Producent Fortinet, opublikował najnowszą aktualizację dla oprogramowania FortiOS o oznaczeniu 7.0.4. Dzięki nowej aktualizacji, zostały poprawione działania procesów WAD, które odpowiadają za filtrowanie sieci i procesy proxy. Ponadto technologia SLL VPN, została skorygowana pod względem wielu problemów, lecz między innymi połączenia VNC będą działać bezproblemowo. Od wersji 7.0.4, usprawniono procesy związane z interfejsem graficznym, gdzie błędy dotyczyły przekierowań adresów, lecz również logowań użytkowników FSSO. Nowe oprogramowanie udoskonaliło integrację z urządzeniami FortiSwtich jak i również z środowiskiem ZTNA. Po więcej szczegółowych informacji, zapraszam do dalszej części artykułu.

Aktualnie wspierane modele:

FortiGate	FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG‑500E, FG-501E, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG‑3980E, FG-5001E, FG‑5001E1
FortiWiFi	FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate Rugged	FGR-60F, FGR-60F-3G4G
FortiGate VM	FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
Pay-as-you-go images	FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

Rozwiązane problemy:

Anti Virus

Bug ID	Description
665173	Crash logs are sometimes truncated/incomplete.
723686	The partial fetch handling in the IMAP proxy only detects and scans the first fetched section, which allows threats in subsequent fetched sections to go through the firewall undetected.

Application Control

Bug ID	Description
752569	Per IP shaper under application list does not work as expected for some applications.

Data Leak Prevention

Bug ID	Description
763687	If a filter configured with set archive enable matches a HTTP post, the file is not submitted for archiving (unless full-archive proto is enabled).

DNS Filter

Bug ID	Description
748227	DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.
751759	DNS filter breaks DNS zone transfer because the client socket might close prematurely (in which there is still some data in the user space) if the server side closed the connection.

Endpoint Control

Bug ID	Description
744613	EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate.
747303	Some tagged endpoints’ registration is lost on the FortiGate.

Explicit Proxy

Bug ID	Description
664380	When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error.
747840	When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.
754259	When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.
755298	SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.

Firewall

Bug ID	Description
732604	TCP zero window advertisements not occurring in proxy mode and causing premature server disconnects.
739949	In HA vcluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics.
746891	Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.
747190	When auto-asic-offload is enabled in policy, IP-in-IP sessions show as expired while tunnel traffic goes through the FortiGate.
752411	Kernel panic occurs and device reboots due to pba_map_index overflow.
752899	Multicast packet is forwarded from non-VWP port to a VWP port.
754240	After a session updates its shaping policy, if the new shaping policy does not configure a per-IP shaper, the session will still use the old per-IP shaper from the previous shaping policy.
767226	When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet’s source IP instead of the external IP.

FortiView

Bug ID	Description
546312	Application filter does not work when the source is ISDB or unscanned.

