Fortinet has released an update for the FortiOS 7.0 family! The latest version, 7.0.10, fixes excessive memory consumption by the WAD process, which caused the device to enter conserve mode. It also fixes incorrect device behaviour when policy routes were configured, and a problem with RDP connections made through SSL VPN web mode.

Currently supported models:

| Product | Models |
|---|---|
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-500E, FG-501E, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG-5001E1 |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
| FortiGate VM | FG-ARM64-AWS, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
| Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Resolved issues:

Firewall

| Bug ID | Description |
|---|---|
| 865661 | Standard and full ISDB sizes are not configurable on FG-101F. |

Proxy

| Bug ID | Description |
|---|---|
| 818371 | WAD process crashes with some URIs. |
| 855882 | Increase in WAD process memory usage after upgrading. |
| 856235 | The WAD process memory usage gradually increases over a few days, causing the FortiGate to enter into conserve mode. |

Routing

| Bug ID | Description |
|---|---|
| 847037 | When the policy route has a set gateway, the FortiGate is not following the policy route to forward traffic and sends unreasonable ARP requests. |

Security Fabric

| Bug ID | Description |
|---|---|
| 839258 | Unable to add another FortiGate to the Security Fabric after updating to the latest patch. |

SSL VPN

| Bug ID | Description |
|---|---|
| 746230 | SSL VPN web mode cannot display certain websites that are internal bookmarks. |
| 848067 | RDP over SSL VPN web mode stops working after upgrading. |
System

| Bug ID | Description |
|---|---|
| 724085 | Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If `auto-asic-offload` is disabled in the firewall policy, then the traffic flows as expected. |
| 824543 | The reply-to option in the email server settings is no longer visible in a default server configuration on FortiOS 7.2.0. |
| 827240 | FortiGate in HA may freeze and reboot. Before the reboot, softIRQ may be seen as high. This leads to a kernel panic. |
| 847077 | `Can't find xitem. Drop the response.` error appears for DHCPOFFER packets in the DHCP relay debug. |
| 853794 | Issue with the `server_host_key_algorithm` compatibility when using SSH on SolarWinds. |
| 855573 | False alarm of the PSU2 occurs with only one installed. |
| 856202 | Random reboots and kernel panic on NP7 cluster when the FortiGate sends a TCP RST packet and IP options are missing in the header. |
| 859717 | The FortiGate is only offering the ssh-ed25519 algorithm for an SSH connection. |

Upgrade

| Bug ID | Description |
|---|---|
| 850691 | The `endpoint-control fctems` entry 0 is added after upgrading from 6.4 to 7.0.8 when the FortiGate does not have an EMS server, which means the `endpoint-control fctems` feature was not enabled previously. This leads to a FortiManager installation failure. |
Known issues:

Anti Virus

| Bug ID | Description |
|---|---|
| 818092 | CDR archived files are deleted at random times and not retained. |
| 845960 | Flow mode opens port 8008 over the AV profile that does not have HTTP scan enabled. |

Endpoint Control

| Bug ID | Description |
|---|---|
| 730767 | The new HA primary FortiGate cannot get EMS Cloud information when HA switches over. Workaround: delete the EMS Cloud entry, then add it back. |
| 834168 | FortiGates get deauthorized on EMS. Workaround: manually authorize the affected FortiGates every ten minutes (approximately). |

Explicit Proxy

| Bug ID | Description |
|---|---|
| 823319 | Authentication hard timeout is not respected for firewall users synchronized from WAD user. |
| 865135 | Multipart boundary parsing failed with CRLF before the end of boundary 1. |

Firewall

| Bug ID | Description |
|---|---|
| 728734 | The VIP group hit count in the table (Policy & Objects > Virtual IPs) is not reflecting the correct sum of VIP members. |
| 794901 | Unable to create a geography type address object; a `Can not be geography address when it is a member of addrgrp used by ipsec_tunnel!` error is returned. |
| 840689 | Virtual server aborts connection when `ssl-max-version` is set to `tls-1.3`. |
| 847086 | Unable to add additional MAC address objects in an address group that already has 152 MAC address objects. |
| 852714 | Making a full HTTP session is sometimes bypassed if `ssl-hsts` is enabled for a server-load-balance VIP. |
| 854901 | Full cone NAT (`permit-any-host enable`) causes TCP session clash. |
| 860480 | FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later. |
| 861990 | Increased CPU usage in softIRQ after upgrading from 7.0.5 to 7.0.6. |
GUI

