Producent oprogramowania Fortinet udostępnił najnowszą wersję oprogramowania z rodziny 6.4 o numerze wersji 6.4.8. W najnowszej wersji naprawiono błędy związane z certyfikatem ROOT na FortiGate oraz problemem z ważnymi certyfikatami stron internetowych które były oznaczane jako błędne lub wygasłe. Aby przywrócić poprawne i w pełni bezpieczne działanie FortiGate należy cofnąć ustawienia omijające problem zastosowane w trakcie wystąpienia awarii certyfikatu.
Instrukcja przywrócenia pełni Funkcjonalności z certyfikatem SSL
Cofnięcie konfiguracji DNS Blackhole:
Zmiana rekomendowana przez Fortinet w trakcie awarii:
config system dns-database
edit „1”
set domain „identrust.com”
config dns-entry
edit 1
set hostname „apps”
set ip 127.0.0.1
next
end
next
end
Cofnięcie zmian:
config system dns-database
delete 1
end
W przypadku zmian w inspekcji SSL:
Zmiana rekomendowana przez Fortinet w trakcie awarii:
config firewall ssl-ssh-profile
edit „certificate-inspection”
config https
set expired-server-cert allow
set untrusted-server-cert allow
end
Cofnięcie zmian:
config firewall ssl-ssh-profile
edit „certificate-inspection”
config https
set expired-server-cert block
set untrusted-server-cert block
end
Po więcej ciekawych informacji zachęcamy do przeczytania dalszej części artykułu.
Aktualnie wspierane modele:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-81E, FG-81E-POE, FG-81F, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG‑300D, FG-300E, FG-301E, FG‑400D, FG‑400E, FG-400E-BP, FG‑401E, FG‑500D, FG‑500E, FG-501E, FG-600D, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG‑3810D, FG-3815D, FG-5001D, FG-3960E, FG‑3980E, FG-5001E, FG‑5001E1 |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
| FortiGate VM | FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG‑VM64-GCPONDEMAND, FG-VM64-HV, FG-VM64-IBM, FG‑VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VMX, FG-VM64-XEN |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
| FG-80F-POE | is released on build 5042. |
| FG-81F-POE | is released on build 5042. |
| FWF-80F-2R | is released on build 5042. |
| FWF-81F-2R | is released on build 5042. |
| FWF-81F-2R-POE | is released on build 5042. |
Rozwiązane problemy:
User & Authentication
| Bug ID | Description |
|---|---|
| 750551 | DST_Root_CA_X3 certificate is expired. |
| 757883 | FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid. |
Znane problemy:
Anti Virus
| Bug ID | Description |
|---|---|
| 665173 | Crash logs are sometimes truncated/incomplete. |
| 752420 | If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 607230 | Percent encoding is not converted in FTP over HTTP explicit proxy. |
| 721039 | Short disconnections of streaming applications (Teams and Whereby) through explicit proxy. |
Firewall
| Bug ID | Description |
|---|---|
| 719311 | FortiGate is partially not showing policies after upgrading from 6.2.7 to 6.4.5. |
| 729245 | HTTP/1.0 health check should process the whole response when http-match is set. |
| 738584 | Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy. |
| 745853 | FortiGate stops sending logs to Netflow traffic because the Netflow session cleanup routine runs for too long when there are many long live sessions in the cache. |
FortiView
| Bug ID | Description |
|---|---|
| 683654 | FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view. |
GUI
| Bug ID | Description |
|---|---|
| 440197 | On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
| 608770 | When there is no IP/IPv6 address setting for Zone, the GUI incorrectly displays 0.0.0.0/0.0.0.0 for IP/Netmask and ::/0 for IPv6 Address. |
| 610572 | Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user’s account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user’s current login session is not subject to the configured expiration time.
Workaround: do not click on the OK button. Click the Cancel button to close the page. |
| 653952 | The web page cannot be found is displayed when a dashboard ID no longer exists.
Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again. |
| 688016 | GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy. |
| 695163 | When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.
Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs. |
| 696573 | Firewall policy is not visible in GUI when using set internet-service src enable. |
| 699508 | When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in. |
| 704618 | When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.
Workaround: refresh the browser. |
| 713529 | When FortiAnalyzer is configured, the HTTPS daemon may crash when processing some FortiAnalyzer log requests. There is no apparent impact on the GUI operation. |
| 720613 | The event log sometimes contains duplicated lines when downloaded from the GUI. |
| 720657 | Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.
Workaround: use the CLI. |
| 733375 | On the VPN > SSL-VPN Settings page, after clicking Apply, source-address objects become source-address6 objects if IPv6 is enabled. |
| 735248 | On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.
Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis. |
| 742561 | On the Network > Interfaces page, after upgrading to FortiOS 6.4.7, a previously valid VLAN switch VLAN ID of 0 now displays the error message The minimum value is 2. |
| 743477 | On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work. |
| 745325 | When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default. |
| 745998 | An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used. |
HA
| Bug ID | Description |
|---|---|
| 662978 | Long lasting sessions are expired on HA secondary device with a 10G interface. |
| 680753 | admin-restrict-local feature does not work on management interface in HA cluster. |
| 717788 | FGSP has problem at failover when NTurbo or offloading is enabled (IPv4) with virtual wire pair traffic. |
| 725240 | HA cluster goes out of sync due to mismatched vpn.certificate.crl checksum. |
| 732201 | VDOM restore on an already configured VDOM causes high CPU sometimes on the primary. |
| 740743 | When enabling lag-out-port-select, both cluster units simultaneously reboot. |
| 744826 | API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled. |
| 746008 | DNS may not resolve on the correct blade in a 6K/7K virtual cluster environment. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 654307 | Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode. |
| 665755 | The global UTM profiles named with a g- prefix are shared between all VDOMs and logically do not belong to any VDOM. When they are changed, the ipshelper cannot always refresh its configuration because the ipshelper tries to check each VDOM profile. |
| 682071 | IPS signatures not working with VIP in proxy mode. |
| 746467 | IPS engine crashes when IPS injects packets to vNP and vNP/DPDK fails to restart (crashes and sometimes is out of service). |
IPsec VPN
| Bug ID | Description |
|---|---|
| 668997 | Duplicate entry found error shown when assigning multiple dialup IPsec tunnels with the same secondary IP in the GUI. |
| 691178 | Exchanging IPs does not work with multiple dynamic tunnels. |
| 691718 | Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers. |
| 715671 | Traffic is failing on dialup VPN IKEv2 with EAP authentication. |
| 717082 | FortiGate keeps initiating DHCP SA rekey after lifetime expires. |
| 726450 | Local out dialup IPsec traffic does not match policy-based routes. |
| 729760 | The ADVPN forwarder does not currently track the shortcut query that it forwards. Shortcut queries and replies are forwarded or terminated solely based on the route lookup. |
| 735430 | TCP SYN-ACKs are silently dropped if the traffic is sourced from a dialup IPsec tunnel and UTM is enabled. |
| 743732 | If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake. |
| 752947 | The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate. |
Log & Report
| Bug ID | Description |
|---|---|
| 724827 | Syslogd is using the wrong source IP when configured with interface-select-method auto. |
| 731154 | SSL VPN tunnel down event log (log ID 39948) is missing. |
Proxy
| Bug ID | Description |
|---|---|
| 568905 | WAD crashes due to RCX having a null value. |
| 582464 | WAD SSL crash due to wrong cipher options chosen. |
| 604681 | WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.
Workaround: disable SoC SSL acceleration under the firewall SSL settings. |
| 712584 | WAD memory leak causes device to go into conserve mode. |
| 726999 | WAD crash on wad_hash_map_del. |
| 728641 | SSL renegotiation fails when Firefox offers TLS 1.3, but the server decides to use TLS 1.2. |
| 733760 | Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app. |
| 744756 | Web proxy forward server group could not recover sometimes if the FQDN is not resolved. |
REST API
| Bug ID | Description |
|---|---|
| 743743 | httpsd crashes due to GET /api/v2/log/.../virus/archive request when the mkey is not provided. |
Routing
| Bug ID | Description |
|---|---|
| 670031 | LDAP traffic that originates from the FortiGate is not following SD-WAN rule. |
| 693988 | For DSL interface, adding static route with set dynamic-gateway enable does not add route to routing table. |
| 723726 | BGP session drops between virtual wire pair with auto-asic-offload enabled in policy. |
| 724574 | BFD neighborship is lost between hub and spoke. One side shows BFD as down, and other side does not show the neighbor in the list. |
| 725322 | Improve the help text for distance to indicate that 255 means unreachable. |
| 729002 | PIM/PIM6 does not send out unicast packet with the correct source IP if interface is not specified. |
| 731941 | Disconnected from FortiAnalyzer events reported when the interface-select-method is set to specify, and the interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection. |
| 746000 | Multicast streams sourced on SSL VPN client are not registered in PIM-SM. |
| 748733 | Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop. |
Security Fabric
| Bug ID | Description |
|---|---|
| 614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
| 635183 | ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector. |
| 670451 | ACI SDN connector (connected by aci-direct) shows curl error 7 when updating from second VDOM. |
| 738344 | When CSF root synchronizes a large automation setting (over 16000) to the downstream FortiGate, csfd crashes while trying to process the relay message. |
| 741346 | The variable %%date%% resolves into 1900-01-00 instead of actual date when the schedule trigger type is used. |
| 742743 | Security rating Issue with unused deny policies. |
| 745263 | AV & IPS DB Update automation trigger is not working when clicking Update Licenses & Definitions Now in the GUI. |
| 746950 | When an Azure network interface ID contains upper case letters, the Azure SDN connector may not retrieve that network interface. |
SSL VPN
| Bug ID | Description |
|---|---|
| 676673 | Ciphers with ARIA, AESCCM, and CHACHA cannot be banned for SSL VPN. |
| 677057 | SSL VPN firewall policy creation via CLI does not require setting user identity. |