GUI

Bug ID	Description
473841	Newly created deny policy incorrectly has logging disabled and can not be enabled when the CSF is enabled.
535794	Policy page should show new name/content for firewall objects after editing them from the tooltip.
663558	Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.
698435	The Edit Virtual IP page should not display Conflicts with the External IP of another VIP when changing the source filter setting.
714455	CLI shows EMS tag object in the address select list, but it is not available in the GUI omni select list.
729324	Managed FortiAPs and Managed FortiSwitches pages keep loading when VDOM administrator has netgrp and wifi read/write permissions.
730466	The search does not work on the Policy & Objects > Addresses page if there is a non-EMS address group with an EMS tag (invalid configuration).
730533	On the Policy & Objects > Firewall Policy page, an unclear error message appears when a user creates a new SSL VPN policy with a web mode portal and a VIP or VIP group is used as the destination address.
735248	On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.
738027	The Device Inventory widget shows no results when there are two user_info parameters.
742626	The VDOM dropdown list in the banner should be scrollable.
746239	Unable to create new VIP when there is another VIP with same external IP and mapped IP ranges and different services.
746953	On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.
748530	A gateway of 0.0.0.0 is not accepted in a policy route.
749451	On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 232-1.
750490	Firewall policy changes made in the GUI remove the replacement message group in that policy.
751219	Last Login in SSL-VPN widget is shown as NaN on macOS Safari.
751482	cmbdsvr signal 11 crash occurs when a wildcard FQDN is created with a duplicate ID.
752530	Sandbox status is shown as disabled on FortiGate Cloud widget when it is connected.
753000	Guest group that expires after first logon displays the duration variable as the Expires value. The value is correct if the administrator logs in and goes to Guest User Management.
753354	Interface migration wizard does not migrate all references.
753398	httpsd crashes after NGFW policy is deleted.
754539	On the Policy & Objects > Addresses page, filters applied on the Details column do not work.
755239	VIP with External IP configured to 0.0.0.0 is not showing in the GUI.
755625	Application control profile cannot be renamed from the GUI.
755893	Sometimes when changing the language from English to another language, the subcategories under the Dashboard menu do not change.
756420	On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up. Workaround: check the status in the CLI using diagnose fdsm central-mgmt-status.
757130	After upgrading, the new ACME certificates configured in the GUI are using the staging environment.
757570	Path already in use error appears when adding new HTTPS ZTNA API gateway entry (the CLI allows this configuration).
757606	Failed to retrieve info error appears when viewing the Users & Devices dashboard.
758820	Unable to restore encrypted backup configuration to TFTP server in the GUI.
760863	PPPoE interface is not selectable if interface type is SSL-VPN Tunnel.
761615	Unable to see details of Apache.Struts.MPV.Input.Validation.Bypass log.
761658	Failed to retrieve information warning appears on secondary node faceplate.
761933	FSSO user login is not sorted correctly by duration on Firewall Users widget.
762683	The feature to send an email under User & Authentication > Guest Management is grayed out.
764744	On the Network > Explicit Proxy page, the GUI does not support configuring multiple outgoing IP addresses. Workaround: use the CLI.
770948	When using NGFW policy-based mode, the VPN > Overlay Controller VPN option is removed.
772311	On the LDAP server page, when clicking Browse beside Distinguished Name and then clicking OK after viewing the query results, the LDAP server page is missing fields containing the server settings.

HA

Bug ID	Description
701367	In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.
711521	When HA failover happens, there is a time difference between the old secondary becoming the new primary and the new primary’s HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session’s traffic needs to be handled by the new secondary.
729719	When enabling ha-direct, some invalid configurations should be reset and hidden.
730770	After a hasync crash, the FGFM process stops sending keepalives.
731570	VDOMs added and deleted on the FGCP secondary device with the REST API are not synchronized between the FGCP cluster.
732201	VDOM restore on an already configured VDOM causes high CPU sometimes on the primary.
738934	No GARP is being sent out on the VWP interface upon HA failover, causing a long failover time.
740933	HA goes out of synchronization when uploading a local certificate.
747270	When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.
750004	The secondary FortiGate shows a DHCP IP was removed due to conflict, but it is not removed on the primary FortiGate.
752892	PPPoE connection gets disconnected during HA failover.
752928	fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.
753295	Configuration pushed from FortiManager does not respect standalone-config-sync and is pushed to all cluster members.
754599	SCTP sessions are not fully synchronized between nodes in FGSP.
757494	Unable to add a member to an aggregate interface that is down in a HA cluster.
760562	hasync crashes when the size of hasync statistics packets is invalid.
761581	Tunnel to Fortimanager is down log message is generated on the secondary FortiGate unit (without HA management interface).
766842	Long wait and timeout when upgrading FG- 3000D HA cluster due to vluster2 being enabled.

