B&B Bezpieczeństwo w biznesie

The software vendor Fortinet has released the latest update for FortiOS 6.4.11. The update fixes an issue with connections made over an L2TP tunnel, where Android devices still had an active connection after disconnecting. In addition, since version 6.4.9, using the DoS feature caused npd processes to hang; the newer version fixes this problem. The update also corrects the display of IPsec VPN traffic statistics and the diagnostic command "diagnose hardware info", which displayed PSU power-supply data incorrectly. For more details, see the rest of this post.

Currently supported models:

FortiGate FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG‑500E, FG-501E, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG‑5001E1
FortiWiFi FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate Rugged FGR-60F, FGR-60F-3G4G
FortiGate VM FG-ARM64-AWS, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN
Pay-as-you-go images FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN

Resolved issues:

Anti Virus

Bug ID Description
727067 FortiGate should fix the interface between FortiGate and FortiAnalyzer for the CDR file.
795784 Able to bypass FortiOS AV inspection on email traffic when manipulating a MIME attachment with junk and pad characters in Base64.
800731 Flow AV sends HTML files to the FortiGate Cloud Sandbox every time when HTML is not configured in file list.
805655 A scanunit crash with signal 11 occurs for SMTP and QP encoding.

DNS Filter

Bug ID Description
790974 When the DNS static domain filter entry’s action set to allow, it skips DNS translation.
800497 In flow mode with set status disable in the static domain filter, the entry still works when enabled in the DNS filter.

Endpoint Control

Bug ID Description
775742 Upgrade EMS tags to include classification and severity to guarantee uniqueness.
803198 Intermittent FortiOS failure when using a redundant EMS configuration because the EMS FQDN was resolved once before, and when DNS entry expires or the DNS is used for load balancing.
817140 Device is constantly unauthorized in EMS when using set interface-select-method sdwan.

Explicit Proxy

Bug ID Description
794124 HTTPS websites are not accessible if certificate-inspection is set in a proxy policy.
803228 When converting an explicit proxy session to SSL redirect and if this session already has connected to an HTTP server, the WAD crashes continuously with signal 11.
816879 Explicit proxy is not working when certificate inspection is enabled.

Firewall

Bug ID Description
677855 cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.
773035 Custom services name is not displayed correctly in logs with a port range of more than 3000 ports.
784766 Virtual server for exchange is returning ERR_EMPTY_RESPONSE message.
800730 When using NGFW policy-based mode, modifying a security policy causes all sessions to be reset.
808264 Stress test shows packet loss when testing with flow inspection mode and application control.
815565 Unable to connect to the reserved management interface allowed by the local-in policy.
824091 Promethean Screen Share (multicast) is not working on the member interfaces of a software switch.
827780 ISDB source matching is inconsistent between transparent and NAT modes.
829071 Geolocation block on VIP object failed with seemingly correct configuration.
829664 Kernel panic occurs while collecting the debug flow.
830823 Traffic is dropped intermittently by the implicit deny policy, even though there is a valid policy on the FortiGate.
832217 Traffic is hitting the implicit deny policy when changes are made to a policy.

FortiView

Bug ID Description
804177 When setting the time period to now filter, the table cannot be filtered by policy type.
811095 Threat type N/A – Static URL Filter is showing on sources that do not have the URL filter enabled.
819924 Information disappears after some time on the FortiView pages.

GUI

Bug ID Description
729406 New IPsec design tunnel-id still displays the gateway as an IP address, when it should be a tunnel ID.
749843 Bandwidth widget does not display traffic information for VLAN interfaces when a large number of VLAN interfaces are configured.
777145 Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch’s operation.
794757 Inbound traffic on the interface bandwidth widget shows 0 bps on the VLAN interface.
798161 System > Certificates page keeps spinning when trying to access it from Safari.
802292 Logs sourced from FortiAnalyzer Big Data show the incorrect time.
804584 On the policy dialog page, the Select Entries box for the Service field does not list all service objects if an IPv6 address is in the policy.
807197 High iowait CPU usage and memory consumption issues caused by report runner.
819272 When a VLAN belongs to a zone, and the zone is used in a policy, editing the VLAN ID changes the policy’s position in the table.
825377 Managed FortiSwitches page, policy pages, and some FortiView widgets are slow to load.
833774 GUI needs to allow the members of the software switch interface to be used in IPv4/IPv6 multicast policy.

