to change to a different channel.
665766 Client failed to connect SSID with WPA2-Enterprise and user group authentication.

Known issues:

Endpoint Control

Bug ID Description
664654 EMS host tags are not synced with the FortiGate when the user connects to a tunnel mode SSID.

Firewall

Bug ID Description
653897 VIPs are removed from policy destination address after upgrading to 6.4.1.
666612 Get internet service name configuration error on version 7.01011 when FortiGate reboots or upgrades.

FortiView

Bug ID Description
660753 Incorrect drilldown details shown when filtering by subnet on realtime FortiView.

GUI

Bug ID Description
567996 GUI issues with physical topology on Managed FortiSwitch and FortiSwitch Ports pages.
650708 Guest Management user expiry date and time in the GUI does not match the entries in the CLI.
662873 Editing the LDAP server in the GUI alters the configuration, and set server-identity-check disable is removed from the LDAP configuration.
663351 RADIUS CHAP test in GUI starts failing after upgrading to 6.4.2.

HA

Bug ID Description
615001 LAG does not come up after link failed signal is triggered.
653642 FortiGate HA failover from FortiManager is not successful.

Intrusion Prevention

Bug ID Description
654307 Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

IPsec VPN

Bug ID Description
644780 Rectify the consequences if password renewal on FortiClient is canceled.
652774 OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes have two ISPs and some have one, but the hubs have two.
655895 Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).

Log & Report

Bug ID Description
661040 Cyrillic characters not displayed properly in local reports.

Routing

Bug ID Description
654032 SD-WAN IPv6 route tag command is not available in the SD-WAN services.

SSL VPN

Bug ID Description
550819 guacd is consuming too much memory and CPU resources during operation.

Switch Controller

Bug ID Description
607753 CAPWAP is not updated to be a Fabric connection after upgrading from 6.4.0 Beta1 build 1519 to build 1538.

System

Bug ID Description
464340 EHP drops for units with no NP service module.
555616 TCP packets sent out wrong interface and have high CPU usage.
587824 Member of virtual WAN link lost after upgrade if management interface is set dedicated-to management before.
607565 Interface emac-vlan feature does not work on SoC4 platform.
630861 Support FortiManager when private-data-encryption is enabled in FortiOS.
644782 A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.
647309 Kernel crash at filter4 module and subsequent loop of failure at mm/vmalloc.c:1341/__get_vm_area_node()!.
651103 FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.
657629 FG-101F cannot retrieve power fan status and BGP status via SNMP.
662681 Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.
663083 Offloaded traffic from IPsec crossing the NPU VDOM link is dropped.
666030 Empty firewall objects after pushing several policy deletes.

Upgrade

Bug ID Description
618809 Boot up may fail when downgrading from FOS 6.4.0 to 6.2.3.

User & Authentication

Bug ID Description
580391 Unable to create MAC address-based policies in NGFW.

VM

Bug ID Description
596742 Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.
617046 FG-VMX manager not showing all the nodes deployed.
639258 Autoscale GCP health check is not successful (port 8443 HTTPS).
646161 FG-VM with 8 CPU does not recognize all memory allocated in Hyper-V.
669822 Hot adding multiple CPUs at once to Xen-flavored VMs can result in a kernel panic crash.

Workaround: add one CPU at a time. Alternatively, shut down the VM, add the CPUs, and restart the VM.

WiFi Controller

Bug ID Description
643854 Client traffic was dropped by CAPWAP offloading when it connected from a mesh leaf Forti-AP managed by a FWF-61F local radio.
672136 Log severity for wireless events in Forti-WiFi and Forti-AP should be reconsidered for CAPWAP teardown.

We encourage you to read the vendor's release notes: FortiOS 6.4.3

Best regards,

The B&B team
Bezpieczeństwo w biznesie