Intrusion Prevention

Bug ID	Description
739272	Users cannot visit websites with an explicit web proxy when the FortiGate enters conserve mode with fail-open disabled. Block pages appear with the replacement message, IPS Sensor Triggered!.
751027	FortiGate can only collect up to 128 packets when detected by a signature.

IPsec VPN

Bug ID	Description
715671	Traffic is failing on dialup VPN IKEv2 with EAP authentication.
726326, 745331	IPsec server with NP offloading drops packets with an invalid SPI during rekey.
740475	Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.
740624	FortiOS 7.0 has new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse over the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server replies on the static route over the dynamic tunnel interface to route the traffic back to the client.
743732	If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.
744598	Tunnel interface MTU settings do not work when net-device is enabled in phase 1.
748746	OCVPN is unable to retain set save-password enable option.
752947	The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.
760428	iked crashes due to responder child_sa creation failing in some cases.
762953	When the primary unit synchronizes the dialup mode-cfg assigned IP to the secondary unit, the mode-cfg IP is not marked as used in the IP pool. After a HA failover to the secondary unit, the new primary will assign the used IP to a new client. This caused a route clash, and the connection keeps getting flushed and re-established.
767945	In a setup with IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).
771302	Spoke cannot register to OCVPN when FortiGate is in policy-based NGFW mode.

Log & Report

Bug ID	Description
621329	Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.
745689	Unknown interface is shown in flow-based UTM logs.
747854	PDF report generation fails due to an HPDF API error when it is drawing a circle and there is only one entry in the SQL result.
749440	IPS malicious URL database (idsurldb, MUDB) update entry in FortiGate update succeeded log is delayed from the actual update timing.
749842	The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.
751358	Unable to set source IP for FortiCloud unless FortiCloud is already activated.
753904	The reportd process consumes a high amount of CPU.
754143	Add srcreputation and dstreputation fields in the forward traffic logs to provide the reputation level of the source and destination when the traffic matches an entry in the internet service database.
757703	Report suddenly cannot be generated due to no response from reportd.

Proxy

Bug ID	Description
568905	WAD crashes due to RCX having a null value.
712584	WAD memory leak causes device to go into conserve mode.
723764	Replacement page is not provided to client when blocking traffic from an application control profile.
729797	CLI should block or warn users if an API gateway with the same service (protocol) and path are declared on the same ZTNA server.
733135, 734840	Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.
738151	Browser has ERR_SSL_KEY_USAGE_INCOMPATIBLE error when both ZTNA and web proxy are enabled.
739627	diagnose wad stats policy list does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.
743746	WAD encounters signal 11 crash when adding user information.
746796	Stream-based scanning has high CPU cost and a long wait time on GZIP and BZIP2 files.
747250	When a timeout happens while forticron is downloading a file, the original downloaded file is not be deleted, so the next successful download has extra data in front.
751674	Load balancer based on HTTP host is DNATing traffic to the wrong real server when the correct real server is disabled.
752744	Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.
754298	WAD crashes when adding user information.
754969	Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.
755294	Firefox gives SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when ECDSA CA is configured for deep inspection.
755685	Trend Micro client results in FortiGate illegal parameter SSL alert response because the Trend Micro client sent a ClientHello that includes extra data, which is declined by the FortiGate according to RFC 5246 7.4.1.2.
756603	WAD memory spike when downloading files larger than 4 GB.
756616	High CPU usage in proxy-based policy with deep inspection and IPS sensor.
756887	WAD crashes if the certificate authentication request context is not closed in the following scenarios: when fnbamd returns a failure certificate authentication result or no response; and when the CA certificate is updated and the certificate cache is flushed.
757873	WAD crash in half-mode virtual server case and HTTP real server ZTNA case.
758122	WAD memory usage may spike and cause the FortiGate to enter conserve mode when downloading a large file fails.
758496	WAD crash for LDAP group looping.
758532	WAD memory usage may spike and cause the FortiGate to enter conserve mode.
764193	The three-way handshake packet that was marked as TCP port number reused cannot pass through the FortiGate, and the FortiGate relies with a FIN, ACK to the client.
765349	Once AV is enabled in proxy mode, traffic will be blocked in proxy mode.
768358	Failure to access certain AWS pages with proxy SSL deep inspection.