HA

Bug ID Description
722703 ISDB is not updating; last update attempt is stuck at an older date.
750829 In large customer configurations, some functions may time out, which causes an unexpected failover and keeps high cmdbsvr usage for a long time.
750978 Interface link status of HA members go down when cfg-revert tries to reboot post cfg-revert-timeout.
782734 Cluster is out-of-sync due to switch controller managed switch checksum mismatch.
785514 In some situations, the fgfmd daemon is blocked by a query to the HA secondary checksum, which causes the tunnel between the FortiManager and FortiGate to go down.
788702 Due to an HA port (Intel i40e) driver issue, not all SW sessions are synchronized to the secondary, so there is a difference.
803354 After HA-AP failover, the FortiExtender WAN interface of the new primary cannot get the LTE IP address from FortiExtender.
816883 High CPU usage on secondary device, and CPU lacks the AVX feature needed to load libdpdk.so.
817942 Secondary cluster member’s iprope traffic statistics are not updated to the original primary after an A-P HA failover.
819872 HA split brain scenario occurs after upgrading from 6.4.6 to 7.0.6, and HA heartbeats are lost followed by a kernel panic. Affected platforms: NP7 models.
822449 FGCP in standby sends GARP with physical MAC when it boots up.
823687 A cluster is repeatedly out-of-sync due to external files (SSLVPN_AUTH_GROUPS) when there are frequent user logins and logouts.
824651 Certificate upload causes HA checksum mismatch.
826188 Secondary FortiGate FQDN is stuck in the queue, even if the primary FortiGate FQDN has already been resolved.
829390 When the internet service name management checksum is changed, it is out-of-sync when the auto-update is disabled on FortiManager.
830463 After shutting down the HA primary unit and then restarting it, the uptime for both nodes is zero, and it fails back to the former primary unit.

Hyperscale

Bug ID Description
804742 After changing hyperscale firewall policies, it may take longer than expected for the policy changes to be applied to traffic. The delay occurs because the hyperscale firewall policy engine enhancements added to FortiOS 7.0.6 may cause the FortiGate to take extra time to compile firewall policy changes and generate a new policy set that can be applied to traffic by NP7 processors. The delay is affected by hyperscale policy set complexity, the total number of established sessions to be re-evaluated, and the rate of receiving new sessions.
805846 In the FortiOS MIB files, the trap fields fgFwIppStatsGroupName and fgFwIppStatsInusePBAs have the same OID. As a result, the fgFwIppStatsInusePBAs field always returns a value of 0.
810025 Using EIF to support hairpinning does not work for NAT64 sessions.
810379 Creating an access control list (ACL) policy on a FortiGate with NP7 processors causes the npd process to crash.
812833 FortiGate still holds npu-log-server related configuration after removing hyperscale license.
812844 Default static route does not work well for hyperscale VDOM.
836474 Changes in the zone configuration are not updated by the NPD on hyperscale.
837270 Disabling Block intra-zone traffic in a zone does not allow TCP/UDP traffic between interfaces of a zone.

ICAP

Bug ID Description
832515 Bad gateway occurs using ICAP with explicit proxy under traffic load.

Intrusion Prevention

Bug ID Description
695464 High IPS engine CPU usage due to recursive function call.
755859 The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.
771000 High CPU in all cores with device running with one interface set as a one-arm sniffer.
798961 High CPU usage occurs on all cores in system space in __posix_lock_file for about 30 seconds when updating the configuration or signatures.
809691 High CPU usage on IPS engine when certain flow-based policies are active.