| Bug ID | Description |
|---|---|
| 440197 | On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
| 677806 | On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status. |
| 685431 | On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies. Workaround: use the CLI to configure policies. |
| 707589 | System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed. |
| 708005 | When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator. Workaround: use Chrome, Edge, or Safari as the browser. |
| 722358 | When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode. |
| 755177 | When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path. |
| 773258 | FortiAP icon cannot be moved once placed on the WiFi map. |
| 810225 | An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms. |
| 821030 | Security Fabric root FortiGate is unable to resolve firewall object conflicts in the GUI. |
| 827893 | Security rating test result incorrectly shows Failed for FortiManager Cloud FortiCare support. |
| 833306 | Intermittent error, `Failed to retrieve FortiView data`, appears on real-time FortiView Sources and FortiView Destination monitor pages. |
| 843554 | The ALL service object is changed when a new object is created. |
| 845513 | On G-model profiles, changing the platform mode from single 5G (dedicated scan enabled) to dual 5G is not taking effect. |
| 853352 | On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries. |

HA

| Bug ID | Description |
|---|---|
| 662978 | Long-lasting sessions are expired on the HA secondary device with a 10G interface. |
| 777394 | Long-lasting sessions expire on the HA secondary in large session synchronization scenarios. |
| 810175 | `set admin-restrict-local` is not working for SSH. |
| 810286 | FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect. |
| 813207 | Virtual MAC address is sent inside GARP by the secondary unit after a reboot. |
| 818432 | When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures. |
| 830879 | Running `execute ha manage 0 <remote_admin>` fails and displays a `Permission denied, please try again.` error if the 169.254.0.0/16 local subnet is not in the trusted host list. |
| 835331 | Communication is disrupted when HA switching is performed in an environment where the VDOM is split to accommodate two IPoE lines. |
| 837888 | CLI deployment of a configuration to the secondary unit results in an unresponsive aggregate interface. |
| 840305 | Static ARP entry is removed after reboot or HA failover. |
| 854445 | When adding or removing an HA monitor interface, the link failure value is not updated. |
| 860497 | Output of `diagnose sys ntp status` is misleading when run on a secondary cluster member. |
| 864226 | FG-2600F kernel panic occurs after a failover on both members of the cluster. |
Hyperscale

| Bug ID | Description |
|---|---|
| 782674 | A few tasks are hung on issuing `stat verbose` on the secondary device. |
| 795853 | VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM. |
| 807476 | After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with `unregister_vf`. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled. |
| 811109 | FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to a LAG. |
| 836976 | Traffic impact on changing from log to hardware to log to host during runtime (with PPA enabled). |
| 838654 | Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic. |
| 839958 | `service-negate` does not work as expected in a hyperscale deny policy. |
| 842659 | `srcaddr-negate` and `dstaddr-negate` are not working properly for IPv6 traffic with FTS. |
| 843132 | After dynamically adding an ACL policy, the existing matched session is not cleared immediately. |
| 843197 | Output of `diagnose sys npu-session list` / `list-full` does not mention policy route information. |
| 843266 | Diagnose command should be available to show `hit_count` / `last_used` for policy route and NPU session on hyperscale VDOM. |
| 843305 | `PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS` console error log appears when the system boots up. |
| 844421 | The `diagnose firewall ippool list` command does not show the correct output for overload type IP pools. |
| 846520 | NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover. |
| 877696 | `KTRIE invalid node` related error and kernel panic on standby after adding a second device into A-P mode HA cluster. |

IPsec VPN

| Bug ID | Description |
|---|---|
| 761754 | IPsec aggregate static route is not marked inactive if the IPsec aggregate is down. |
| 810833 | IPsec static route gateway IP is set to the gateway of the tunnel interface when it is not specified. |
| 822651 | NP dropping packet in the incoming direction for SoC4 models. |

Log & Report

| Bug ID | Description |
|---|---|
| 838357 | A deny policy with log traffic disabled is generating logs. |
| 850519 | Log & Report > Forward Traffic logs do not return matching results when filtered with `!<application name>`. |
| 850642 | Logs are not seen for traffic passing through the firewall. |
| 860264 | The miglogd process may send empty logs to other logging devices. |
| 873987 | High memory usage from miglogd processes even without traffic. |

