Producent oprogramowania Fortinet udostępnił aktualizację dla produktu FortiOS z rodziny 7.0! Najnowsza wersja 7.0.9 jest przede wszystkim wolna od podatności FG-IR-22-398. Ponadto w najnowszej wersji poprawiono stabilność SSL-VPN oraz IPsec VPN. Nowa wersja rozwiązała również problem z przełączaniem HA w przypadku urządzeń FG-100F oraz kilka problemów z routingiem w przypadku wykorzystania IPv6. Po więcej informacji zapraszamy do dalszej części artykułu.
Aktualnie wspierane modele:
| FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG‑500E, FG-501E, FG-600E, FG-601E, FG-800D, FG‑900D, FG-1000D, FG-1100E, FG-1101E, FG‑1200D, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3100D, FG‑3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3800D, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG‑5001E1 |
| FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
| FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
| FortiGate VM | FG-ARM64-AWS, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-XEN |
Rozwiązane problemy:
Explicit Proxy
| Bug ID | Description |
|---|---|
| 805703 | FortiGate does not load balance requests evenly when the ldb-method is set to least-session. |
Firewall
| Bug ID | Description |
|---|---|
| 834301 | Session dropped with timeout action after policy changes. |
| 835413 | Inaccurate sFlow interface data reported to PRTG after upgrading to 7.0. |
| 843274 | Source interface filter (srcintf-filter) is not working with virtual servers. |
GUI
| Bug ID | Description |
|---|---|
| 719476 | FortiLink NAC matched device is displayed in the CLI but not in the GUI under WiFi & Switch Controller > NAC Policies > View Matched Devices. |
| 831885 | Unable to access GUI via HA management interface of secondary unit. |
HA
| Bug ID | Description |
|---|---|
| 832634 | HA failovers occur due to the kernel hanging on FG-100F. |
| 840954 | The HA pair primary keeps sending fgFmTrapIfChange and fnTrapIpChange after upgrading to 7.0.6. |
| 843907 | Session load balancing is not working in HA A-A configuration for traffic flowing via the VLAN interface when the port1 link is down on platforms with a 4.19 kernel. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 819276 | After changing the password policy to enable it, all non-conforming IPsec tunnels were wiped out after rebooting/upgrading. |
| 832920 | Unable to edit the parent interface from the IPsec configuration if it was configured on an IPIP tunnel. |
| 840153 | Unexpected dynamic selectors block traffic when set mesh-selector-type subnet is configured. |
| 840940 | Unable to reestablish a new IPsec L2TP connection for 10 minutes after the previous one disconnected. The issue conditions are local in traffic and a policy-based IPsec tunnel. |
| 842528 | Improper IKEv1 quick mode fragmentation from third-party client can cause an IKE crash. |
Proxy
| Bug ID | Description |
|---|---|
| 827807 | WAD crash at signal 11 is observed after configuring 250 CGN VDOMs (full offload is enabled in the VDOMs). |
| 837095 | WAD daemon runs high with many child processes and is not coming down after configuring 250 CGN VDOMs. |
Routing
| Bug ID | Description |
|---|---|
| 817670 | IPv6 route redistribution metric value is not taking effect. |
| 833800 | The speed-test-server list cannot be loaded due to limited buffer size. |
| 836077 | IPv6 SD-WAN health check is not working after a disconnection. |
| 840691 | FortiGate as an NTP server is not using SD-WAN rules. |
Security Fabric
| Bug ID | Description |
|---|---|
| 837347 | Upgrading from 6.4.8 to 7.0.5 causes SDN firewall address configurations to be lost. |
| 843043 | Only the first ACI SDN connector can be kept after upgrading from 6.4.8 if multiple ACI SDN connectors are configured. |
SSL VPN
| Bug ID | Description |
|---|---|
| 705880 | Updated empty group with SAML user does not trigger an SSL VPN firewall policy refresh, which causes the SAML user detection to not be successful in later usage. |
| 808569 | sslvpnd crashes when no certificate is specified. |
| 808634 | SSL VPN daemon sometimes could not be recovered, even when setting the server certificate back from empty to a specific certificate. |
| 820536 | SSL VPN web mode bookmark incorrectly applies a URL redirect. |
| 822432 | SSL VPN crashes after copying a string to the remote server using the clipboard in RDP web mode when using RDP security. |
| 856316 | Browser displays an Error, Feature is not available message if a file larger than 1 MB is uploaded from FTP or SMB using a web bookmark, even though the file is uploaded successfully. There are no issues with downloading files. |
System
| Bug ID | Description |
|---|---|
| 798992 | Get newcli crash when running the diagnose hardware test memory command. |
| 827736 | As the size of the internet service database expands, ffdb_err_msg_print: ret=-4, Error: kernel error is observed frequently on 32-bit CPU platforms, such as the FG-100E. |
| 831486 | HQIP memory test failed and triggered a log out with a newcli process crash. |
| 844316 | IPS and application control is causing the FortiGate (VWP) to change either the source MAC address or the destination MAC address based on the flow. |
| 844908 | Outbandwidth does not control traffic properly on platforms with a 4.19 kernel when VDOM links are used. |