IPsec VPN

Bug ID Description
757696 Implementing the route-overlap setting on phase 2 configurations brings tunnels down until a reboot is performed on the FGSP cluster.
763205 IKE crashes after HA failover when the enforce-unique-id option is enabled.
765868 The packets did not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models.
778243 When net-device is enabled on the hub, the tunnel interface IP is missing in the routing table.
778974 BGP route is inactive in the routing table after the hub’s IPsec tunnel binding interface bounces.
787949 FortiGate sends duplicate SNMP traps if the tunnel is brought down on the local side.
790486 Support IPsec FGSP per tunnel failover.
798045 FortiGate is unable to install SA (failed to add SA, error 22) when there is an overlap in configured selectors.
805301 Enabling NPU offloading in the phase 1 settings causes a complete traffic outage after a couple of ping packets pass through.
807086 ADVPN hub randomly initiates secondary tunnel to spoke, causing spoke to drop tunnel traffic for RPF check fail.
810988 GUI does not allow IP overlap for a tunnel interface when allow-subnet-overlap is enabled (CLI allows it).
814366 There are no incoming ESP packets from the hub to spoke after upgrading.
815253 NP7 offloaded egress ESP traffic that was not sent out of the FortiGate.
815969 Cannot apply dialup IPsec VPN settings modifications in the GUI when net-device is disabled.
824532 IPsec learned route disappears from the routing table.
825523 NP7 drops outbound ESP after IPsec VPN is established for some time.
827350 Dialup selector routes are not deleted after iked crash.
828467 The iked process is constantly crashing.
830252 IPsec VPN statistics are not increasing on the device.
836260 The IPsec aggregate interface does not appear in the Interface dropdown when configuring the Interface Bandwidth widget.

Limitations

Bug ID Description
799831 Hyperscale fixed allocation CGN client is limited to 65 thousand addresses, and the CGN start port might be ignored.

Log & Report

Bug ID Description
790893 Logging filters do not work as expected.
814427 FortiGate error in FortiAnalyzer connectivity test on secondary device after upgrade.
814758 Get an intermittent error when running execute log fortianalyzer-cloud test-connectivity.
821359 FortiGate appears to have a limitation in the syslogd filter configuration.
821494 Forward traffic logs intermittently fail to show the destination hostname.
837435 Syslogd failed to send logs for some log IDs, including traffic log IDs 3, 4, 5, 6, 7, and 11.

Proxy

Bug ID Description
745701 An issue occurs with TLS 1.3 and the 0RTT process where Firefox cannot access https.google.com using proxy-based UTM with certification inspection.
768278 WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out.
780182 WAD crash at wad_http_fwd_msg_body.
793651 An expired certificate can be chosen when creating an SSL/SSH profile for deep inspection.
795360 Apple push notification service fails with proxy-based inspection.
799237 WAD crash at wad_http_srv_cancel when the TLS/SSL renegotiation encounters an error.
799381 WAD crash at wad_ssl_proxy_caps_on_clt_certs when TLS 1.2 receives the client certificate, and that server facing SSL port has been closed due to SSL bypass.
800125 Even if the policy is set to deny FTP_PUT, file uploads are permitted when the UTM feature is enabled.
803286 Inspecting all ports in deep inspection is dependent on previous protocol port mapping settings.
803380 Device is consuming high memory and going into conserve mode, possibly due to a WAD memory leak.
807332 WAD does not forward the 302 HTTP redirect to the end client.
807431 File from AWS S3 fails to download with UTM, deep inspection, and proxy configured.
808831 Upgrading to 7.0.5 broke IM controls and caused Zalo chat file transfer issues.
809346 FTPS helper is not opening pinholes for expected traffic for non-standard ports.
811259 WAD memory leak occurs with IPS enabled.
813562 The wad_m_usr_info frees count is sometimes larger than the allocs count.
815313 WAD crash at wad_ssl_cert_check_auth_status once during stress testing.
822271 Unable to access a website when deep inspection is enabled in a proxy policy.
823247 WAD user_info process leaks memory.
825496 Explicit proxy traffic is terminated when IPS is enabled. The exact failure happened upon certificate inspection.
830166 WAD crash signal 11 occurs.
830450 WAD crash at wad_p2s_ciphers_filter.
830907 WAD crash at wad_mem_c_malloc.cold.
834314 ICAP client timeout issue causes WAD signal 11 crash after upgrading to 7.0.6 from 6.4.
837724 WAD crash at wad_port_general_update_dctx.

REST API

Bug ID Description
836760 The start parameter has no effect with the /api/v2/monitor/user/device/query API call.