REST API

Bug ID	Description
743169	Update various REST API endpoints to prevent information in other VDOMs from being leaked.
768056	HTTPS daemon is not responsive when successive API calls are made to create an interface.

Routing

Bug ID	Description
720320	OSPF issues with spokes randomly showing Process is not up and losing some routes.
731941	Disconnected from FortiAnalyzer events reported when the interface-select-method is set to specify, and the interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection.
745999	Routing issue occurs when one of the SD-WAN interfaces goes down.
748733	Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.
762258	When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.
754636	Traffic sometimes does not match SD-WAN rules on some IPsec interfaces.
759711	OSPF E2 routes learned by Cisco routers are randomly removed from the routing table when the OSPF/OSPFv3 neighbor flaps.
759752	FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.

Security Fabric

Bug ID	Description
748389	Security Fabric automation email action trigger shows multiple emails as one email with no separation between the addresses.
753056	Recommendation information for Failed Login Attempts security rating rule should display Lockout duration should be at least 30 minutes, instead of 1800 minutes.
755187	The security rating test for Unused Policies is incorrectly evaluated as Pass when there are unused policies with the accept action.
758493	SDN connector on FG-Azure stays stuck if it is alphabetically the first subscription that is not in the permission scope.
765525	The deleted auto-scripts are not sent to FortiManager through the auto-update and cause devices go out of sync.

SSL VPN

Bug ID	Description
673320	Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.
677057	SSL VPN firewall policy creation via CLI does not require setting user identity.
684010	Internal page, https://vpn.ea***.***.**.us:10443, is not working in SSL VPN web mode.
695457	JS error thrown when accessing HTTPS bookmark (mk***.ag***.cp***.vw***) using SSL VPN web portal.
722329	After SSL VPN proxy rewrite, some Nuage JS files have problems running.
737894	If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.
746938	Unable to authenticate to outlook.com/owa/vw***.com website in SSL VPN web mode.
748085	Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.
748660	Unable to access Apache Guacamole web application using SSL VPN web mode.
749452	SSL VPN login authentication times out if primary RADIUS server becomes unavailable.
749815	Unable to access webmail server (https://9**.1**.9**.2**/) using SSL VPN web mode.
751028	SSL VPN proxy error in web mode for https://et***.ga***.gov.***/ due to requests to the loopback IP.
751366	JS error in SSL VPN web mode when trying to retrieve a PDF from https://vpn.ca***.com/.
751643	Jira server (cb***.com.au) cannot be displayed correctly using SSL VPN web mode.
751697	SSO login for SSL VPN bookmarks (https://za***.jo.za***.com) is not working.
751717	SAML user configured in groups in the IdP server might match to the wrong group in SSL VPN user authentication if an external browser is used.
752055	VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.
753515	DTLS does not work for SSL VPN and switches to TLS.
753590	Brickstream web interface is not loading properly when accessed using SSL VPN webmode.
755296	SSL VPN web mode has issues accessing https://e***.or***.kr.
756753	FQDN in firewall policy is treated case sensitive, which causes SSL VPN failure when redirecting or accessing a URL that contains capitalized characters.
758525	Users can modify the URL in SSL VPN portal to show connection launcher even when the Show Connection Launcher option is disabled.
759664	Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.
760340	WebSocket using Pronto Xi could not be established through SSL VPN web mode.
760928	SSL VPN with RADIUS authentication does not work with an interface subnet address object.
761668	Empty webpage loads when accessing internal website, https://ba***.ba**.com:2222, in SSL VPN web mode.
762491	Unable to authenticate outlook.office.com using corporate domain email account.
763619	SAP Fiori webpage using JSON is not loading in SSL VPN web mode.
767869	SCADA portal will not fully load with SSL VPN web bookmark.
768994	SSL VPN crashed when closing web mode RDP after upgrading.
771145	SSL VPN web mode access problem occurs for web service security camera.
773254	SSL VPN web mode access is causing issues with MiniCAU.

