Fortinet publikuję aktualizację dla FortiOS o oznaczeniu 6.4.4. W nowej wersji pojawi się udogodnienie dla urządzeń Cisco, gdzie skonfigurowanie wielu adresów IP będzie możliwe, lecz tylko jeden będzie aktywny, a pozostałe adresy będą służyć jako zapasowe. Po aktualizacji został naprawiony problem z długim czasem autoryzacji użytkowników, gdzie problem dotyczył połączeń z serwerem FSSO. Wersja 6.4.4 skorygowała błędy dotyczące urządzenia FortiGate 101F, problemy dotyczyły głównie informacji o statusie wentylatora i BGP. Dzięki aktualizacji rozwiązało się wiele błędów dotyczących wirtualizacji, między innymi problem z serwerami HTTP został poprawiony błąd z komunikacją. Po więcej informacji o aktualizacji zapraszam do dalszej części artykułu.

Aktualnie wspierane modele:

Rozwiązane problemy:

DNS Filter

Bug ID	Description
653581	Cannot pass DNS traffic through FortiGate or DNS traffic originated from FortiGate when external blocklist (threat feed) is updated.

Endpoint Control

Bug ID	Description
664654	EMS host tags are not synced with the FortiGate when the user connects to a tunnel mode SSID.

Explicit Proxy

Bug ID	Description
662931	Browsers change default SameSite cookie settings to Lax, and Kerberos authentication does not work in transparent proxy.
664548	When the FortiGate is configured as an explicit proxy and AV is enabled on the proxy policy, users cannot access certain FTP sites.

File Filter

Bug ID	Description
676485	File filter rule set with the msc file type was removed after upgrading.

Firewall

Bug ID	Description
651321	sflowd is crashing due to invalid custom application category.
653828	When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds.
661777	Source NAT port reuses ports too quickly, and GCP/API fails to establish due to endpoint independence conflict.
665739	HTTP host virtual server does not work well when real server has the same IP but a different port.
666612	Get internet service name configuration error on version 7.01011 when FortiGate reboots or upgrades.
667696	Reputation settings in policies not working as expected.
669665	All ISDB groups are lost when upgrading from 6.2.5 to 6.4.2.

GUI

Bug ID	Description
490396	System administrator account profile overwrite does not work in the GUI if the remote administrator has 2FA enabled (CLI is OK).
567996	Slow load times for the Managed FortiSwitch and FortiSwitch Ports pages when there is a large number of FortiSwitches.
650708	When the client browser is in a different time zone from the FortiGate, the Guest Management page displays an incorrect expiry time for guest users. The CLI returns the correct expiry.
652394	GUI cannot change action for the web-based email category in DNS filter profile.
662873	Editing the LDAP server in the GUI removes the line set server-identity-check disable from the configuration.
663351	Connectivity test for RADIUS server using CHAP authentication always returns failure.
665444	Columns for log details do not resize, and they cover existing columns.
666500	The Confirm version downgrade option is not displayed after uploading a previous version’s firmware file.
668020	Support displaying disclaimer users in the Firewall Users widget.
672906	GUI does not prompt system reboot progress page after successfully restoring configuration.
675170	In the WiFi Clients drilldown, applications and destinations are same for two different stations.
680541	The logtype_mask filter in the IoC drilldown is not support on the FortiAnalyzer side.

HA

Bug ID	Description
615001	LAG does not come up after link failed signal is triggered.
650624	HA GARP sending was delayed due to lots of transceiver reading
653095	Inband management IP connection breaks when failover occurs (only in virtual cluster setup).
677246	Unable to contact TACACS+ server when using HA dedicated management interface in 6.4.3.

Intrusion Prevention

Bug ID	Description
671322	IPS engine reloads, or FortiGate reboots and displays CMDB __bsearch_index() duplicate value insertion errors.

IPsec VPN

Bug ID	Description
566076	IKED process signal 11 crash in an ADVPN and BGP scenario.
655895	Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).
663126	Packets for the existing session are still forwarded via the old tunnel after the routing changed on the ADVPN hub.
663648	BGP over dynamic IPsec VPN tunnel with net-device enable not passing through traffic after rebooting.
667129	In ADVPN with SLA mode, traffic does not switch back to the lowest cost link after its recovery.
673258	FortiGate to Cisco IKEv2 tunnel randomly disconnects after rekey.

Log & Report

Bug ID	Description
587916	Logs for local-out DNS query timeout should not be in the DNS filter UTM log category.
670741	Unable to configure syslog filter data size more then 512 characters.

Proxy

Bug ID	Description
657905	Firewall policy with UTM in proxy mode breaks SSL connections in active-active cluster.
661063	If a client sends an RST to a WAD proxy, the proxy can close the connection to the server. In this case, the relatively long session expiration (which is usually 120 seconds by default) could lead to session number spikes in some tests.