Routing

Bug ID Description
756955 Routing table does not reflect the new changes for the static route until the routing process is restarted when cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.
769330 Traffic does not fail over to alternate path upon interface being down (FGR-60F in transparent mode).
774136 VPN traffic is not being metered by DoS policy when using SD-WAN.
779113 A new route check to make sure the route is removed when the link-monitor object fails on ARM based platforms.
795213 On the Network > SD-WAN page, adding a named static route to an SD-WAN zone creates a default blackhole route.
796070 Incorrect SD-WAN kernel routes are used on the secondary device.
796409 GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.
805285 SIP-RTP fails after a route or interface change.
806939 Routing issue with ADVPN and SD-WAN if IPsec aggregate interfaces are configured.
808840 After cloning a static route, the URL gets stuck with "clone=true".
812982 SD-WAN performance SLAs on a dialup IPsec VPN tunnel do not work as expected.
822659 Secure SD-WAN Monitor in FortiAnalyzer does not show graphs when the SLA target is not configured in SD-WAN performance SLA.
823293 Disabling BFD causes an OSPF flap/bounce.
826797 When a dynamic address fails, it becomes 0.0.0.0/0 in the SD-WAN rule.
828121 In a BGP neighbor, the allowas-in 0 value is confusing and not accepted by the GUI for validation (1-10 required).
828345 Wrong MAC address is in the ARP response for VRRP IP instead of the VRRP virtual MAC.
830254 When changing interfaces from dense mode to sparse mode, and then back to dense mode, the interfaces did not show up under dense mode.

Security Fabric

Bug ID Description
800986 A downstream FortiGate is sending the config trusted-list to FortiManager in the auto update.
803600 Automation stitch for a scheduled backup is not working.
814796 The threat level threshold in the compromised host trigger does not work.
815984 Azure SDN connector has a 403 error when the AZD restarts.
822015 Unable to resolve dynamic address from ACI SDN connector on explicit web proxy.

SSL VPN

Bug ID Description
626311 SSL VPN users are remaining logged on past the auth-timeout value.
676278 Custom host check AV and firewall for macOS fails for FortiClient SSL VPN.
697142 SharePoint server (de***.sc***.gov.sa) is not working on web-based VPN.
767832 After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.
780765 High CPU usage in SSL VPN using libssh2.
784426 SSL VPN web mode has problems accessing ComCenter websites.
786056 VNC using SSL VPN web mode disconnects after 10 minutes.
789642 Unable to load Grafana application through SSL VPN web mode.
796768 SSL VPN RDP is unable to connect to load-balanced VMs.
799308 SSL VPN bookmark is not working.
805922 Unable to configure ssl.root as the associated-interface in a firewall address.
807268 Many SSL VPN users are disconnected periodically, and sslvpnd crashes.
809209 SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time.
809473 When sslvpnd debugs are enabled, the SSL VPN process crashes more often.
810715 Web application is not loading in the SSL VPN web mode.
811007 The auto-generated URL on the VPN > SSL-VPN Settings page shows the management IP of the FortiGate instead of the SSL VPN interface port IP as defined on the VPN > SSL-VPN Realms page when a realm is created.
811492 SSL VPN should not leak information while performing Telnet.
814040 SSL VPN bookmark configuration is added automatically after client logs in to web mode.
814708 The same SAML user failed to establish a tunnel when a stale web session exists with limit-user-logins enabled.
816716 sslvpnd crashed when deleting a VLAN interface.
816881 TX packet loss on ssl.root interface.
817843 Logging out of SSL VPN tunnel mode does not clear the authenticated list.
818196 SSL VPN does not work properly after reconnecting without authentication and a TX drop is found.
819296 GUI should not use <server_ip> as a sender to send the SSL VPN configuration (it should use value set in reply-to).
823054 Internal website with JavaScript lacks some menus in SSL VPN web mode.
829955 When using SSL VPN to do auto-reconnect without authentication, it always fails the second time it tries to reconnect.
834713 Getting re-authentication pop-up window for VNC quick connection over SSL VPN web proxy.
841705 SSL VPN web mode access is not working for specific configured URLs.

Switch Controller

Bug ID Description
794026 FortiGates quarantines are stuck at 256.
803307 The Enable STP security control description should be reworded to mention that Edge ports should have STP enabled once the network topology is stable.
805154 Switch controller preconfiguration of FortiSwitch 108F-POE is incorrect.
810550 Send DHCP/ARP packet failed, and get errno = 6 in log when config-sync runs.
836604 The 40000cr4 port speed is not available under the switch-controller managed-switch port speed settings.