Switch Controller

Bug ID	Description
740661	FortiGate loses FortiSwitch management access due to excessive configuration pushes.
766583	A bin/cu_acd crash is generated when cfg-revert is enabled and involves FortiSwitch.

System

Bug ID	Description
572847	The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.
596942	SoC3 platforms may encounter kernel panic in cases when a PKCE IOCTL wait event is interrupted by WAD diagnose CLI commands.
639861	Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E.
643558	System halts after running execute update-now in FIPS-CC mode.
651626	A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.
671116	Lack of null pointer check in NP6XLite driver may lead to kernel panic. Affected models: FG-40F, FG-60F, and FG-101F.
675558	SFP port with 1G copper SFP always is up.
679035	NP6 drops, and bandwidth is limited to under 10 Gbps in npu-vlink case.
683299	Port group members have different speeds after the port speed is changed using a CLI script.
687398	Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.
703219	Kernel panic on FG-101F due to lack of null pointer check on NP6XLite driver.
712156	Remote access management from FortiCloud login fails if trusted hosts are configured for the administrator account.
712258	SFP28 ports on FG-340xE/FG-360xE cannot receive or transmit packets when the speed is set to 1000full. This issue is triggered by warm rebooting the FortiGate/Cisco switch or disconnecting the fiber cable.
716341	SFP28 port flapping when the speed is set to 10G.
718307, 729078	Verizon LTE connection is not stable, and the connection may drop after a few hours.
720687	On FG-20xF, the RJ45 ports connected to Dell N1548 switch do not automatically have an up link for energy detect mode.
726705	After upgrading to 7.0.0, FG-60E hangs due to various CLI configuration errors starting with cli 102 die in an exception in line 4318: KV?.
738640	There is no I2C reading/writing handler in drivers for FGR-60F and FGR-60F-3G4G.
741359	As per IEEE 802.3, NP frames under 64 octets should be discarded on the RX.
741944	The forticron process has a memory leak if there are duplicated entries in the external IP range file.
744892	DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.
749250	Firewall does not use its ARP cache and is ARPing for client MAC addresses every 20 to 30 seconds.
749613	Unable to save configuration changes and get failed: No space left on device error.
749835	Traffic logs report ICMP destination as unreachable for received traffic.
750123	FG-100F/101F sensor list shows the following deficiencies: missing PSU reading, degree sign is not readable in some CLI windows, and spelling mistakes.
750171	Legitimate traffic is unable to go through with NP6 synproxy enabled.
750202	USB unmounts after configuration backup.
751227	The GA image becomes uncertified after backing it up on a flash disk.
751346	DNS server obtained via DHCPv6 prefix delegation is not used by DNS proxy.
751523	When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.
753421	Slow SNMP query performance of fgVpn2Tables OIDs when a large number of IPsec dialup tunnels are connected.
753602	FG-40F has a newcli signal 11 crash.
753862	DHCPc seconds not incrementing in DHCP DISCOVER, REQUEST, and INFORM packets.
754567	FortiGate receives Firmware image without valid RSA signature loaded error when loading the image from FortiCloud.
754951	Static ARP entry was removed while using DHCP relay.
755475	When a software switch has an intra-switch-policy set to implicit (the default setting), layer 2 traffic, such as LLDP or STP, is being forwarded when it should be denied by default.
755953	Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.
756160	Unable to configure firewall access control lists on FG-20xF.
756445	Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.
756713	Packet Loss on the LAG interface (eight ports) in static mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.
757689	When creating a new interface with MTU override enabled, PPPoE mode, and a set MTU value, the MTU value is overridden by the default value.
757733	CP9 or SoC3/SoC4 kernel driver may crash while doing AES-GCM decryption.
757748	WAD memory leak could cause system to halt and print fork() failed on the console.
758545	Memory leak cause by leaked JSON object.
758815	Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.
760259	Outbound bandwidth in bandwidth widget does not adhere to the outbandwidth setting.
764989	Include an entry in SNMP OID that lists the number of octets for the IP type.