| 844937 | FG-3700D unexpectedly reboots after the COMLog reported a kernel panic due to an IPv6 failure to set up the master session for the expectation session under some conditions. |
| 850430 | DHCP relay does not work properly with two DHCP relay servers configured. |
| 855151 | There may be a race condition between the CMDB initializing and the customer language file loading, which causes the customer language file be removed after upgrading. |
VM
| Bug ID | Description |
|---|---|
| 848279 | SFTP backup not working with Azure storage account. |
Web Application Firewall
| Bug ID | Description |
|---|---|
| 838913 | The WAF is indicating malformed request false positives caused by incorrect setups of four known headers: Access-Control-Max-Age, Access-Control-Allow-Headers, Access-Control-Allow-Methods, and Origin. |
Web Filter
| Bug ID | Description |
|---|---|
| 742483 | System events logs randomly contain a msg=UrlBwl-black gzopen fail message. |
| 847676 | Unrated is displayed, even if the system language is set to Japanese when the policy inspection mode is set to flow. |
WiFi Controller
| Bug ID | Description |
|---|---|
| 844172 | The cw_acd process is deleting dynamic IPsec tunnels on the secondary device, which causes the FortiAPs to disconnect on the primary device. |
Znane problemy:
Anti Virus
| Bug ID | Description |
|---|---|
| 818092 | CDR archived files are deleted at random times and not retained. |
Endpoint Control
| Bug ID | Description |
|---|---|
| 730767 | The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.
Workaround: delete the EMS Cloud entry then add it back. |
Explicit Proxy
| Bug ID | Description |
|---|---|
| 823319 | Authentication hard timeout is not respected for firewall users synchronized from WAD user. |
Firewall
| Bug ID | Description |
|---|---|
| 631814 | Static route configuration should not be shown on address dialog page if the address type is an IP range. |
| 728734 | The VIP group hit count in the table (Policy & Objects > Virtual IPs) is not reflecting the correct sum of VIP members. |
| 860480 | FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later. |
| 861990 | Increased CPU usage in softirq after upgrading from 7.0.5 to 7.0.6. |
GUI
| Bug ID | Description |
|---|---|
| 440197 | On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
| 677806 | On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status. |
| 685431 | On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.
Workaround: use the CLI to configure policies. |
| 707589 | System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed. |
| 708005 | When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.
Workaround: use Chrome, Edge, or Safari as the browser. |
| 755177 | When upgrade firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path. |
| 810225 | An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms. |
| 853352 | On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries. |
HA
| Bug ID | Description |
|---|---|
| 662978 | Long lasting sessions are expired on HA secondary device with a 10G interface. |
| 777394 | The flip timer does not start counting down when there is a ping sever failure following a previous outage. |
| 810175 | set admin-restrict-local is not working for SSH. |
| 810286 | FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect. |
| 811535 | HA failure occurs on pair of FG-2600s due to packet loss on heartbeat interface. |
| 813207 | Virtual MAC address is sent inside GARP by the secondary unit after a reboot. |
| 839549 | Secondary FortiGate unit in an HA cluster enters conserve mode due to high memory consumption by node scripts. |
| 850144 | EMS cloud connection fails or breaks when HA failover occurs. |
Hyperscale
| Bug ID | Description |
|---|---|
| 782674 | A few tasks are hung on issuing stat verbose on the secondary device. |
| 795853 | VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM. |
| 807476 | After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled. |
| 811109 | FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG. |
| 836976 | Traffic impact on changing from log to hardware to log to host during runtime (with PPA enabled). |
| 838654 | Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic. |
| 839958 | service-negate does not work as expected in a hyperscale deny policy. |
| 842008 | After HA failover, session count cannot synchronize on secondary FortiGate. |
| 842659 | srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS. |
| 843132 | After dynamically adding an ACL policy, the existing matched session is not cleared immediately. |
| 843197 | Output of diagnose sys npu-session list/list-full does not mention policy route information. |
| 843266 | Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM. |
| 843305 | Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when system boots up. |
| 844421 | The diagnose firewall ippool list command does not show the correct output for overload type IP pools. |
| 846520 | NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover. |
Intrusion Prevention
| Bug ID | Description |
|---|---|
| 813727 | Custom signatures are not shown in the list when filters (server, client, or critical severity) are applied in an IPS sensor. |
IPsec VPN
| Bug ID | Description |
|---|---|
| 761754 | IPsec aggregate static route is not marked inactive if the IPsec aggregate is down. |