Routing

Bug ID	Description
537354	BFD/BGP dropping when outbandwidth is set on interface.
628896	DHCP relay should follow SD-WAN rules.
654032	SD-WAN IPv6 route tag command is not available in the SD-WAN services.
659409	FortiGate blocks IPv6 but allows IPv4 for traffic that looks asymmetric with asymroute is disabled.
663396	SD-WAN route changes and packet drops during HTTP communication, even though preserve-session-route is enabled.
667469	SD-WAN members and OIFs keep reordering despite the health check status being stable.
668982	Possible memory leak when BGP table version increases.
670017	FortiGate as first hop router sometimes does not send register messages to the RP.
673603	Only the interface IP in the management VDOM can be specified as the health check source IP.
675442	Weight-based load-balance algorithm causes local-in reply traffic egress from wrong interface.
676685	VRRP does not consider VRF when looking up destination in routing table.

Security Fabric

Bug ID	Description
660624	FortiAnalyzer Cloud should be taken into consideration when doing CLI check for CSF setting.
666242	Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.
669436	Filter lookup for Azure connector in subnet and virtual network does not show all results.

SSL VPN

Bug ID	Description
586035	The policy script-src 'self' will block the SSL VPN proxy URL.
615453	WebSocket using Socket.IO could not be established through SSL VPN web mode.
646339	SSL-SSH inspection profile changes to no-inspection after device reboots.
653349	SSL VPN web mode not working for Ec***re website.
661290	https://mo***.be site is non-accessible in SSL VPN web mode.
662871	SSL VPN web mode has problem accessing some pages on FortiAnalyzer 6.2.
664276	SSL VPN host check validation not working for SAML user.
665330	SDT application can no longer load secondary menu elements in SSL VPN web mode.
665408	Occasionally, 2FA SSL VPN users are unable to log in when two remote authentication servers with the same IP are used.
666855	FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients.
667780	Policy check cache should include user or group information.
667828	SSL VPN web mode authentication problem when accessing li***.com.
668574	Unable to load a video in SSL VPN web mode
669144	HTTPS access to ERP Sage X3 through web mode fails.
669497	Cannot view TIFF files in SSL VPN web mode.
669685	Split tunneling is not adding FQDN addresses to the routes.
669707	The jstor.org webpage is not loading via SSL VPN bookmark.
670042	Internal website, http://si***.ar, does not load a report over SSL VPN web portal.
670803	Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode.
675878	When matching multiple SSL VPN firewall policies, SSL VPN checks the group list from bottom to top, and the user is mapped to the incorrect portal.
676345	SSL VPN web mode is unable to open some webpages on the internal site, https://vi***.se, portal.
677167	SSL VPN web mode has problem accessing Sapepronto server.

Switch Controller

Bug ID	Description
671135	flcfg crashes while configuring FortiSwitches through FortiLink.

System

Bug ID	Description
521213	Read-only administrators should be able to run diagnose sniffer packet command.
606360	HQIP loopback test failed with configured software switch.
627236	TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.
630861	Support FortiManager when private-data-encryption is enabled in FortiOS.
634202	STP does not work in transparent mode.
644782	A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.
651420	Add support for interface-shaping-offload under system npu on SoC3 and SoC4 models.
657629	FG-101F cannot retrieve power fan status and BGP status via SNMP.
660709	The sflowd process has high CPU usage when application control is enabled.
662681	Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.
662687	Asynchronous SDK call may take a long time and cause HA A-P to have Kernel panic - not syncing error.
663083	Offloaded traffic from IPsec crossing the NPU VDOM link is dropped.
664268	No filename setting on BOOTP response when option 67 is set on the DHCP server.
664478	Kernel crash caused race condition on vlif accessing.
666030	Empty firewall objects after pushing several policy deletes.
666205	High CPU on L2TP process caused by loop.
666852	FortiGate local-out system DNS traffic for host names lookup continuously generates timeout DNS log if the primary server cannot resolve them.
668410	NP6lite SoC3 adapter drops packets after handed from kernel.
670838	It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%.
673263	High memory issue is caused by heavy traffic on the VDOM link.
673918	Read-only administrator with packet capture read-write permission cannot run diagnose sniffer command.
675418	FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email.

User & Authentication

Bug ID	Description
643583	radius-vdom-override and accprofile-override do not work when administrator has 2FA enabled.
658794	FortiGate sent CSR certificate instead of signed certificate to FortiManager when retrieve is performed.
663685	The authd process truncates user names to a length of 35 characters (this breaks RADIUS accounting and logging for very long user names).
665391	The authd process gets stuck with high CPU due to slow route lookup when the routing table is big. FSSO stops processing new authentication events.
666268	The authd process may crash if the FSSO server connection is disconnected.

VM

Bug ID	Description
641038	SSL VPN performance problem on OCI due to driver.
656701	FG-VMX service manager enters conserve mode; cmdbsvr has high memory utilization.
659333	Slow route change for HA failover in GCP cloud.
669822	Hot adding multiple CPUs at once to Xen-flavored VMs can result in a kernel panic crash.
671279	FG-VM64-AZURE-PAYG license/serial number get lost after downgrading to 6.2.6 from 6.4.3.
672312	Azure SDN connector does not offer all service tags.