Upgrade

Bug ID	Description
743389	The dnsfilter-profile setting was purged from all DNS server entries upon upgrading from below 6.4.4.
744454	IPv6 delegated configuration is lost after upgrading from 7.0.1.

User & Authentication

Bug ID	Description
709964	Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.
719658	SCEP client does not work with virtual service.
739350	RADIUS response is sent even when the rsso-radius-response attribute is set to disable.
742244	Unable to receive token via email on configured local email server with authentication when the incoming SMTP response is incomplete.
747651	There is no LDAP-based authentication possible during the time WAD updates/reads group information from the AD LDAP server.
750551	DST_Root_CA_X3 certificate is expired.
753449	SCEP using execute vpn certificate local generate does not conform to HTTP 1.1 RFC 2616.
755302	The fnbamd process spikes to 99% or crashes during RADIUS authentication.
756763	In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.
757883	FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid.
765136	Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

VM

Bug ID	Description
691337	When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.
747221	Tags under VNET are not detected by SDN connector under Azure. The following issues have been fixed: IP of Azure network interface without an associated VM is not collected. Address prefix of Azure subnet is not collected. Tags on Azure virtual network scope cannot filter the IP address.
750889	DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.
755016	In AWS, if the HA connection between active and passive nodes breaks for a few seconds and reconnects, sometimes the EIP will remain in the passive node.
759300	gcpd has signal 11 crash at gcpd_mime_part_end.
764184	Inconsistent TXQ selection degrades mlx5 vfNIC. Azure FortiGate interface has high latency when the IPsec tunnel is up.
769352	Azure SDN connector is unable to pull service tag from China and Germany regions.

VoIP

Bug ID	Description
757477	PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

WAN Optimization

Bug ID	Description
754378	When an AV profile is enabled in a WANOpt proxy policy on a server side FortiGate, EICAR sent over HTTPS will not get blocked.

Web Filter

Bug ID	Description
751693	WAD crashed with signal 6 when using WIPS for web filtering with Websense.

WiFi Controller

Bug ID	Description
578440	Wireless controller sends ARP request packets that are destined to the FortiGate back to all tunnel interfaces.
600257	FG-1000D and FG-1500D go in to conserve mode when wpad and cw_acd have a memory spike, which affects wireless user tunnel traffic.
675164	FWF-60F local radio shows WPA3 is not supported.
720497	MAC authentication bypass is not working for some clients
734801	Some Apple devices cannot handle 303/307 messages, and may loop to load the external portal page and fail to pass authentication. Some android devices cannot process JavaScript redirect messages after users submit their username and password.
744687	Client should match the new NAC policy if it is reordered to the top one.
745044	Optimize memory usage of wpad daemon in WiFi controller for large-scale 802.11r fast BSS transition deployment.
748479	cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.
751509	On FAP-U432F, the Radio 3 spectrum analysis should be disabled in the FortiGate GUI.
761996	If concurrent-client-limit-type is set to unlimited it is limited by the max-clients value in the VAP profile.
766652	FortiAP firmware status is inconsistent on System > Fabric Management page and upgrade slide.

ZTNA

Bug ID	Description
765813	ZTNA access is systematically denied for ZTNA rule using SD-WAN zone as an incoming interface.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID	CVE references
752134	FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference: CVE-2021-42757
752450	FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference: CVE-2021-44168

Notatki producenta: FortiOS 7.0.4

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

7.0.4 FortiOS FortiOS 7.0.4