Proxy

| Bug ID | Description |
|---|---|
| 727629 | WAD encounters signal 11 crash. |
| 781613 | WAD crash occurs four times on FG-61F during stress testing. |
| 836101 | FortiGate is entering conserve mode due to a WAD memory leak. |
| 837724 | WAD crash occurs. |

Routing

| Bug ID | Description |
|---|---|
| 618684 | When HA failover is performed to the other cluster member that is not able to reach the BFD neighbor, the BFD session is down as expected but the static route is present in the routing table. |
| 708904 | `No IGMP-IF for ifindex` log points to multicast enabled interface. |
| 809321 | IS-IS LSP packets do not include the checksum and the authentication key (`[Checksum: [missing]]`, `[Checksum Status: Not present]` and `authentication "hmac-md5 (54), message digest]`). |
| 848270 | Reply traffic from the DNS proxy (DNS database) is choosing the wrong interface. |
| 850862 | GUI does not allow an AS path to be configured with multiple similar AS numbers. |
| 860075 | Traffic session is processed by a different SD-WAN rule and randomly times out. |
| 862165 | FortiGate does not add the route in the routing table when it changes for SD-WAN members. |
| 862418 | Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage. |
| 865914 | When BSM carries multiple CRPs, PIM might use the incorrect prefix to update the mroute's RP information. |
Security Fabric

| Bug ID | Description |
|---|---|
| 614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
| 794703 | Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results. |
| 801048 | During the FortiOS initialization process, there is a small chance that other services using UDP take the specific port that caused csfd initialization to fail. |
| 814674 | `Failed to retrieve upgrade progress` message appears when upgrading a FortiAP or FortiSwitch that is connected to a downstream FortiGate. |
| 825291 | FortiAnalyzer connection security rating fails for FortiAnalyzer Cloud. |
| 835765 | Automation stitch trigger is not working when the threshold based email alert is enabled in the configuration. |
| 870527 | FortiGate cannot display more than 500 VMs in a GCP dynamic address. |

SSL VPN

| Bug ID | Description |
|---|---|
| 783167 | Unable to load GitLab through SSL VPN web portal. |
| 803576 | Comments in front of the `<html>` tag are not handled well in HTML file in SSL VPN web mode. |
| 810239 | Unable to view PDF files in SSL VPN web mode. |
| 819754 | Multiple DNS suffixes cannot be set for the SSL VPN portal. |
| 825810 | SSL VPN web mode is unable to access EMS server. |
| 828194 | SSL VPN stops passing traffic after some time. |
| 831069 | A blank page is displayed after logging in to the back-end server in SSL VPN web mode. |
| 841788 | In policy-based NGFW mode, SSL VPN web mode access does not follow the firewall policy, accept for all destination addresses. |
| 850898 | OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13). |
| 852566 | User peer feature for one group to match to multiple user peers in the authentication rules is broken. |
| 854642 | Internal website with JavaScript is proxying some functions in SSL VPN web mode, which breaks them. |
| 863860 | RDP over SSL VPN web mode to a Windows Server changes the time zone to GMT. |

Switch Controller

| Bug ID | Description |
|---|---|
| 813216 | FortiLink goes down when CAPWAP offloading is enabled or disabled. |