| 822651 | NP dropping packet in the incoming direction for FG-200F. |
Log & Report
| Bug ID | Description |
|---|---|
| 820940 | On the Log Settings page, a VDOM administrator can force a FortiCloud log out of for all VDOMs. |
Proxy
| Bug ID | Description |
|---|---|
| 727629 | WAD encounters signal 11 crash at wad_http_marker_uri. |
| 836101 | WAD memory leak occurs. |
| 837724 | WAD crash at wad_port_general_update_dctx. |
Routing
| Bug ID | Description |
|---|---|
| 618684 | Static route will still in routing table after HA failover, and the BFD is down on the new primary. |
| 847037 | FortiGate is sometimes not following the policy route to forward traffic and sens unreasonable ARP requests. |
Security Fabric
| Bug ID | Description |
|---|---|
| 614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
| 794703 | Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results. |
| 814674 | Failed to retrieve upgrade progress message appears when upgrading a FortiAP or FortiSwitch that is connected to a downstream FortiGate. |
SSL VPN
| Bug ID | Description |
|---|---|
| 719740 | The No SSL-VPN policies exist warning should not be shown in the GUI when a zone that has ssl.root as a member is set in an SSL VPN policy. |
| 746230 | SSL VPN web mode cannot display certain websites that are internal bookmarks. |
| 803576 | Comments in front of <html> tag are not handled well in HTML file in SSL VPN web mode. |
Switch Controller
| Bug ID | Description |
|---|---|
| 813216 | FortiLink goes down when CAPWAP offloading is enabled or disabled. |
System
| Bug ID | Description |
|---|---|
| 724085 | Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected. |
| 743831 | When global daylight saving time (DST) is disabled, the system time in the GUI still shows the time with DST. |
| 784169 | When a virtual switch member port is set to be an alternate by STP, it should not reply with ARP; otherwise, the connected device will learn the MAC address from the alternate port and send subsequent packets to the alternate port. |
| 799487 | The debug zone uses over 400 MB of RAM. |
| 813162 | Kernel panic occurs after traffic goes through IPsec VPN tunnel and EMAC VLAN interface. |
| 818452 | The ifLastChange SNMP OID only shows zeros. |
| 827240 | Unexpected reboot occurs on FG-100F. |
| 847077 | Can't find xitem. Drop the response. error appears for DHCPOFFER packets in the DHCP relay debug. |
| 847314 | NP7 platforms may encounter random kernel crash after reboot or factory reset. |
| 847664 | Console may display mce: [Hardware Error] error message after fresh image burn or reboot. |
| 850683 | Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF. |
| 850688 | FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs. |
| 855573 | False alarm of the PSU2 occurs with only one installed. |
Upgrade
| Bug ID | Description |
|---|---|
| 792831 | [2062] fap_fsw_lst_req: buf of https is too small: 853 debug message appears in console when upgrading to certain builds. |
| 850691 | The endpoint-control fctems entry 0 is added after upgrading from 6.4 to 7.0.8 when the FortiGate does not have EMS server, which means the endpoint-control fctems feature was not enabled previously. This leads to a FortiManager installation failure.
Workaround: upgrade from FortiOS 6.4.x to 7.0.7 and then 7.0.8. If you have already upgraded to FortiOS 7.0.8, reboot the FortiGate to automatically set |
User & Authentication
| Bug ID | Description |
|---|---|
| 765184 | RADIUS authentication failover between two servers for high availability does not work as expected. |
| 836082 | LLDP packets are not being received if mgmt is used as an HA management reservation interface. |
| 846683 | Downloading the CSR certificate from global with a custom account profile (read/write) causes GUI/CLI errors due to unauthorized requests. |
VM
| Bug ID | Description |
|---|---|
| 667153 | Consume the licensed amount of CPUs without running execute cpu add and rebooting when a license is upgraded. |
WAN Optimization
| Bug ID | Description |
|---|---|
| 728861 | HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used.
Workaround: set |
Web Filter
| Bug ID | Description |
|---|---|
| 766126 | Block replacement page is not pushed automatically to replace the video content when using a video filter. |
ZTNA
| Bug ID | Description |
|---|---|
| 832508 | The EMS tag name (defined in the EMS server’s Zero Trust Tagging Rules) format changed in 7.0.8 from FCTEMS<serial_number>_<tag_name> to EMS<id>_ZTNA_<tag_name>.
After upgrading, the EMS tag format was converted properly in the CLI configuration, but the WAD daemon is unable to recognize this new format, so the ZTNA traffic will not match any ZTNA policies with EMS tag name checking enabled. Workaround: unset the |
| 848222 | ZTNA TCP forwarding is not working when a real server is configured with an FQDN address type.
An FQDN address type that can resolve public IPs is not recommended for ZTNA TCP forwarding on real servers because the defined internal DNS database zone is trying to override it at the same time. By doing so, the internal private address may not take effect after rebooting, and causes a ZTNA TCP forwarding failure due to the real server not being found. |
Notatki producenta: FortiOS 7.0.9
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