System

Bug ID Description
675558 SFP port with 1G copper SFP always is up.
686135 The dnp process goes to 100% CPU usage as soon as the configuration is downloaded via SCP. Affected platforms: FGR-60F and FGR-60F-3G4G.
709679 Get can not set mac address(16) message after downgrading.
713951 Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E.
748409 Client traffic from VLAN to VXLAN encapsulation traffic is failing after upgrading.
751715 Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.
751870 User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.
764954 FortiAnalyzer serial number automatically learned from miglogd does not send it to FortiManager through the automatic update.
780315 Poor CPS performance with VLAN interfaces in firewall only mode (NP7 and NP6 platforms).
781960 A dhcpd crash log occurs.
783939 IPv4 session is flushed after creating a new VDOM.
787144 FortiExtender virtual interface on the FortiGate is not receiving the IP address when mapping FortiExtender to it.
787595 FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.
787929 Deleting a VDOM that contains EMAC interfaces might affect the interface bandwidth widget of the parent VLAN.
789153 A profile with higher privileges than the user’s own profile can be set.
797428 SNMP status for NPU is not available on NP6xlite.
798091 After upgrading from 6.4.9 to 7.0.5, the FG-110xE’s 1000M SFP interface may fail to auto-negotiate and cannot be up due to the missed auto-negotiation.
798303 The threshold for conserve mode is lowered.
800294 Interface migration wizard fails to migrate interfaces when VLANs have dependencies within dependencies.
800615 After a device reboot, the modem interface sometimes does not have a stable route with the local carrier.
801040 Session anomaly was incorrectly triggered though concurrent sessions on the FortiGate that were below the configured threshold.
801053 FG-1800F existing hardware switch configuration fails after upgrading.
801474 DHCP IP lease is flushed within the lease time.
805122 In FIPS-CC mode, if cfg-save is set to revert, the system will halt a configuration change or certificate purge.
805345 In some cases, the HA SNMP OID responds very slowly or does not work correctly.
805412 DHCPv6 authentication option offer is not accepted from the server.
807947 Unable to create new interface and VDOM link with names that contain spaces.
809030 Traffic loss occurs when running SNAT PBA pool in a hyperscale VDOM. The NP7 hardware module PRP got stuck, which caused the NP7 to hang.
810104 Under certain trace condition scenarios, a kernel panic may be triggered on new kernel platforms after failover with HTTP CCS followed by SIP64 traffic.
810466 EHP and HRX drop on NP6 FortiGate, causing low throughput.
810583 Running diagnose hardware deviceinfo psu shows the incorrect PSU slot.
810879 DoS policy ID cannot be moved in GUI and CLI when enabling multiple DoS policies.
811350 Packets drop when the standby device is turned on.
811367 Ports 33-35 constantly show suspect messaging in the transceiver output. Affected platforms: FG-2600F and FG-2601F.
811449 New DNS system servers with DoT enabled, applying a DNS filter to the FortiGate DNS server fails.
812499 When traffic gets offloaded, an incorrect MAC address is used as a source.
813223 Random kernel panic occurs due to calling timer_setup.
813606 DHCP relay offers to iPhones is blocked by the FortiGate.
815360 NP7 platforms may encounter a kernel panic when deleting more than two hardware switches at the same time.
815692 Slow upload speeds when connected to FIOS connection. Affected platforms: NP6Lite and NP6xLite.
816278 Memory increase due to iked process.
816385 When creating an inner VLAN CAPWAP interface or sending inner VLAN traffic when the FortiGate is rebooting/upgrading from capwap-offload disable status, these actions trigger a freeze. Affected platforms: NP7 models.
816823 NP6xLite test failed when running diagnose hardware test pci.
818461 When an aggregate is created after all VLANs and added to a software switch, all VLANs are lost after rebooting.
819460 There is no 1000auto option under the ports. Affected platforms: FG-110xE.
819640 SSH public key changes after every reboot.
821366 PPPoE is not working on FG-60E wan2 interface.
823589 When pushing a script from FortiManager to FortiGate, FortiOS will sometimes send the CLI change to FortiManager with the FGFM API. If the tunnel is not up, the session will not exist and it causes a code crash.
824464 CMDB checksum is not updated when a certificate is renewed over CMP, causing a FortiManager failure to synchronize with the certificate.
826440 Null pointer causing kernel crash on FWF-61F.
829598 Constant increase (3%-4%) in memory occurs every day.
830415 FEX-40D-NAM model support was removed after upgrading to 7.0.6 or 7.0.7.
832948 Signature updating from FortiManager does not work after cloud communication is disabled.
834138 Kernel panic occurs due to VXLAN.
834414 When the uplink modem is restarted, the FortiGate interface configured as PPPoE is unable to obtain an IP address.
834641 Unable to remove DDNS entry frequently, even if the DDNS setting is disabled.
834762 Kernel panic occurs on secondary HA node on NP7 models (7.0.6).
836049 Unexpected device reboots with the kernel panic error on NP7 models.
837110 Burst in multicast packets is causing high CPU usage on multiple CPU cores.
839190 Running get system auto-update versions causes newcli to crash and the prints quit at the MAC address database.
840175 Random kernel panic occurs and causes the device to reboot.