System

| Bug ID | Description |
|---|---|
| 778794 | Incorrect values in NP7/hyperscale DoS policy anomaly logs. For packet rate-based meter log, the repeated numbers do not reflect the amount of dropped packets for a specific anomaly/attack; for the session counter meter log, the pps number is negative. |
| 784169 | When a virtual switch member port is set to be an alternate by STP, it should not reply with ARP; otherwise, the connected device will learn the MAC address from the alternate port and send subsequent packets to the alternate port. |
| 799487 | The debug zone uses over 400 MB of RAM. |
| 813162 | Kernel panic occurs after traffic goes through IPsec VPN tunnel and EMAC VLAN interface. |
| 813607 | LACP interfaces are flapping after upgrading to 6.4.9. |
| 818452 | The ifLastChange SNMP OID only shows zeros. |
| 819667 | 1G copper SFP port is always up on FG-260xF. |
| 826490 | NP7 platforms may reboot unexpectedly when unable to handle kernel null pointer de-reference. |
| 827241 | Unable to resolve sp***.saas.ap***.com on a specific VDOM. |
| 833062 | FortiGate becomes unresponsive, and there are many WAD and forticron crashes. |
| 841932 | The GUI and API stopped working after loading many interfaces due to httpsd stuck in a D state (kernel I/O socket). |
| 845736 | After rebooting the FortiGate, the MTU value on the VXLAN interface was changed. |
| 845781 | Kernel panic and regular reboots occur on NP7 platforms, which are caused by FortiOS trying to offload a receiving ESP packet from the EMAC VLAN interface and convert to an IPv6 destination address with NAT46 NPU offloaded sessions. |
| 847314 | NP7 platforms may encounter random kernel crash after reboot or factory reset. |
| 847664 | Console may display `mce: [Hardware Error]` error message after fresh image burn or reboot. |
| 849186 | Unexpected console error appears: `unregister_netdevice: waiting for pim6reg1 to become free. Usage count = 3`. |
| 850683 | Console keeps displaying `bcm_nl.nr_request_drop ...` after the FortiGate reboots because of the `cfg-save revert` setting under `config system global`. Affected platforms: FG-10xF and FG-20xF. |
| 850688 | FG-20xF system halts if setting `cfg-save` to `revert` under `config system global` and after the `cfg-revert-timeout` occurs. |
| 853811 | Fortinet 10 GB transceiver LACP flapping when shut/no shut was performed on the interface from the switch side. |
| 870381 | Memory corruption or incorrect memory access when processing a bad WQE. |
Upgrade

| Bug ID | Description |
|---|---|
| 854550 | After upgrading to 7.0.8, `replacemsg utm` parameters are not taken over and revert to the default. Affected replacement messages under `config system replacemsg utm`: `virus-html`, `virus-text`, `dlp-html`, `dlp-text`, and `appblk-html`. |

User & Authentication

| Bug ID | Description |
|---|---|
| 765184 | RADIUS authentication failover between two servers for high availability does not work as expected. |
| 835859 | Incorrect source MAC address is used in LLDP TX packet when the interface has `https` in `allowaccess`. |
| 842517 | Adding a local user to a group containing many users causes a delay in GUI and CLI due to cmdbsvr (high CPU). |
| 851233 | FortiToken activation emails should include HTTPS links to documentation instead of HTTP. |
| 853793 | FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP. |

VM

| Bug ID | Description |
|---|---|
| 740796 | IPv6 traffic triggers `<interface>: hw csum failure` message on CLI console. |
| 856645 | Session is not created over NSX imported object when traffic starts to flow. |
| 859165 | Unable to enable FIPS cipher mode on FG-VM-ARM64-AWS. |
| 860096 | CPU spike observed on all the cores in a GCP firewall VM. |
| 869359 | Azure auto-scale HA shows certificate error for secondary VM. |

WAN Optimization

| Bug ID | Description |
|---|---|
| 728861 | HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used. Workaround: set |

Web Filter

| Bug ID | Description |
|---|---|
| 766126 | Block replacement page is not pushed automatically to replace the video content when using a video filter. |

WiFi Controller

| Bug ID | Description |
|---|---|
| 858653 | Invalid wireless MAC OUI detected for a valid client on the network. |
| 865260 | Incorrect source IP in the self-originating traffic to RADIUS server. |
| 868022 | Wi-Fi clients on a RADIUS MAC MPSK SSID get prematurely de-authenticated by the secondary FortiGate in the HA cluster. |

ZTNA

| Bug ID | Description |
|---|---|
| 832508 | The EMS tag name (defined in the EMS server's Zero Trust Tagging Rules) format changed in 7.0.8 from `FCTEMS<serial_number>_<tag_name>` to `EMS<id>_ZTNA_<tag_name>`. After upgrading, the EMS tag format was converted properly in the CLI configuration, but the WAD daemon is unable to recognize this new format, so the ZTNA traffic will not match any ZTNA policies with EMS tag name checking enabled. Workaround: unset the |
| 848222 | ZTNA TCP forwarding is not working when a real server is configured with an FQDN address type. An FQDN address type that can resolve public IPs is not recommended for ZTNA TCP forwarding on real servers because the defined internal DNS database zone is trying to override it at the same time. By doing so, the internal private address may not take effect after rebooting, and causes a ZTNA TCP forwarding failure due to the real server not being found. |
| 865316 | Adding an EMS tag on the Policy & Objects > Firewall Policy edit page for a normal firewall policy forces NAT to be enabled. |
Vendor release notes: FortiOS 7.0.10

Best regards,
The B&B Team
Security in Business