| 693519 | SSL VPN authentication fails for PKI user with LDAP. |
| 706646 | SolarWinds Orion NPM platform’s web application has issues in SSL VPN web mode. |
| 707792 | SSL VPN connection breaks when deleting irrelevant CA and PKI is involved. |
| 710657 | The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set. |
| 711974 | SSL VPN bookmarks are not working correctly with multiple SD-WAN zones. |
| 718133 | In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes. |
| 726338 | The wildcard matching method does not always work as expected because the kernel sometimes does not have the address yet. |
| 726576 | Internal webpage with JavaScript is not loading in SSL VPN web mode. |
| 730416 | Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode. |
| 731278 | Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode. |
| 737341 | Some links and buttons are not working properly when accessing them through SSL VPN web mode. |
| 737894 | If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy. |
| 738711 | FortiClient error message is not pertinent when the client does not meet host checking requirements. |
| 745499 | In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak. |
| 746990 | RADIUS accounting messages after SSL VPN do not include the Class attribute (Group name). |
| 747352 | Internal web server page, https://te***.ss***.es:10443, is not loading properly in SSL VPN web mode. |
| 749918 | Keyboard keys do not work with RDP bookmarks when PT-BR and PT-BR-ABNT2 layouts are chosen. |
System
| Bug ID | Description |
|---|---|
| 555616 | When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from. |
| 607565 | Interface emac-vlan feature does not work on SoC4 platform. |
| 639861 | Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E. |
| 644616 | NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface. |
| 648085 | Link status on peer device is not down when the admin port is down on the FortiGate. |
| 679035 | NP6 drops, and bandwidth limited to under 10 Gbps. |
| 681322 | TCP 8008 permitted by authd, even though the service in the policy does not include that port. |
| 687398 | Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices. |
| 696556 | Support gtp-enhance-mode (GTP-U) on FG-3815D. |
| 699152 | QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E. |
| 702966 | There was a memory leak in the administrator login debug that caused the getty daemon to be killed. |
| 704981 | LLDP transmission fails if there are nested software switches. |
| 705878 | Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched. |
| 713835 | The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in. |
| 714805 | FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev. |
| 715978 | NTurbo does not work with EMAC VLAN interface. |
| 716341 | SFP28 port flapping when the speed is set to 10G. |
| 716483 | DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured. |
| 718571 | In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again. |
| 721487 | FortiGate often enters conserve mode due to high memory usage by httpsd process. |
| 721789 | Account profile settings changed after firmware upgrade. |
| 722547 | Fragmented SKB size occurs if the tail room is too small to carry the NTurbo vtag, which causes packets to be dropped. |
| 724065 | Power supply 2 DC is lost log only appears when unplugging the power cable from power supply 2. |
| 728647 | DHCP discovery dropped on virtual wire pair when UTM is enabled. |
| 732633 | DNS query timeout log generated for first entry in DNS domain list when multiple domains are added. |
| 732760 | SNMP trap packets are sometimes not sent from the primary ha-direct interface to all SNMP managers after upgrading. |
| 740649 | FortiGate sends CSR configuration without double quote (") to FortiManager. |
| 745017 | get system checksum status should only display checksums for VDOMs the current user has permissions for. |
User & Authentication
| Bug ID | Description |
|---|---|
| 682394 | FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint. |
| 691838 | Memory leaks and crashes observed during stress long duration performance test when using FortiToken Cloud. |
| 701356 | When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.
Workaround: manually unset config system global
unset admin-server-cert
end
config system global
set admin-server-cert <scep_certificate>
end
|
| 722234 | FSSO AD polling mode connector does not work with LDAPS. |
| 725327 | FSSO user fails to log in with principal user name. |
| 739702 | There are unknown user logins on the FortiGate and the logs do not have any information for the unknown user. |
| 741403 | Unknown user log in to FortiGate does not provide any information for the unknown user. |
| 744014 | LLDP neighbors cannot be seen on virtual switch ports. |
VM
| Bug ID | Description |
|---|---|
| 596742 | Azure SDN connector replicates configuration from primary device to secondary device during configuration restore. |
| 617046 | FG-VMX manager not showing all the nodes deployed. |
| 639258 | Autoscale GCP health check is not successful (port 8443 HTTPS). |
| 668625 | During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available. |
| 722290 | Azure slow path NetVSC SoftNIC has stuck RX.
If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address. |
| 736067 | NSX connector stops updating addresses sometimes. |
| 739376 | vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp. |
Web Filter
| Bug ID | Description |
|---|---|
| 717619 | Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 662714 | The security-redirect-url setting is missing when the portal-type is auth-mac. |
| 677994 | Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band. |
| 733608 | FG-5001D is unable to display managed FortiAPs after upgrading. |
| 748154 | 802.1X clients are disconnected following FortiGuard update. |
| 748479 | cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin. |
Notatki producenta: FortiOS 6.4.8
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