Upgrade

Bug ID Description
803041 Link lights on the FG-1100E fail to come up and are inoperative after upgrading.
803171 Upgrade takes longer than expected, and get daemon_bits=0x00000040 error when HA upgrades.

User & Authentication

Bug ID Description
749694 A fnbamd crash is caused by an LDAP server being unreachable.
813407 Captive portal authentication with RADIUS user group truncates the token code to eight characters.
822684 When multiple FSSO CA connections are configured at the same time, only the last configured FSSO connection comes up.
825505 Devices are lost in Users & Devices widget after a period of time (around two days) in configurations with FortiSwitch, FortiAP, and DHCP.
825759 The Device detection option is missing in the GUI for redundant interfaces (CLI is OK).
833802 RADIUS re-authentication is not following RFC 2865 standards.

VM

Bug ID Description
786278 Bandwidth usage is not shown when DPDK is enabled.
793914 HA is not in sync when a dynamic AWS service SMTP address object is retrieving a dynamic update from AWS.
798717 Traffic/session logging incorrectly refers to SR-IOV secondary interfaces when the Rx is from fast path.
803219 Azure SDN connector might miss dynamic IP addresses due to only the first page of the network interface being processed.
809963 Get cmdbsvr crash on FG-KVM32 after running concurrent performance test.
820457 Dynamic address objects are removed after Azure API call failed and caused legitimate traffic drop.
825464 Every time the FortiGate reboots, the certificate setting reverts to self-sign under config system ftm-push.

WAN Optimization

Bug ID Description
804662 WANOpt tunnels are not established for traffic matching the profile.

Web Application Firewall

Bug ID Description
817673 Problem accessing some web servers when WAF and AV are enabled in same policy (proxy inspection mode).

Web Filter

Bug ID Description
789804 Web filter configured to restrict YouTube access does not work.
816781 FGSP cluster with UTM blocks websites when NTurbo or offloading is enabled.

WiFi Controller

Bug ID Description
790367 FWF-60F has kernel panic and reboots by itself every few hours.
796036 Manual quarantine for wireless client connected to SSID on multi-VDOM with wtp-share does not work.
807605 FortiOS exhibits segmentation fault on hostapd on the secondary controller configured in HA.
807713 FortiGate is not sending RADIUS accounting message consistently to RADIUS server for wireless SSO.
809623 CAPWAP traffic is dropped when capwap-offloading is enabled.
811953 Configuration installation from FortiManager breaks the quarantine setting, and the VAP becomes undeletable.
821803 Wireless multicast traffic causes the cw_acd process to have high CPU usage and triggers a hostapd crash.
824441 Suggest replacing the IP Address column with MAC Address in the Collected Email widget.
827902 CAPWAP data traffic over redundant IPsec tunnels failing when the primary IPsec tunnel is down (failover to backup tunnel).
831932 The cw_acd process crashes several times after the system enters conserve mode.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
846234 FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference: CVE-2022-40684
846854 FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference: CVE-2022-40684

Vendor release notes: FortiOS 7.0.78

Best regards,

The B&B Team
Bezpieczeństwo w biznesie
