The vendor of FortiGate devices has published a new release, FortiOS 7.0.12, which introduces many changes. The most important of these is the elimination of the following vulnerabilities:
- CVE-2022-43953
- CVE-2023-29178
- CVE-2023-27997
- CVE-2023-29180
- CVE-2023-29181
- CVE-2023-29179
The vulnerabilities affect different areas of FortiGate and can lead to service crashes, remote code execution or privilege escalation by an attacker. It is important to update FortiGate systems promptly and apply the patches provided by the vendor in order to eliminate these vulnerabilities. The update also changes the naming of roles in an HA cluster: master becomes primary and slave becomes secondary. More details in the article below.
Currently supported models:
Product | Models |
---|---|
FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-400F, FG-401F, FG-401E, FG-500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
FortiFirewall | FFW-3980E, FFW-VM64, FFW-VM64-KVM |
FortiGate VM | FG-ARM64-AWS, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Special branch supported models
The following models are released on a special branch of FortiOS 7.0.12. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 0523.
Model | Build |
---|---|
FG-80F-DSL | is released on build 6689. |
FG-1000F | is released on build 6681. |
FG-1001F | is released on build 6681. |
FG-3200F | is released on build 6675. |
FG-3201F | is released on build 6675. |
FG-3700F | is released on build 6675. |
FG-3701F | is released on build 6675. |
FG-4800F | is released on build 6675. |
FG-4801F | is released on build 6675. |
FGR-70F | is released on build 6685. |
FGR-70F-3G4G | is released on build 6685. |
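As an added check (example code written for this article, not from the release notes or Fortinet), the following Python script parses the output of get system status and verifies that a unit reports 7.0.12 on the build expected for its model, using the special-branch table above. It assumes that the Version line has the form `Version: FortiGate-1000F v7.0.12,build6681,230725 (GA.M)`, that models not on the special branch report build 0523 (the same number the Branch point field shows), and that the model code is supplied by the caller from inventory rather than derived from the Version line. The sample outputs embedded in it are constructed, not captured from devices.

```python
"""Check that a FortiGate reports FortiOS 7.0.12 on the build expected for its model.

Added example, not Fortinet's code. Assumptions: `get system status` prints a line
"Version: <platform> v7.0.12,build<NNNN>,<date> (GA.M)" and a "Branch point: <NNNN>"
line; regular (non-special-branch) models report build 0523, which is also the branch
point that special-branch builds report.
"""
import re

RELEASE = "7.0.12"
BRANCH_POINT = 523  # "Branch point: 0523"; assumed to equal the regular build number

# Special-branch models and their builds, taken from the release notes table above.
SPECIAL_BRANCH_BUILDS = {
    "FG-80F-DSL": 6689,
    "FG-1000F": 6681, "FG-1001F": 6681,
    "FG-3200F": 6675, "FG-3201F": 6675,
    "FG-3700F": 6675, "FG-3701F": 6675,
    "FG-4800F": 6675, "FG-4801F": 6675,
    "FGR-70F": 6685, "FGR-70F-3G4G": 6685,
}

_VERSION_RE = re.compile(r"^Version:\s*\S+\s+v(\d+\.\d+\.\d+),build(\d+)", re.M)
_BRANCH_RE = re.compile(r"^Branch point:\s*(\d+)", re.M)


def parse_system_status(text: str) -> dict:
    """Extract version, build number and branch point from `get system status` output."""
    v = _VERSION_RE.search(text)
    if not v:
        raise ValueError("no Version line found in get system status output")
    b = _BRANCH_RE.search(text)
    return {
        "version": v.group(1),
        "build": int(v.group(2)),
        "branch_point": int(b.group(1)) if b else None,
    }


def expected_build(model: str) -> int:
    """Build a model should run on 7.0.12: the special-branch build, else the regular build."""
    return SPECIAL_BRANCH_BUILDS.get(model, BRANCH_POINT)


def check_system_status(model: str, text: str) -> list:
    """Return findings for one unit; an empty list means it is on the expected 7.0.12 build."""
    st = parse_system_status(text)
    findings = []
    if st["version"] != RELEASE:
        findings.append(f"{model}: running {st['version']}, expected {RELEASE}")
        return findings  # build numbers of other releases are not comparable
    want = expected_build(model)
    if st["build"] != want:
        findings.append(f"{model}: build {st['build']:04d}, expected {want:04d}")
    if model in SPECIAL_BRANCH_BUILDS and st["branch_point"] != BRANCH_POINT:
        findings.append(f"{model}: branch point {st['branch_point']}, expected {BRANCH_POINT:04d}")
    return findings


# Constructed sample outputs (abridged, not captured from real devices).
SAMPLE_OK = """\
Version: FortiGate-1000F v7.0.12,build6681,230725 (GA.M)
Security Level: 0
Branch point: 0523
Release Version Information: GA
"""
SAMPLE_WRONG_BRANCH = """\
Version: FortiGate-1000F v7.0.12,build0523,230620 (GA.M)
Branch point: 0523
"""
SAMPLE_OLD = """\
Version: FortiGate-100F v7.0.11,build0489,230428 (GA.M)
Branch point: 0489
"""

if __name__ == "__main__":
    for model, text in (("FG-1000F", SAMPLE_OK),
                        ("FG-1000F", SAMPLE_WRONG_BRANCH),
                        ("FG-100F", SAMPLE_OLD)):
        print(model, check_system_status(model, text) or "OK")
```

The special-branch check matters because a FG-1000F that shows v7.0.12 with build 0523 is not on the build Fortinet ships for that model, even though the version string looks correct; feed the script the saved output of get system status per device together with the model code from your inventory.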
Resolved issues:
Application Control
Bug ID | Description |
---|---|
857632 | Unable to access some websites when application control with deep inspection is enabled. |
DNS Filter
Bug ID | Description |
---|---|
871854 | DNS UTM log still presents unknown FortiGuard category even when the DNS proxy received a rating value. |
878674 | Forward traffic log is generated for allowed DNS traffic if the DNS filter is enabled but the policy is set to log security events only. |
Firewall
Bug ID | Description |
---|---|
804603 | An httpsd signal 6 crash occurs due to /api/v2/monitor/license/forticare-resellers. |
GUI
Bug ID | Description |
---|---|
750727 | Applying a negate for the Application Name column in the log viewer is not working as expected. |
827893 | Security rating test for FortiCare Support fails when connected to FortiManager Cloud or FortiAnalyzer Cloud. |
862474 | IPsec tunnel interface Bandwidth widget inbound is zero and outbound value is lower than the binding interface. |
890683 | GUI being exposed to port 80 on the interfaces defined in the ACME settings, even if administrative access is disabled on the interface. |
897004 | On rare occasions, the GUI may display blank pages when the user navigates from one menu to another if there is a managed FortiSwitch present. |
899434 | A super_admin login is logged in the console logs when remotely logging in to a FortiGate with the FortiCloud portal using a prof_admin profile. |
HA
Bug ID | Description |
---|---|
846015 | First ICMP redirected from FGSP secondary is dropped on FGSP primary when UTM is enabled. |
868622 | The session is not synchronized after HA failover by detecting monitored interface as down. |
872686 | Configuration backup on standby unit fails when using SFTP. |
881847 | HA interfaces flapping on FG-3401E. |
883546 | In HA, sending a lot of CLI configurations causes the creation of a VDOM on the secondary unit. |
Intrusion Prevention
Bug ID | Description |
---|---|
839170 | IPS engine may crash (SIGALRM) when the system is busy because it might not receive enough run time. |
IPsec VPN
Bug ID | Description |
---|---|
788751 | IPsec VPN Interface shows incorrect TX/RX counter. |
855705 | NAT detection in shortcut tunnel sometimes goes wrong. |
858681 | When upgrading from 6.4.9 to 7.0.6 or 7.0.8, the traffic is not working between the spokes on the ADVPN environment. |
873097 | Phase 2 not initiating the rekey at soft limit timeout on new kernel platforms. |
885818 | If a tunnel in an IPsec aggregate is down but its DPD link is on, the IPsec aggregate interface may still forward traffic to a down tunnel causing traffic to drop. |
891462 | The Peer ID field in the IPsec widget should not show a warning message that Two-factor authentication is not enabled. |
892699 | In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down. |
898456 | NP7 devices become unresponsive until power cycle with rcu_sched self-detected stall on CPU because phase 2 is not initiating rekey at soft limit timeout. |
Log & Report
Bug ID | Description |
---|---|
823183 | FortiGates show Logs Queued in the GUI after a FortiAnalyzer reboot, even though the queued logs were actually all uploaded to FortiAnalyzer and cleared when the connection was restored. |
837116 | FortiCloud log statistics chart on the Log Settings page shows incorrect data. |
838253 | FortiAnalyzer log statistics chart on the Log Settings page shows incorrect data. |
857573 | Log filter with negation of destination IP displays all logs. |
860141 | Syslog did not update the time after daylight saving time (DST) adjustment. |
864219 | A miglogd crash occurs when creating a dynamic interface cache on an ADVPN environment. |
901545 | FG-40F/FWF-61F halts after upgrading. |
918571 | The log_se process resource utilization is causing a network outage. |
Proxy
Bug ID | Description |
---|---|
727629 | WAD encounters signal 11 crash. |
893022 | Proxy ARP returns no response. |
857507 | When a server sends a connection close response too early, traffic from the client may be interrupted inadvertently before the request is completed. |
874563 | User information attributes can cause disruption when they are not properly merged. |
901296 | WAD crash with HTTP forward request. |
Routing
Bug ID | Description |
---|---|
821149 | Early packet drop occurs when running UTM traffic on virtual switch interface. |
858299 | BGP routes redistributed into OSPF have their forwarding address changed to the tunnel ID. |
863318 | Application forticron signal 11 (Segmentation fault) occurs. |
864626 | FortiGate local traffic does not follow SD-WAN rules. |
883918 | Delay in joining (S,G) in PIM-SM. |
884372 | All BGP routes in dual ADVPN redundant configuration are not getting updated to the correct WAN interface post-rollback to WAN failover. |
890379 | After upgrading, SD-WAN is unable to fail over the traffic when one interface is down. |
897940 | Link monitor’s probe timeout value range is not appropriate when the user decreases the minimum interval. |
Security Fabric
Bug ID | Description |
---|---|
825291 | Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud. |
853406 | External resource full certificate check does not validate certificate when URI is an IP address. |
SSL VPN
Bug ID | Description |
---|---|
781581 | Customer internal website is not shown correctly in SSL VPN web mode. |
868491 | SSL VPN web mode connection to VMware vCenter 7 is not working. |
871039 | Internal website is not displaying user-uploaded PDF files when visited through SSL VPN web mode. |
872745 | SSL VPN web mode to RDP broker leads to connection being closed. |
873313 | SSL VPN policy is ignored if no user or user group is set and the FSSO group is set. |
873995 | Problem with the internal website using SSL VPN web mode. |
877124 | RDP freezes in web mode with high CPU usage of SSL VPN process. |
884860 | SSL VPN tunnel mode gets disconnected when SSL VPN web mode is disconnected by limit-user-logins. |
896007 | Specific SAP feature is not working with SSL VPN web mode. |
System
Bug ID | Description |
---|---|
666664 | Interfaces belonging to other VDOMs should be removed from the interface list when configuring a GENEVE interface. |
724085 | Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected. |
766834 | forticron allocates over 700 MB of memory, causes the FortiGate to go into conserve mode, and causes kernel panic due to 100 MB of configured CRL. |
796094 | Egress traffic on EMAC VLAN is using base MAC address instead. |
805122 | In FIPS-CC mode, if cfg-save is set to revert, the system will halt on a configuration change or certificate purge. |
812957 | When setting the speed of 1G SFP ports on FG-180xF platforms to 1000full, the interface does not come up after rebooting. |
820268 | VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform. |
821000 | QSFP and QSFP+ Fortinet transceivers are not operational on FG-3401E. |
859795 | High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an IP from DHCP. |
869305 | SNMP multicast counters are not increasing. |
876403 | ACME auto-renewal is not performed after HA failover. |
878400 | When traffic is offloaded to an NP7, the source MAC address of packets sent from the EMAC VLAN interface is incorrect. |
881094 | FG-3501F NP7 is dropping all traffic after it is offloaded. |
882187 | FortiGate enters conserve mode in a few hours after enabling UTM on the policies. |
883071 | Kernel panic occurs due to null pointer dereference. |
887268 | Unable to configure dscp-based-priority when traffic-priority dscp is configured under system global. |
892195 | LAG interface has NOARP flag after interface settings change. |
899884 | FG-3000F reboots unexpectedly with NULL pointer dereference. |
909345 | Kernel panic occurs when receiving ICMP redirect messages. |
Upgrade
Bug ID | Description |
---|---|
900761 | FG-601E crashes randomly after upgrading to 7.0.8 and 7.0.11. |
Web Filter
Bug ID | Description |
---|---|
863728 | The urlfilter process causes a memory leak, even when the firewall policy is not using the web filter feature. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
862346 | FortiOS 7.0.12 is no longer vulnerable to the following CVE Reference: |
894631 | FortiOS 7.0.12 is no longer vulnerable to the following CVE Reference: |
898402 | FortiOS 7.0.12 is no longer vulnerable to the following CVE Reference: |
903303 | FortiOS 7.0.12 is no longer vulnerable to the following CVE Reference: |
909716 | FortiOS 7.0.12 is no longer vulnerable to the following CVE Reference: |
909722 | FortiOS 7.0.12 is no longer vulnerable to the following CVE Reference: |
Known issues:
Anti Spam
Bug ID | Description |
---|---|
877613 | Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI. |
Endpoint Control
Bug ID | Description |
---|---|
730767 | The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.
Workaround: delete the EMS Cloud entry then add it back. |
Explicit Proxy
Bug ID | Description |
---|---|
817582 | When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality. |
Firewall
Bug ID | Description |
---|---|
719311 | On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.
Workaround: rename the custom section to unique name between IPv4 and IPv6 policies. |
843554 | If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI. This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly. Workaround: create a new service in the CLI, or move a non-IP type service to the top of the firewall service list. For example: `config firewall service custom`, `edit "unused"`, `set tcp-portrange 1`, `next`, `move "unused" before "ALL"`, `end`. |
897849 | Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label .
Workaround: drag and drop the policy to the correct sequence group in the GUI, or remove the
|
GUI
Bug ID | Description |
---|---|
440197 | On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
677806 | On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status. |
685431 | On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.
Workaround: use the CLI to configure policies. |
707589 | System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed. |
708005 | When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator.
Workaround: use Chrome, Edge, or Safari as the browser. |
755177 | When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path. |
810225 | An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms. |
853352 | On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries. |
898902 | In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.
Workaround: use the CLI to configure |
HA
Bug ID | Description |
---|---|
810286 | FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect. |
818432 | When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures. |
Hyperscale
Bug ID | Description |
---|---|
795853 | VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM. |
811109 | FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG. |
836976 | Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log-processor setting from hardware to host for the hardware log server added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods. |
838654 | Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic. |
839958 | service-negate does not work as expected in a hyperscale deny policy. |
842659 | srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS. |
843132 | Access control list (ACL) policies added to a hyperscale firewall VDOM that is processing traffic may take longer than expected to become effective. During a transition period, traffic that should be blocked by the new ACL policy will be allowed. |
843197 | Output of diagnose sys npu-session list/list-full does not mention policy route information. |
843266 | A diagnose command should be available to show hit_count/last_used for policy route and NPU session on a hyperscale VDOM. |
843305 | A PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error is logged when the system boots up. |
844421 | The diagnose firewall ippool list command does not show the correct output for overload type IP pools. |
846520 | NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover. |
IPsec VPN
Bug ID | Description |
---|---|
761754 | IPsec aggregate static route is not marked inactive if the IPsec aggregate is down. |
Log & Report
Bug ID | Description |
---|---|
850642 | Logs are not seen for traffic passing through the firewall. |
860822 | When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.
Workaround: use a double backslash (domain\\username) when filtering, or search by username only without the domain. |
Proxy
Bug ID | Description |
---|---|
836101 | FortiGate is entering conserve mode due to a WAD memory leak. |
837724 | WAD crash occurs. |
Security Fabric
Bug ID | Description |
---|---|
614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
794703 | Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results. |
System
Bug ID | Description |
---|---|
847664 | Console may display mce: [Hardware Error] error message after fresh image burn or reboot. |
884023 | When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out. |
900670 | QSFP/QSFP+ port23/port24 are down after upgrading to 7.0.11 on FG-3401E. |
903397 | After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE. |
User & Authentication
Bug ID | Description |
---|---|
765184 | RADIUS authentication failover between two servers for high availability does not work as expected. |
Web Filter
Bug ID | Description |
---|---|
766126 | Block replacement page is not pushed automatically to replace the video content when using a video filter. |
WiFi Controller
Bug ID | Description |
---|---|
814541 | When there is a very large number of managed FortiAP devices (over 500) and a large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation. |
904349 | Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.
Workaround: use the CLI to update the profile to dual-5G mode. |
ZTNA
Bug ID | Description |
---|---|
848222 | ZTNA TCP forwarding is not working when a real server is configured with an FQDN address type.
An FQDN address type that can resolve public IPs is not recommended for ZTNA TCP forwarding on real servers, because the configured internal DNS database zone tries to override that resolution at the same time. As a result, the internal private address may not take effect after a reboot, and ZTNA TCP forwarding fails because the real server cannot be found. |