WiFi Controller

Bug ID	Description
643854	Client traffic was dropped by CAPWAP offloading when it connected from a mesh leaf Forti-AP managed by a FWF-61F local radio.
672920	CAPWAP tunnel traffic is dropped when offloading is enabled (with FAP managed by a VLAN interface).
673211	CAPWAP traffic drops on FG-300E when FortiAP is managed by VLAN interface.
674342	The cw_acd crashes after upgrading to 6.4.3 at cwAcLocal.
680503	The current Fortinet_Wifi certificate will expire on 2021-02-11.

Znane problemy:

Explicit Proxy

Bug ID	Description
664380	When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error.

Firewall

Bug ID	Description
667772	When NGFW mode is set to policy mode and a security policy is configured, the Quard daemon should start when either an anti-virus, web filter, application, IPS, or DLP profile is enabled.

FortiView

Bug ID	Description
628225	Compromised Hosts has error 500 when FQDN is set in config log fortianalyzer setting.
683413	Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled. Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats – WAN, and Top Vulnerable Endpoint Devices.

GUI

Bug ID	Description
602397	FortiSwitch port page is noticeably slow for large topology.
665111	Unable use break function or other add a line break when editing replacement messages in the GUI.
673496	Red highlight appears when attempting to save phase 2 configurations using the Complete Section button.
676165	Script pushed from FortiManager 6.4.2 to FortiOS 6.4.2 to add address objects and address group succeeds. FortiOS GUI shows the new address group as empty.

HA

Bug ID	Description
540600	The HA hello-holddown value is divided by 10 in the hatalk daemon, which makes the hello-holddown time 10 times less than the configuration.
653642	FortiGate HA failover from FortiManager is not successful.
675781	HA cluster goes out of sync with new custom DDNS entry, and changes with respect to the ddns-key value.

Intrusion Prevention

Bug ID	Description
654307	Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

IPsec VPN

Bug ID	Description
642543	IPsec did not rekey when keylife expired after back-to-back HA failover.
644780	Rectify the consequences if we cancel password renewal is canceled on FortiClient.
652774	OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes have two ISPs and some have one, but the hubs have two.
670025	IKEv2 fragmentation-mtu option is not respected when EAP is used for authentication.
673049	FortiGate not sending its external interface IP in the IKE negotiation (Google Cloud Platform).

Log & Report

Bug ID	Description
661040	Cyrillic characters not displayed properly in local reports.
667274	FortiGate does not have log disk auto scan failure status log.
675347	In local log search, results returned immediately when there are checked logs.

Proxy

Bug ID	Description
658257	StartTLS-SMTP traffic gets blocked by the firewall when certificate inspection (proxy mode) and the IPS sensor are enabled in a policy.

Routing

Bug ID	Description
672061	In IPsec topology with hub and ~1000 spokes, hundreds of spoke tunnels are flapping, causing BGP instability for other spokes.
677928	SD-WAN with sit-tunnel as a member creates an unwanted default route.

SSL VPN

Bug ID	Description
550819	guacd is consuming too much memory and CPU resources during operation.
610995	SSL VPN web mode gets error when accessing internal website at https://st***.st***.ca/.

System

Bug ID	Description
464340	EHP drops for units with no NP service module.
555616	When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.
607565	Interface emac-vlan feature does not work on SoC4 platform.
647309	HA kernel crash at filter4 module and subsequent loop of failure at mm/vmalloc.c:1341/__get_vm_area_node()!.
649937	The diagnose geoip geoip-query command fails when fortiguard-anycast is disabled.
651103	FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.
668856	Offloaded traffic passing through two VDOMs connected with EMAC-VLANs is sometimes dropped.
669951	confsyncd may crash when there is an error parsing through the internet service database, but no error is returned.
672183	UDP 4500 inter-VDOM traffic not offloaded, causing BFD/IPsec to drop.
675508	When provisioning FortiGate and FortiSwitch with enforced 6.4.2 firmware in FortiManager, the physical port for FortiLink is down and cannot connect to the FortiSwitch.

User & Authentication

Bug ID	Description
580391	Unable to create MAC address-based policies in NGFW.

VM

Bug ID	Description
596742	Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.
617046	FG-VMX manager not showing all the nodes deployed.
639258	Autoscale GCP health check is not successful (port 8443 HTTPS).
646161	FG-VM8 does not recognize all memory allocated in Hyper-V.
668625	During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.
682420	Dialup IPsec tunnel from Azure may not be re-established after HA failover.

Web Filter

Bug ID	Description
675436	YouTube channel home page on blocklist is not blocked when directed from a YouTube search result.

WiFi Controller

Bug ID	Description
625630	FWF-60E hangs with looping kernel panic at WiFi driver.
662714	The security-redirect-url setting is missing when the portal-type is auth-mac.
672136	Log severity for wireless events in FortiWiFi and FortiAP should be reconsidered for CAPWAP teardown.
677994	Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

Notatki producenta-FortiOS 6.4.4

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

6.4.4 FortiGate FortiOS FortiOS 6.4.4