Fortinet has released the first revision of the newest FortiOS software family, version 7.2.1. The new version brings, among other things, a new REST API for FortiGate and FortiNAC for exchanging information between the two products; in addition, Fortinet has given FortiOS a new dynamic FortiNAC tag object, which is used to store device information, tags from FortiNAC and user group information received from FortiNAC. FortiOS 7.2.1 also has an external connector for SAP, which can be used to synchronize dynamic address objects and to grant access to SAP workloads. The update also brings support for WiFi 6 security enhancements, specifically Hash-to-Element (H2E) and Simultaneous Authentication of Equals Public Key (SAE-PK) for FortiAP models that support WPA3-SAE.
There are many more changes, covering ZTNA, CLI commands, FortiGate GUI behaviour, configuration backup encryption and trial licenses for FortiGate VM. Read on for the details!
New features or enhancements in 7.2.1:
ID | Description |
---|---|
535099 | When editing an SSID interface within WiFi & Switch Controller > SSIDs, an address group containing wireless clients’ MAC addresses and an address group policy (disable, allow, or deny) can be configured for the client MAC address filtering feature. |
652281 | Certain unused WAD proxy processes are not started by default on FortiGate models with 2 GB of RAM or less to reduce memory usage. These processes will only start when relevant proxy features are configured. |
688237 | Add support for a FortiGate to manage a Procend 180-T DSL transceiver (FN-TRAN-DSL) that is plugged into an SFP port.
The management of the DSL transceiver includes the ability to program the physical layer attributes on the DSL module, retrieve the status and statistics from the module, support firmware upgrade of the module, and reset the module. The following VDSL profiles are supported: 8a, 8b, 8c, 8d, 12a, 12b, 17a, and 30a. Supported platforms: FG-80F, FG-81F, FG-80F-BP, FGR-60F, and FGR-60F_3G4G. |
735929 | Add REST API in both FortiNAC and FortiGate that is used by FortiNAC to send user logon/logoff information to the FortiGate. A new dynamic firewall address type (FortiNAC tag) is added to FortiOS, which is used to store the device IP, FortiNAC firewall tags, and FortiNAC group information sent from FortiNAC via the REST API when user logon/logoff events are registered.
The FortiNAC tags connector under Security Fabric > Fabric Connectors is deprecated. For upgrade support, the FSSO FortiNAC user type can still be configured from the CLI. |
739174 | For a FortiGate with a valid Security Rating license, the separate Security Rating package downloaded from FortiGuard adds support for PSIRT vulnerabilities, which allows the security rating result to highlight them. If the security rating result highlights a vulnerability with a critical severity, then the FortiGate GUI displays a new warning message in the header and a new notification under the bell icon. Both GUI enhancements link to the System > Fabric Management page to encourage updating any affected Fortinet Fabric devices to the latest firmware releases to resolve the critical vulnerabilities.
A new View Vulnerability link in the header is visible for global administrators, and a new tooltip for the critical vulnerability label on the System > Fabric Management page both link to the Security Rating page and highlight the critical vulnerability. On the Security Rating page, the search bar supports using the PSIRT keyword to filter for PSIRT vulnerabilities, and the security panel provides a link to the System > Fabric Management page when a PSIRT vulnerability is selected. |
739182 | Allow FortiClients to learn the available ZTNA services from the FortiGate ZTNA portal. The services that can be learned include HTTP/HTTPS web services, TCP forwarding services, and web portals. The FortiClient must connect to the FortiGate using a DoT or DoH tunnel. Then, it can retrieve the service mapping in JSON format. |
743804 | Add a RADIUS option to allow the FortiGate to set the RADIUS accounting message group delimiter to a comma (,) instead of a plus sign (+) when using RSSO. The default delimiter is still a plus sign. |
745135 | Provide three sizes of internet service databases, and an option to choose between full, standard, or mini databases. Only FortiGate 30 and 50 series models can configure mini size.
    config system global
        set internet-service-database {mini | standard | full}
    end |
750320 | Add a command to add ZTNA virtual hosts and domains to the FortiGate's local DNS database. Each virtual host and domain is mapped to the VIP defined for the corresponding access proxy. Each virtual host can only be used in one access proxy.
    config firewall access-proxy
        edit <name>
            set add-vhost/domain-to-dnsdb {enable | disable}
        next
    end |
760932 | The SAP external Fabric connector allows the FortiGate to connect to an SAP controller to synchronize dynamic address objects and ports for SAP workloads. These address objects can be used in firewall policies to grant access control to dynamic SAP workloads. |
764957 | Add an automation trigger for certificate expiry by introducing the local-certificate-near-expiry event type, raised when a user-supplied local certificate used for SSL VPN, deep inspection, or another purpose is about to expire. This trigger relies on the VPN certificate CLI setting for the certificate-expiry warning threshold:
    config vpn certificate setting
        set cert-expire-warning <integer>
    end
Where
The local certificate expiry trigger can be used with an email notification action, for example, to remind an administrator to re-sign or load a new local certificate to avoid any service interruptions. |
765657 | Add WTP profile support for FortiAP G series access points (FAP-231G, FAP-233G, FAP-431G, FAP-433G) that support Wi-Fi 6E IEEE 802.11ax Tri-band 2.4 GHz/5 GHz/6 GHz mode and dual 5 GHz mode. |
766158 | In a video filter profile, when the FortiGuard category-based filter and YouTube channel override are used together, by default a video will be blocked if it matches either category or YouTube channel and the action is set to block. This enhancement enables the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled. |
773555 | Add option to push updates to external threat feeds through the REST API. When configuring a FortiGuard Category, Malware Hash, IP Address, or Domain Name threat feed from the Security Fabric > External Connectors page, select the Push API update method to provide the code samples needed to perform add, remove, and snapshot operations. |
775285 | Enhance LAN extension on the FortiGate to allow a remote FortiGate (FortiGate Connector) to provide remote connectivity back to the FortiGate (FortiGate Controller) over a backhaul connection. A FortiGate deployed at a remote location will discover the FortiGate Controller and form an IPsec tunnel (or multiple tunnels when multiple links exist on the FortiGate Connector) back to the FortiGate Controller. A VXLAN is established over the IPsec tunnels to create an L2 network between the FortiGate Controller and the network behind the FortiGate Connector. |
775287 | Allow an administrator to deregister a FortiGate if the device has been registered for three or more years. After the device is deregistered, all associated contracts are also deregistered. |
775288 | Enhance IP address management (IPAM) in the GUI and the CLI to allow multiple pools and assign them to different interfaces based on name and/or role using IPAM rules.
In the GUI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM pools can be defined under Network > IPAM > IPAM Settings, and IPAM rules can be defined under Network > IPAM > IPAM Rules.
In the CLI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM pools can be defined as follows, where a.b.c.d/x is the IP/netmask of the subnet:
    config system ipam
        config pools
            edit <name>
                set subnet <a.b.c.d/x>
            next
        end
    end
In the CLI of a FortiGate not in a Security Fabric or on the root FortiGate of a Security Fabric, IPAM rules can be defined as follows (device and interface fields accept * wildcard inputs):
    config system ipam
        config rules
            edit <rule_name>
                set device {<FortiGate_serial_number> | *}
                set interface {<name> | *}
                set pool <pool_name>
            next
        end
    end |
779304 | YAML can be selected as file format when backing up or restoring configurations from the GUI. |
780993 | When registering using FortiCare, users can select a Government end user type for parity with the registration process using the support portal. |
784630 | Support BGP Autonomous System (AS) numbers as input in asdot and asdot+ format from RFC 5396 for the following CLI commands:
|
784665 | Add option for a FortiGate to use FortiManager as an override server for IoT query services.
    config system central-management
        config server-list
            edit 1
                set server-type {iot-query iot-collect}
            next
        end
    end |
786329 | Extend VCI (vendor class identifier) support in DHCP to allow for VCI pattern matching as a condition for IP or DHCP option assignment. This allows the mapping of a single IP address, IP ranges of a pool, and dedicated DHCP options to a specific VCI string. |
786559 | Add fgFwAuthUserTables table for SNMP to gather information about authenticated users, which are users authenticated by the user authentication methods supported on the FortiGate. This table supports SNMP VDOM access control and OIDs for IPv4 and IPv6 authenticated users. |
787019 | Perform FortiExtender auto firmware provisioning using CLI commands to allow a federated upgrade of a FortiExtender upon discovery and authorization by the FortiGate. The FortiExtender will be upgraded to the latest firmware from FortiGuard, based on the FortiExtender firmware version that matches each FortiOS firmware version. |
787020 | Add information and logs to record and trace connection failures to the EMS server. |
787021 | In an SD-WAN scenario when DSCP tags are used to mark traffic from the branch to the hub, it is sometimes desirable for the hub to mark the reply traffic with the same DSCP tags. A setting has been added to the firewall policy configuration to allow the DSCP tag to be copied to the reply direction.
    config firewall policy
        edit <id>
            set diffserv-copy {enable | disable}
        next
    end |
787477 | Ensure that session synchronization happens correctly in the FGCP over FGSP topology.
|
789032 | Embed SLA information into ICMP probes, which consists of three parts:
By passing SLA information to the hub, the hub can route traffic to the spoke symmetrically based on the overlay that is in SLA on the spoke. |
790243 | Inline scanning is supported when the FortiGate is licensed with the FortiGuard AI-Based Sandbox Service (FAIS). It works similar to inline scanning for the FortiSandbox appliance, by holding a file up to 50 seconds for the verdict to be returned. Timed out scans can either be set to block, log, or ignore. Inline scanning can be enabled from the GUI on the Cloud Sandbox configuration page. |
791091 | Add settings to prevent a FortiGate administrator account with a customized access profile from running execute ssh and execute telnet, thus restricting jump host capability using SSH and Telnet from the FortiGate to another host.
    config system accprofile
        edit <name>
            set system-execute-ssh {enable | disable}
            set system-execute-telnet {enable | disable}
        next
    end |
791129 | Add the underlay link cost property to the IPsec VPN tunnel phase 1 configuration and enhance IPsec VPN to exchange the link cost with a remote peer as a private notify payload in the phase 1 negotiation of IKEv1 and IKEv2. This avoids possible health check daemon process load issues and improves network scalability in large-scale SD-WAN networks with ADVPN.
    config vpn ipsec phase1-interface
        edit <name>
            set link-cost <0 - 255>
        next
    end |
792170 | The FortiGate explicit web proxy supports the Cross-Origin Resource Sharing (CORS) protocol, which allows the FortiGate to process a CORS preflight request and an actual CORS request properly, in addition to a simple CORS request when using session-based, cookie-enabled, and captive portal-enabled SAML authentication. This allows a FortiGate explicit web proxy user with this specific configuration to properly view a web page requiring CORS with domains embedded in it other than its own domain. |
793303 | Add a system action automation action type to back up the configuration of the FortiGate to the disk revisions, reboot the FortiGate, or shut down the FortiGate. This action type allows these actions to occur even if the FortiGate is in conserve mode and allows the automation stitch to bypass the CLI user confirmation prompts, which the CLI script action does not support.
    config system automation-action
        edit <name>
            set action-type system-actions
            set system-action {reboot | shutdown | backup-config}
        next
    end |
793304 | Enhance the scheduled automation trigger to execute only once at a specific date and time in the future. This trigger may be useful to support one-time automated FortiGate system actions in the future, such as a configuration backup to disk, reboot, or shut down.
    config system automation-trigger
        edit <name>
            set trigger-type scheduled
            set trigger-frequency once
            set trigger-datetime <YYYY-MM-DD HH:MM:SS>
        next
    end |
794494 | Proxy auto-config (PAC) files can be downloaded for an explicit proxy through the FortiGate’s captive portal using HTTPS to ensure a secure download. |
795821 | Support WiFi 6 Release 2 security enhancements by adding support for Hash-to-Element (H2E) only and Simultaneous Authentication of Equals Public Key (SAE-PK) for FortiAP models that support WPA3-SAE security modes.
    config wireless-controller vap
        edit <name>
            set ssid <ssid>
            set security wpa3-sae
            set sae-h2e-only {enable | disable}
        next
    end
    config wireless-controller vap
        edit <name>
            set ssid <ssid>
            set security wpa3-sae
            set sae-pk {enable | disable}
            set sae-private-key <private_key>
        next
    end |
795822 | Enhance the FortiGate ZTNA access proxy to act as an inline cloud access security broker (CASB) by providing access control to software as a service (SaaS) traffic using ZTNA access control rules. This enhancement introduces a new FortiGuard Inline CASB Database (ICDB) that includes all FQDNs related to specific SaaS applications and corresponding FortiGuard packages for FortiOS and FortiClient. The inline CASB feature is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.
Previously, ZTNA SaaS access control was possible using the TCP forwarding access proxy configuration on FortiGate and FortiClient:
With this enhancement and service, users can configure the ZTNA access proxy with a new SaaS proxy access type and conveniently specify SaaS application destinations by application name or by application group name without needing to manually search for and enter FQDNs specific to each SaaS application. Currently, CLI commands must be used for the configuration. Users can configure the SaaS application destination by adding support for SaaS in Support for this feature will be available in a future version of FortiClient and FortiClient EMS |
796798 | Support wireless controller VAP set rates-11ac-mcs-map and set rates-11ax-mcs-map commands to configure 802.11ac and 802.11ax Modulation and Coding Scheme (MCS) rates. These commands replace the set rates-11ac-ss12, set rates-11ac-ss34, set rates-11ax-ss12, and set rates-11ax-ss34 VAP commands. |
796961 | Add attribute under config switch-controller igmp-snooping to configure the query-interval under FortiLink, and add a check to ensure the query-interval is less than the aging-time interval. |
797054 | Allow FortiManager to apply a license to a BYOL FortiGate VM instance. For example, when launching a BYOL FortiGate VM on Azure, the FortiGate receives a serial number with the FGVMEV prefix and a VM license with an invalid status by default. This unlicensed FortiGate VM can register to a FortiManager for authorization and management. Subsequently, the FortiManager can apply a VM license to the FortiGate VM instance. |
798310 | In addition to per-tunnel IPsec failover for FGSP peers, FGCP over FGSP is also supported. For additional redundancy, an FGCP cluster on one site may form FGSP peering with FGCP clusters on other sites. The FGCP over FGSP peers can still synchronize IPsec SAs and act as the primary gateway for individual tunnels for the same dialup servers. When failover happens within an FGCP cluster, tunnel traffic will fail over to the other FGCP cluster member. When an FGCP cluster fails, tunnel traffic will fail over to the other FGSP peer. |
798773 | Add options in IPv6 static and policy routes for parity with IPv4 static and policy routes. |
799621 | Support wireless authentication using SAML and a captive portal configured on a tunnel mode SSID.
When a SAML user has been configured on the FortiGate, a user group containing this SAML user can be applied to a captive portal in a wireless tunnel mode SSID. When configured with both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IdP and a firewall policy with the SAML user group applied to allow authenticated traffic, upon connecting to this SSID, wireless clients will be redirected to a login page for wireless authentication using SAML. |
799971 | To synchronize Active Directory users and apply two-factor authentication using FortiToken Cloud, two-factor authentication can be enabled under the user ldap object definition. This enhancement reduces the number of AD users returned by allowing the use of a group filter to synchronize only the users who meet the group filter criteria.
    config user ldap
        edit <name>
            set dn <string>
            set two-factor {disable | fortitoken-cloud}
            set two-factor-filter <string>
        next
    end |
799987 | Add support for multitenant FortiClient EMS deployments that have the Manage Multiple Customer Sites setting enabled with multiple sites. Since a FortiClient EMS site is no longer unique using its serial number alone, the FortiGate configuration for FortiClient EMS connectors and related diagnostic commands have been enhanced to distinguish EMS sites using serial number and tenant ID:
|
801700 | Add option to enable automatic firmware updates based on the FortiGuard upgrade path. When enabled, the FortiGate will look for an upgrade path and perform an upgrade at a time within the time period specified by the administrator. The upgrade will only be performed on a patch within the same major release version.
    config system fortiguard
        set auto-firmware-upgrade {enable | disable}
        set auto-firmware-upgrade-day {sunday monday tuesday wednesday thursday friday saturday}
        set auto-firmware-upgrade-start-hour <integer>
        set auto-firmware-upgrade-end-hour <integer>
    end |
801701 | Certain unused WAD proxy processes are not started by default on FortiGate models with 2 GB of RAM or less to reduce memory usage. These processes will only start when relevant proxy features are configured. |
801707 | During FGSP per-tunnel failover for IPsec, the same IPsec dialup server configured on each FGSP member may establish tunnels with dialup clients as the primary gateway. The IPsec SAs are synchronized to all other FGSP peers that have FGSP synchronization for IPsec enabled. Other FGSP members may establish a tunnel with other clients on the same dialup server and synchronize their SAs to other peers.
Upon the failure of the FGSP member that is the primary gateway for a tunnel, the upstream router will fail over the tunnel traffic to another FGSP member. The other FGSP member will move from standby to the primary gateway for that tunnel and continue to forward traffic.
    config vpn ipsec phase1-interface
        edit <name>
            set fgsp-sync {enable | disable}
        next
    end |
801708 | In conjunction with support for FGSP per-tunnel failover for IPsec, configuring DPD (dead peer detection) on an FGSP member is now permitted. This allows a failed FGSP member to send out DPD probes during failover to detect the unreachable remote peer and flush the corresponding tunnels. |
802702 | When local-out traffic such as SD-WAN health checks, SNMP, syslog, and so on is initiated from an interface on one VRF and then passes through interfaces on another VRF, the reply traffic will be successfully forwarded back to the original VRF. |
802785 | Add the ability to toggle 802.11d support for 2.4 GHz radios using a FortiAP profile. 802.11d only applies to the 802.11g band (2.4 GHz band). By default, this option is always enabled. When 802.11d is enabled, the FortiAPs broadcast the country code in beacons, probe requests, and probe responses. The ability to disable 802.11d on the FortiAPs provides backwards compatibility with old or legacy Wi-Fi clients in the 802.11g band (2.4 GHz band) that failed to associate to a FortiAP with 802.11d enabled. |
803326 | Vendor-Specific Attributes (VSAs) can be used with TACACS authentication and authorization in wildcard system administrator access to FortiGates from browsers and SSH. The new VSAs allow the FortiGate to perform group matching, and overwrite VDOM settings under system admin. |
805870 | Add a setting to enforce a ZTNA trusted client before the user can successfully establish an SSL VPN tunnel when connecting to FortiGate SSL VPN in tunnel mode with a device certificate issued by EMS.
    config vpn ssl setting
        set ztna-trusted-client {enable | disable}
    end |
805871 | Add support in Azure FG-VM to generate a unique vWAN cluster/group ID and display a line with the Azure NVA name and the generated cluster/group ID in get system status. This line is only displayed for FortiGate instances that are NVA VMs. FortiManager uses the cluster/group ID to display FortiGate VM instances from the same vWAN as a group. |
806166 | Add NetFlow support on EMAC VLAN interface. |
806628 | Added an endpoint to return the HA non-synchronized checksum. The HA checksum calculation module has a new parameter to switch between the regular checksum calculation and the non-synchronized checksum calculation.
# diagnose sys ha checksum show-nonsync [global | vdom_name] |
806993 | Enhance the ZTNA access proxy to determine whether a client device that does not have FortiClient installed is a mobile device that is considered unmanageable, or is not a mobile device and is therefore considered unknown, and tag the device as either ems-tag-unmanageable or ems-tag-unknown respectively. The FortiGate WAD process achieves this by either matching device TLS fingerprints against a library or learning information from the HTTP User-Agent header if the set user-agent-detect setting is enabled. These new tags allow for ZTNA access control of unmanaged devices using config firewall proxy-policy. Also, enhance the set empty-cert-action setting by adding an accept-unmanageable option to allow unmanageable clients to continue ZTNA proxy rule processing. |
809701 | Support auto revision backup on FortiSwitch upon log out or firmware upgrade in FortiLink mode (both settings are disabled by default).
    config switch-controller switch-profile
        edit <name>
            set revision-backup-on-logout {enable | disable}
            set revision-backup-on-upgrade {enable | disable}
        next
    end |
812209 | This enhancement builds on the AWS SDN connector, which uses the AWS security token service (STS) to connect to multiple AWS accounts concurrently. To enhance security, the SDN connector supports the use of an External ID, which allows the target account owner to permit the role to be assumed by the source account only under specific circumstances. |
813346 | Improve GTPv2 message filtering to include all GTPv2 message types, based on 3GPP TS 29.274. Also, by adding message types UE Registration Query request (61) and UE Registration Query response (62), FortiOS Carrier can now filter all GTPv0 and GTPv1 message types based on 3GPP release 3GPP TS 29.060. |
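An added example (our own Python, not Fortinet code) of the IPAM rule evaluation described in ID 775288: rules are evaluated in order, `*` in the device or interface field matches anything, and the first matching rule selects the pool from which an interface's subnet is carved. It also shows the IP conflict condition the GUI marker in ID 775203 reports. Pool and rule names, the serial numbers, shell-style wildcard matching and the fixed /24 allocation size are constructed assumptions; the page does not document FortiOS's actual allocation algorithm.

```python
from fnmatch import fnmatchcase
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple

# Constructed sample pools, mirroring 'config system ipam / config pools / set subnet'.
POOLS: Dict[str, IPv4Network] = {
    "branch-pool": IPv4Network("10.10.0.0/16"),
    "lab-pool": IPv4Network("192.168.100.0/22"),
}

# Constructed sample rules in evaluation order: (device pattern, interface pattern, pool).
# A bare '*' accepts any value, as the release note describes for both fields.
RULES: List[Tuple[str, str, str]] = [
    ("FGT60F*", "lan*", "branch-pool"),
    ("*", "lab", "lab-pool"),
]


def match_rule(serial: str, interface: str,
               rules: List[Tuple[str, str, str]] = RULES) -> Optional[str]:
    """Return the pool named by the first rule whose device and interface
    patterns both match (shell-style wildcard semantics are our assumption)."""
    for dev_pattern, if_pattern, pool in rules:
        if fnmatchcase(serial, dev_pattern) and fnmatchcase(interface, if_pattern):
            return pool
    return None


class IpamAllocator:
    """Hands out one subnet per (device, interface) pair from the matched pool."""

    def __init__(self, pools: Dict[str, IPv4Network], prefixlen: int = 24) -> None:
        self.pools = pools
        self.prefixlen = prefixlen          # assumed fixed per-interface subnet size
        self.assigned: Dict[Tuple[str, str], IPv4Network] = {}
        self.used: Dict[str, set] = {name: set() for name in pools}

    def allocate(self, serial: str, interface: str,
                 rules: List[Tuple[str, str, str]] = RULES) -> IPv4Network:
        key = (serial, interface)
        if key in self.assigned:            # re-requesting keeps the same subnet
            return self.assigned[key]
        pool = match_rule(serial, interface, rules)
        if pool is None:
            raise LookupError(f"no IPAM rule matches {serial}/{interface}")
        for subnet in self.pools[pool].subnets(new_prefix=self.prefixlen):
            if subnet not in self.used[pool]:
                self.used[pool].add(subnet)
                self.assigned[key] = subnet
                return subnet
        raise RuntimeError(f"pool {pool} is exhausted")

    def conflicts(self, manual_ip: str) -> List[Tuple[str, str]]:
        """Which allocated subnets a manually configured interface IP falls into:
        the condition behind the GUI's IP conflict marker."""
        addr = ip_address(manual_ip)
        return [key for key, net in self.assigned.items() if addr in net]


if __name__ == "__main__":
    ipam = IpamAllocator(POOLS)
    print(ipam.allocate("FGT60FTK20001234", "lan1"))   # 10.10.0.0/24
    print(ipam.allocate("FGT60FTK20001234", "lan2"))   # 10.10.1.0/24
    print(ipam.allocate("FGT100FTK0000001", "lab"))    # 192.168.100.0/24
    print(ipam.conflicts("10.10.1.50"))                # [('FGT60FTK20001234', 'lan2')]
```

Rule order matters: the catch-all `("*", "lab", ...)` rule is listed last so that the more specific device pattern wins for branch units, which is the same ordering discipline you would apply to firewall policies.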
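An added example (ours, not Fortinet's or AWS's code) of the check behind ID 812209: when a connector assumes a role in another AWS account, the target account's role trust policy should require the agreed External ID, so the role can only be assumed under those specific circumstances. The audit function below flags AssumeRole grants that lack an exact-match `sts:ExternalId` condition, use a wildcard principal, or match the External ID with a wildcard. The two policy documents are constructed samples with placeholder account IDs and a made-up External ID value.

```python
import json
from typing import Any, Dict, Iterator, List

# Constructed sample: trust policy that lets account 111111111111 assume the
# role with no further condition (the weak form).
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed sample: the same grant pinned to an External ID (the hardened form).
PINNED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "fgt-sdn-connector-7c1e"}}
  }]
}""")


def _as_list(value: Any) -> List[Any]:
    """IAM allows most fields to be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_statements(policy: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield the Allow statements that grant sts:AssumeRole, directly or via a wildcard."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"sts:assumerole", "sts:*", "*"}:
            yield stmt


def audit_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means every AssumeRole grant is pinned
    to a non-empty External ID and names a specific principal."""
    findings: List[str] = []
    for i, stmt in enumerate(assume_role_statements(policy)):
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        if "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal")
        condition = stmt.get("Condition", {})
        # Condition keys are case-insensitive, so compare them lowercased.
        equals = {k.lower(): v for k, v in condition.get("StringEquals", {}).items()}
        external_ids = [str(v) for v in _as_list(equals.get("sts:externalid", []))]
        if not any(external_ids):
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        like = {k.lower(): v for k, v in condition.get("StringLike", {}).items()}
        if any("*" in str(v) for v in _as_list(like.get("sts:externalid", []))):
            findings.append(f"statement {i}: sts:ExternalId matched with a wildcard")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(WEAK_TRUST_POLICY))    # one finding
    print(audit_trust_policy(PINNED_TRUST_POLICY))  # []
```

Run this over the trust policies of every role a Fabric connector is allowed to assume; a role that passes the audit can only be assumed by a caller that also presents the External ID configured on the connector side.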
Main changes in 7.2.1 (CLI):
Bug ID | Description |
---|---|
750230 | Add support for up to 30 virtual clusters (previously, only two were supported). The vcluster2 and config secondary-vcluster settings have been replaced.
    config system ha
        set vcluster-status enable
        config vcluster
            edit <id>
                ...
            next
        end
    end |
773524 | Add option to configure whether the banned IP list persists through a power cycle.
    config firewall global
        set banned-ip-persistency {disabled | permanent-only | all}
    end
The |
789554 | Consolidate the FGSP settings by moving the previous config system cluster-sync settings into a subtable under config system standalone-cluster.
Old syntax:
    config system cluster-sync
        edit <id>
            set peervd <VDOM>
            set peerip <address>
            set syncvd <VDOM>
            config session-sync-filter
                ...
            end
        next
    end
New syntax:
    config system standalone-cluster
        config cluster-peer
            edit <id>
                set peervd <VDOM>
                set peerip <address>
                set syncvd <VDOM>
                config session-sync-filter
                    ...
                end
            next
        end
    end |
795943 | NetFlow collector and source IPs can be configured as an IPv4 or IPv6 address. This is supported in VDOM mode within global and VDOM configurations.
    config system netflow
        set collector-ip <IPv4/IPv6_address>
        set source-ip <IPv4/IPv6_address>
    end |
798305 | For non-hyperscale VDOMs, extend the maximum PBA timeout to 86400 seconds (3 – 86400, default = 30):
    config firewall ippool
        edit <name>
            set pba-timeout <integer>
        next
    end
For CGNAT cases, extending the PBA timeout allows PBA logs to be generated less frequently on the FortiGate. |
799832 | For webhook, aws-lambda, azure-function, google-cloud-function, and alicloud-function automation actions, change the headers attribute to a http-headers configurable subtable (instead of a PARSE_F_MEMBER attribute) so the subtable entries are key-value pairs that can be variable-sized strings.
    config system automation-action
        edit <name>
            set action-type {webhook | aws-lambda | azure-function | google-cloud-function | alicloud-function}
            config http-headers
                edit 1
                    set key <string>
                    set value <string>
                next
                edit 2
                    set key <string>
                    set value <string>
                next
            end
        next
    end |
801707 | Remove the ike-monitor, ike-monitor-interval, ike-heartbeat-interval, and ike-use-rfc6311 settings from config system cluster-sync. |
Main changes in 7.2.1 (GUI):
Bug ID | Description |
---|---|
739194 | Add a time frame selector to the log viewer pages, so the logs can be loaded more efficiently.
|
753095 | Add visibility for configuring advanced options for wireless features in the FortiGate wireless controller GUI:
|
753107 | Add IoT device information to the Security Fabric > Asset Identity Center page, including the device name, software OS, hardware vendor, status, IP address, hostname, time last seen, port, VLAN, and so on. |
758549 | Enhance the Managed FortiExtenders tab on the Network > FortiExtenders page with additional monitoring features:
Enhance the Profile tab on the Network > FortiExtenders page with two charts for displaying Status and Mode. |
761169 | Update the Log & Report > System Events and Security Events pages:
|
775203 | Add Network > IPAM GUI page to centralize all IP address management (IPAM) details within three new tabs: IPAM Interfaces, IPAM Rules, and IPAM Settings.
This page is only viewable on a FortiGate that is not in a Security Fabric, or on the root FortiGate in a Security Fabric. In a Security Fabric, downstream FortiGates will receive a notification to view the root FortiGate. This new page replaces the IPAM dashboard widget and IPAM connector card within Security Fabric > Fabric Connectors, which have been removed. When viewing the IPAM Interfaces tab, IP conflict markers are displayed to notify an administrator of IPAM pool IP conflicts with manually configured IPs, and prompt administrators to use the Edit Interface dialog to manually resolve the conflict by changing the interfaces' IP/netmask settings. |
779209 | Advanced BGP options can be configured in the GUI on the Network > BGP page, including: the BGP neighbor local AS, hold time timer, keepalive timer, and enforcing eBGP multihop. The View in Routing Monitor buttons in the right-side of the screen can display the BGP neighbors list, the BGP IPv4 routing table, or the BGP IPv6 routing table in a slide-out window instead of redirecting to the monitor page. The Routing monitor includes an option to soft reset a neighbor from the BGP neighbors list. |
797544 | Enhance the Summary tabs on the System Events and Security Events pages under Log & Report:
|
General changes:
Bug ID | Description |
---|---|
761565 | Change the encryption and decryption method of backup files to AES-GCM method. The backup configuration file encrypted by the new algorithm in 7.2.1 cannot be restored on FortiGates running FortiOS 7.2.0 and earlier. |
771952 | The 15-day evaluation period for a FortiGate VM is replaced with a permanent evaluation VM license. When spinning up a new FortiGate VM, the user will have a choice of logging in to FortiCare to activate the VM trial or to upload a full license. Each FortiCare account is entitled to one evaluation VM license.
Limitations of the evaluation VM license include:
The evaluation VM license is applicable to all private cloud (VMware ESXi, KVM, and so on) and all BYOL public cloud instances. |
802757 | In order for unlicensed FortiGate VMs to be managed by FortiManager, FortiOS enables high encryption on the FGFM protocol for a secure connection between the FortiGate and FortiManager. Upon being added into the device manager, FortiManager can install VM licenses to the managed FortiGate VMs. |
Currently supported models:
FortiGate | FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG-400E, FG-400E-BP, FG-401E, FG-500E, FG-501E, FG-600E, FG-601E, FG-800D, FG-900D, FG-1000D, FG-1100E, FG-1101E, FG-1500D, FG-1500DT, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3100D, FG-3200D, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3960E, FG-3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-5001E, FG-5001E1 |
FortiWiFi | FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-81F-2R, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE |
FortiGate Rugged | FGR-60F, FGR-60F-3G4G |
FortiGate VM | FG-ARM64-AWS, FG-ARM64-KVM, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG-VM64-GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG-VM64-OPC, FG-VM64-RAXONDEMAND, FG-VM64-SVM, FG-VM64-VMX, FG-VM64-XEN |
Pay-as-you-go images | FOS-VM64, FOS-VM64-HV, FOS-VM64-KVM, FOS-VM64-XEN |
Resolved issues:
Anti Virus
Bug ID | Description |
---|---|
722304 | AV does not block malicious file uploads to the MS Exchange server (OWA). |
727067 | FortiGate should fix the interface between FortiGate and FortiAnalyzer for the CDR file. |
794575 | When FortiGate Cloud is used as a sandbox server, enabled sandbox settings do not show up or apply on AV profiles in the GUI (CLI works). |
795784 | Able to bypass FortiOS AV inspection on email traffic when manipulating a MIME attachment with junk and pad characters in Base64. |
805655 | A scanunit crash with signal 11 occurs for SMTP and QP encoding. |
823677 | A scanunit crash occurs on a call to fg_pcre_free. |
Application Control
Bug ID | Description |
---|---|
787130 | Application control does not block FTP traffic on an explicit proxy. |
Data Leak Prevention
Bug ID | Description |
---|---|
807327 | A scanunit crash occurs after upgrading to 6.4.9. |
DNS Filter
Bug ID | Description |
---|---|
744572 | In multi-VDOM with default system fortiguard configuration, the DNS filter does not work for the non-management VDOM. |
790974 | When the DNS static domain filter entry's action is set to allow, it skips DNS translation. |
796052 | If local-in and transparent requests are hashed into the same local ID list, when the DNS proxy receives a response, it finds the wrong query for requests with the same ID and domain. |
798562 | DNS filter does not work when the FortiGate is working as a DNS server. |
800497 | In flow mode with set status disable in the static domain filter, the entry still works when enabled in the DNS filter. |
Endpoint Control
Bug ID | Description |
---|---|
775742 | Upgrade EMS tags to include classification and severity to guarantee uniqueness. |
Explicit Proxy
Bug ID | Description |
---|---|
770440 | Explicit web proxy encounters many WAD crashes. |
774442 | WAD is NATting to the wrong IP pool address for the interface. |
778339 | Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking. |
794124 | HTTPS websites are not accessible if certificate-inspection is set in a proxy policy. |
794255 | Microsoft website (microsoft.com) cannot be mapped to the Microsoft-Web ISDB name for proxy policy. |
796364 | Renaming a ClearPass dynamic address object that is configured in a proxy policy causes the address not to be matched. |
798647 | Explicit web proxy firewall policy cannot pass through HTTP traffic. |
801602 | In agentless NTLM authentication, the source IP in user domain-controller is not applied. |
802829 | Explicit proxy encounters a 504 timeout after CONNECT in 7.2.0 GA. |
816879 | Explicit proxy is not working when certificate inspection is enabled. |
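Bug 778339 concerns a basic explicit-proxy hygiene rule: Proxy-Authorization is a hop-by-hop header addressed to the proxy, and forwarding it to the origin server leaks the user's proxy credentials to whatever site is being visited. The Python below is an added example of the header split an explicit proxy should perform (not FortiOS code and not how WAD implements it); the header names and the sample request are constructed. It consumes Proxy-Authorization, removes the RFC 7230 hop-by-hop headers and any header named in the request's Connection header, and passes the end-to-end Authorization header through untouched.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Hop-by-hop headers from RFC 7230 section 6.1: they describe the client-to-proxy
# connection and must not be forwarded to the origin server. Proxy-Connection is a
# non-standard legacy header some clients still send; it is handled the same way.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "proxy-connection", "te", "trailer", "transfer-encoding", "upgrade",
}


def connection_tokens(headers: List[Header]) -> set:
    """Header names listed in Connection: are hop-by-hop for this request as well."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def split_proxy_request(headers: List[Header]) -> Tuple[Optional[str], List[Header]]:
    """Return (proxy credential, headers to forward upstream).

    The credential is the Proxy-Authorization value, which the proxy checks against its
    own user database and then drops. All hop-by-hop headers are removed. Authorization
    stays, because it is addressed to the origin server, not to the proxy."""
    credential = None
    drop = HOP_BY_HOP | connection_tokens(headers)
    forwarded: List[Header] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "proxy-authorization":
            credential = value          # consumed here, never forwarded
            continue
        if lname in drop:
            continue
        forwarded.append((name, value))
    return credential, forwarded


# Constructed sample request headers, as a client would send them to an explicit proxy.
SAMPLE_REQUEST: List[Header] = [
    ("Host", "intranet.example.test"),
    ("Proxy-Authorization", "Basic YWxpY2U6cHJveHktc2VjcmV0"),
    ("Authorization", "Bearer origin-token"),
    ("Connection", "keep-alive, X-Client-Trace"),
    ("X-Client-Trace", "trace-id-1"),
    ("Transfer-Encoding", "chunked"),
    ("Accept", "*/*"),
]


def forwarded_names(headers: List[Header] = SAMPLE_REQUEST) -> List[str]:
    """Names of the headers that would reach the origin server, in wire order."""
    _, fwd = split_proxy_request(headers)
    return [name for name, _ in fwd]


if __name__ == "__main__":
    cred, fwd = split_proxy_request(SAMPLE_REQUEST)
    print("proxy credential:", cred)
    for name, value in fwd:
        print(f"{name}: {value}")
```

The proxy then adds its own Connection and framing headers for the upstream hop; what matters for this bug is that nothing the client addressed to the proxy, credentials first of all, survives into the request the origin server sees.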
Firewall
Bug ID | Description |
---|---|
599638 | Get unexpected count for established session count, and diagnose firewall iprope clear does not work as expected. |
677855 | cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies. |
750081 | Traffic can pass through an EMAC VLAN interface but cannot be offloaded. |
752267 | Load Balance Monitor detects a server in standby mode as being down. |
770383 | In multi-VDOM mode, nothing is exported to the NetFlow collector. |
777231 | Dashboard > FortiView Traffic Shaping page sometimes displays an undefined traffic shaper. This is cosmetic and does not impact functionality. |
781144 | Policy & Objects > Virtual Servers page should remove the overlap check function. |
791735 | The number of sessions in session_count does not match the output from diagnose sys session full-stat . |
794648 | Cannot set src-vendor-mac in policy. The src-vendor-mac policy setting is not lost after upgrading from 7.0.5 and is still in the iprope. |
794901 | Unable to create a geography type address object and get a Can not be geography address when it is a member of addrgrp used by ipsec_tunnel! error. |
797017 | The FortiGate does not refresh the iprope group for central SNAT policies after moving a newly created SNAT policy. |
797318 | NAT64 is not forwarding traffic to the destination IP. |
801483 | Packet drops noticed in the network when FortiGate is running 7.2.0 GA. |
802834 | On the Traffic Shaping > Traffic Shapers tab, the Bandwidth Utilization column is empty for per-policy reverse shapers. |
803270 | Unexpected value for session_count appears. |
803283 | Firewall deny policy did not block a session that should have been blocked (geolocation block, outgoing direction). |
806113 | The Traffic Shaping Policies edit dialog shows a configured reverse shaper as disabled. |
806904 | IPv6 source with the same 32-bit prefix always NATs to the same IPv4 address. |
FortiView
Bug ID | Description |
---|---|
787886 | The tooltip for the Bandwidth column always displays the receiving bandwidth as zero on the Dashboard > FortiView Traffic Shaping page. |
804177 | When setting the time period to now filter, the table cannot be filtered by policy type. |
811095 | Threat type N/A – Static URL Filter is showing on sources that do not have the URL filter enabled. |
GUI
Bug ID | Description |
---|---|
695163 | When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range. |
740508 | Bandwidth widget shows incorrect traffic on FG-40F. |
746618 | Export port link status is not correct on tenant VDOM FortiSwitch Ports page. |
774159 | Signature not found in IPS database message when editing the IPS profile from the policy. |
778844 | Dashboard and Managed FortiAPs pages can take a long time to load when there are over 1000 FortiAPs configured. |
781310 | Policy & Objects > DNAT & Virtual IPs page can take more than 30 seconds to load if there are more than 25 thousand virtual IPs. |
787550 | HTTPSD daemon crashes frequently with signal 6 (aborted) at api_v2_page_result . |
787565 | When logged in as guest management administrator, the custom image shows as empty on the user information printout. |
792045 | FortiGate failed to view matched endpoints after viewing it successfully several times. |
798161 | System -> Certificates page keeps spinning when trying to access it from Safari. |
799160 | Modem 1 Health is incorrectly displayed as Disconnected in the Diagnostics and Tools pane of the FortiExtenders page. |
800632 | Search bar on Addresses page does not complete loading and return a result when format is <IP>-<number>. |
802292 | Logs sourced from FortiAnalyzer Big Data show the incorrect time. |
810225 | An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms. |
HA
Bug ID | Description |
---|---|
722703 | ISDB is not updating; last update attempt is stuck at an older date. |
734040 | Need a way for FortiManager to retrieve an HA-specific configuration of a secondary device through the primary device. |
744033 | HA out-of-sync messages appear in logs instead of sync messages when the FortiGate is in synchronization. |
750087 | Multicast convergence on HA failover. |
750978 | Interface link status of HA members go down when cfg-revert tries to reboot post cfg-revert-timeout. |
779180 | FGSP does not synchronize the helper-pmap expectation session. |
779587 | When an authentication log on length is longer than the hasync packet length and when there is a large number of logons, hasync is busy. |
781463 | FortiGate does not respond to ARP request for management-ip on interface if the interface IP is changed. |
782734 | Cluster is out-of-sync due to switch controller managed switch checksum mismatch. |
786592 | Failure in self-pinging towards the management IP. |
794707 | Get invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP standalone-config-sync. |
799659 | Unusually large uptime and HA behavior occurs. |
799765 | Multicast is failing after HA failover. |
801872 | Unexpected HA failover on AWS A-P cluster when ipsec-soft-dec-async is enabled. |
803354 | After HA-AP failover, the FortiExtender WAN interface of the new primary cannot get the LTE IP address from FortiExtender. |
803697 | The ha-mgmt-interface stops using the configured gateway6. |
805663 | After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces. |
807322 | AWS HA does not update the prefix list in the route table. |
810175 | set admin-restrict-local is not working for SSH. |
812090 | FGCP with in-band management mode does not send logs to newly added syslog server after being switched from out-of-band. |
816883 | High CPU usage on secondary device, and CPU lacks the AVX feature needed to load libdpdk.so. |
Hyperscale
Bug ID | Description |
---|---|
810025 | Using EIF to support hairpinning does not work for NAT64 sessions. |
Intrusion Prevention
Bug ID | Description |
---|---|
698247 | Flow mode web filter ovrd crashes and socket leaks in IPS daemon. |
771000 | High CPU in all cores with device running with one interface set as a one-arm sniffer. |
779377 | IPS fails to load a configuration if an NGFW policy uses the unrated category group or category of 0. |
796094 | EMAC VLAN traffic egresses with the wrong MAC address. |
809691 | High CPU usage on IPS engine when certain flow-based policies are active. |
813998 | IPv6 static routes are not generated for IP-based URL entries in one-arm IPS URL filtering solution. |
IPsec VPN
Bug ID | Description |
---|---|
765868 | The packets did not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models. |
771935 | Offloaded transit ESP is dropped in one direction until the session is deleted. |
773221 | Traffic that goes through IPsec based on a loopback interface cannot be offloaded. |
775011 | In VPN peering using IKEv2, the signature and aes256-sha256 proposals fail between the FortiGates and Palo Alto firewalls. |
781403 | IKE is consuming excessive memory. |
787949 | FortiGate sends duplicate SNMP traps if the tunnel is brought down on the local side. |
790486 | Support IPsec FGSP per tunnel failover. |
793863 | File downloads over L2TP IPsec VPN failed when using the VIP mapped to the internal server. |
796546 | IPv6 traffic through IPsec tunnel from learned BGP routes is not forwarding to Prisma Cloud provider. |
798709 | Shortcut fails to be triggered by interested traffic. |
803336 | VPN certificate private key changes on SCEP renewal. |
803686 | Tooltip in Dashboard > Network IPsec widget only displays one address for the local and remote addresses of the phase 2 selector. |
810988 | GUI does not allow IP overlap for a tunnel interface when allow-subnet-overlap is enabled (CLI allows it). |
814366 | There are no incoming ESP packets from the hub to spoke after upgrading. |
815969 | Cannot apply dialup IPsec VPN settings modifications in the GUI when net-device is disabled. |
Log & Report
Bug ID | Description |
---|---|
692237 | FortiOS is truncating the group field to 35 characters in traffic logs. |
699019 | The source IP under config log fortiguard setting is not respected. |
740157 | Event log is missing when the FortiGate Cloud Sandbox server is connected, disconnected, or switched. |
769300 | Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log. |
770352 | On the Log & Report > Forward Traffic page, filters applied to an interface name with a comma (,) do not show the correct filtered results for that interface. |
781357 | Add upgrade code for using free-style filter in miglogd for FortiOS 7.0 and later. |
788724 | The secondary FortiGate did not send the logs to the syslog server (sendmmsg failed to send data). |
789459 | Empty log Summary tab for System Events and Security Events pages. |
790893 | Logging filters do not work as expected. |
795595 | Date/Time filter changes after setting the time. |
797789 | FortiGate goes into conserve mode because fgtlogd occupies too much memory. |
803262 | Anti-spam logs are empty when the log source is FortiCloud (adding a time filter may return a result). |
806914 | RADVD unloaded interface message appears in system event log when changing a configuration on the FortiGate. |
814427 | FortiGate error in FortiAnalyzer connectivity test on secondary device after upgrade. |
Proxy
Bug ID | Description |
---|---|
678815 | WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers. |
760471 | WAD crashes and there is high memory after upgrading. |
766158 | Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category. |
768278 | WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out. |
781161 | WAD has signal 11 crash due to invalid reading after freeing WAD user information daemon. |
785927 | WAD process keeps crashing with signal 6. |
786939 | The scan-botnet-connections block setting does not work for TCP:443 with proxy-based inspection. |
789703 | WAD continually crashing at signal 11. |
791662 | FortiGate is silently dropping server hello in TLS negotiation. |
792505 | Memory leak identified for WAD worker dnsproxy_conn causing conserve mode. |
793651 | A revoked certificate should not be able to be used for deep inspection. |
795321 | WAD crash signal 11 and unit goes into conserve mode. |
796910 | Application wad crash (Segmentation fault), which is the first crash in a series. |
800125 | Even if the policy is set to deny FTP_PUT, file uploads are permitted when the UTM feature is enabled. |
802935 | FortiGate cannot block a virus file when using the HTTP PATCH upload method. |
803136 | thumbnailPhoto files are saved in the memory disk with the incorrect hash name. |
803260 | Memory increases suddenly and is not released until reboot. |
803380 | Device is consuming high memory and going into conserve mode, possibly due to a WAD memory leak. |
807332 | WAD does not forward the 302 HTTP redirect to the end client. |
807431 | File from AWS S3 fails to download with UTM, deep inspection, and proxy configured. |
808072 | When accessing a specific website using UTF8 content encoding (which is unexpected according to the RFC) the FortiGate blocks the traffic as an HTTP evasion when applying an AV profile with deep inspection. |
809346 | FTPS helper is not opening pinholes for expected traffic for non-standard ports. |
811259 | WAD memory leak occurs with IPS enabled. |
815313 | WAD crash at wad_ssl_cert_check_auth_status once during stress testing. |
817750 | WAD daemon keeps crashing when web proxy forward server group does not have a server list. |
822271 | Unable to access a website when deep inspection is enabled in a proxy policy. |
823814 | Found WAD crash at signal 11 on wad_http_engine.c when ap.empty-cert-action is set to accept-unmanageable. |
Routing
Bug ID | Description |
---|---|
618684 | Static route remains in the routing table after HA failover, and BFD is down on the new primary. |
704322 | After configuring static routes on IPsec tunnels using the Network > Static Routes page, an unnecessary warning icon appears. |
720618 | Passive health check does not report packet loss when it occurs in the network. |
756955 | Routing table does not reflect the new changes for the static route until the routing process is restarted when cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies. |
769523 | Multicast is not working in VRRP. |
774136 | VPN traffic is not being metered by DoS policy when using SD-WAN. |
779113 | When a link monitor fails, the routes indicated in the link monitor are not withdrawn from the routing database. |
787487 | Default priority value in static route is set as 0, even though the range is 1-65535 in transparent mode. |
788793 | Unable to receive BGP routes on redundant tunnel interfaces. |
795213 | On the Network > SD-WAN page, adding a named static route to an SD-WAN zone creates a default blackhole route. |
796070 | Incorrect SD-WAN kernel routes are used on the secondary device. |
796409 | GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load. |
797530 | SD-WAN health check event log shows the incorrect protocol. |
797590 | GRE tunnel configured using a loopback interface is not working after changing the interface back and forth. |
798245 | ICMP traffic is using the incorrect VRF. |
805285 | SIP-RTP fails after a route or interface change. |
806939 | Routing issue with ADVPN and SD-WAN if IPsec aggregate interfaces are configured. |
807635 | BGP routes hit the wrong route map. |
808840 | After cloning a static route, the URL gets stuck with "clone=true". |
809321 | IS-IS LSP packets do not include the checksum and the authentication key ([Checksum: [missing]], [Checksum Status: Not present], and authentication "hmac-md5 (54), message digest"). |
812982 | SD-WAN performance SLAs on a dialup IPsec VPN tunnel do not work as expected. |
817670 | IPv6 route redistribution metric value is not taking effect. |
Security Fabric
Bug ID | Description |
---|---|
614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
697160 | ACI connector does not import IPv6 addresses. |
741084 | Entry-level FortiGate with Security Fabric enabled for 30 or more downstream FortiGates can go into conserve mode when loading the physical or logical topology pages, or running security rating reports. |
753742 | Add distributed security rating and topology reports. |
778511 | PPPoE interface is unable to accept Fabric connections. |
782518 | Threat feeds are showing that the connection status has not started when it should be connected. |
788543 | Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer. |
791324 | Test Automation Stitch function only works on the root FortiGate, and is not working on the downstream FortiGate. |
795687 | On the Fabric Management page, some managed FortiSwitches are not shown. |
799832 | GCP bearer token is too long for the header in a google-cloud-function automation action. |
801048 | During the FortiOS initialization process, there is a small chance that other services using UDP take the specific port that caused csfd initialization to fail. |
803600 | Automation stitch for a scheduled backup is not working. |
807967 | Add reliable message for creating event logs on upstream device for use by Report Runner. |
815984 | Azure SDN connector has a 403 error when the AZD restarts. |
SSL VPN
Bug ID | Description |
---|---|
486837 | SSL VPN with external DHCP servers is not working. |
616896 | Link in SSL VPN portal to FortiClient iOS redirects to legacy FortiClient 6.0 rather than the latest 6.2. |
626311 | SSL VPN users are remaining logged on past the auth-timeout value. |
676278 | Custom host check AV and firewall for macOS fails for FortiClient SSL VPN. |
677031 | SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal. |
697142 | SharePoint server (de***.sc***.gov.sa) is not working on web-based VPN. |
757726 | SSL VPN web portal does not serve updated certificate. |
763611 | If dual-stack is enabled, the user connects to the tunnel with IPv6 and the tunnel is established successfully. When the user tries to access the IPv4 server to upload or download files, the network speed is very slow. |
767832 | After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage. |
767869 | SCADA portal will not fully load with SSL VPN web bookmark. |
768323 | Certain websites do not load properly in SSL VPN web mode. |
768983 | SSL VPN web mode access to the FortiGate GUI is slow after upgrading. |
778034 | FortiGate GUI in SSL VPN web mode is very slow. |
780305 | SSL VPN web mode is unable to redirect from port 62843 to port 8443. |
780765 | High CPU usage in SSL VPN using libssh2. |
781581 | Customer internal website is not shown correctly in SSL VPN web mode. |
784887 | A blank page appears after logging in to an SSL VPN bookmark. |
787978 | Unable to load NFMT routing display through SSL VPN web mode. |
789117 | SSL VPN web mode RDP bookmark always asks for credentials. |
789267 | SSO SSL VPN web mode user cannot connect to RDP intermittently. |
789642 | Unable to load Grafana application through SSL VPN web mode. |
791700 | SSL VPN crashes and disconnects users at the same time. |
792075 | SSL VPN web portal does not load internal e-learning website content. |
792944 | Internal redirect webpage is not working in SSL VPN web mode. |
794800 | SSL VPN /remote/logoutok screen loads in basic text. |
794820 | Slow performance when managing the FortiGate through the bookmark configured in SSL VPN web mode. |
795730 | Non-Google CAPTCHA cannot be displayed in SSL VPN web mode. |
796768 | SSL VPN RDP is unable to connect to load-balanced VMs. |
797136, 797139 | Internal site does not load completely using SSL VPN web mode bookmark. |
799308 | SSL VPN bookmark is not working. |
799780 | Website is not loading in SSL VPN web mode. |
800751 | Unable to download files over 2 GB to and from an SMB file share using SSL VPN web mode. |
801308 | FortiGuard should only provide an installer for FortiClient VPN, instead of the full FortiClient version. |
801588 | After Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully. |
802379 | SSL VPN has memory leaks and crashes. |
803576 | Comments in front of <html> tag are not handled well in HTML file in SSL VPN web mode. |
803622 | High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server. |
806143 | JavaScript error in SSL VPN web mode. |
807268 | Many SSL VPN users are disconnected periodically, and sslvpnd crashes. |
808569 | sslvpnd crashes when no certificate is specified. |
809209 | SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time. |
809473 | When sslvpnd debugs are enabled, the SSL VPN process crashes more often. |
810715 | Web application is not loading in the SSL VPN web mode. |
811007 | SSL VPN realm display is incorrect. |
811492 | SSL VPN should not leak information while performing Telnet. |
812006 | The PROD-MDN-WS1 SSL VPN portal is not loading properly, and cannot navigate within the page. |
814040 | SSL VPN bookmark configuration is added automatically after client logs in to web mode. |
814708 | The same SAML user failed to establish a tunnel when a stale web session exists with limit-user-logins enabled. |
816716 | sslvpnd crashed when deleting a VLAN interface. |
816881 | TX packet loss on ssl.root interface. |
817843 | Logging out of SSL VPN tunnel mode does not clear the authenticated list. |
826582 | SSH via SSL VPN web mode does not work for some SSH servers. |
Switch Controller
Bug ID | Description |
---|---|
774441 | FortiLink topology only displays partially. |
794026 | FortiGates quarantines are stuck at 256. |
799860 | FortiSwitch online/offline status is not consistent between the CLI and SNMP. |
803307 | The Enable STP security control description should be reworded to mention that Edge ports should have STP enabled once the network topology is stable. |
805154 | Switch controller preconfiguration of FortiSwitch 108F-POE is incorrect. |
810550 | Send DHCP/ARP packet failed, and get errno = 6 in log when config-sync runs. |
System
Bug ID | Description |
---|---|
540389 | Remote administrator password renewal shows remote token instead of new password (CLI and GUI). |
716250 | Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface. |
725273 | application newcli crashed with *** signal 11 (Segmentation fault) received ***. |
734912 | When VDOMs are enabled, changing system settings causes the GUI to display a failure to save message. |
736144 | AirCard 340U LTE Modem does not work. |
743831 | When global daylight saving time (DST) is disabled, the system time in the GUI still shows the time with DST. |
753912 | FortiGate calculates faulty FDS weight with DST enabled. |
756139 | When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU. |
758490 | The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device. |
761971 | AirCard 340U LTE modem does not work on FG-61F. |
764483 | After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface. |
766058 | FortiGate central management is configured on the backup mode ADOM, and any changes done on the FortiGate are not recorded in the FortiManager. |
771331 | Incorrect bandwidth utilization traffic widget for VLAN interface on NP6 platforms. |
773829 | Get /bin/cid crash when cid.tar.gz cannot be unpacked. |
782392 | ICMP traceroute with more than one probe is not working, and drops are seen on NP6 platforms. |
783939 | IPv4 session is flushed after creating a new VDOM. |
786255 | Cached topology reports causes the FortiGate to run out of flash storage on low-end models. |
786998 | When enabling the decrypted-traffic-mirror option on a VXLAN interface, the collector device will get a TCP Out-Of-Order packet. |
787557 | Sudo command works inconsistently. |
787595 | FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration. |
789153 | A profile with higher privileges than the user’s own profile can be set. |
789203 | High memory usage due to DoT leak at ssl.port_1way_client_dox leak\wad_m_dot_conn leak\sni leak when the DoX server is 8.8.8.8. |
790656 | DNS fails to correctly resolve hosts using the DNS database. |
792544 | A request is made to the remote authentication server before checking trusthost. |
793864 | Repeated FortiDDNS failed messages are in the system event logs output. |
796398 | BPDU packets are blocked even though STP forwarding is enabled on FG-800D in transparent mode (UTP and SFP). |
797428 | SNMP status for NPU is not available on NP6xlite. |
799255 | Any configuration change on FG-2601F causes a cmdbsvr crash with signal 6 and traffic to stop flowing. |
799487 | The debug zone uses over 400 MB of RAM. |
800294 | Interface migration wizard does not work when VLANs have dependencies within dependencies. |
800295 | NTP server has intermittent unresolvable logs after upgrading to 6.4. |
801053 | FG-1800F existing hardware switch configuration fails after upgrading. |
801474 | DHCP IP lease is flushed within the lease time. |
801738 | Kernel panic occurs on FG-2610F when collecting debug flow information. |
802917 | PPPoE virtual tunnel drops traffic after logon credentials are changed. |
805412 | DHCPv6 authentication option offer is not accepted from the server. |
805644 | Trunk port is removed from the VLAN switch after rebooting. |
807947 | Unable to create new interface and VDOM link with names that contain spaces. |
810583 | Running diagnose hardware deviceinfo psu shows the incorrect PSU slot. |
810622 | Message regarding VDOM names longer than 11 characters is shown when set long-vdom-name is enabled. |
811449 | New DNS system servers with DoT enabled, applying a DNS filter to the FortiGate DNS server fails. |
812499 | When traffic gets offloaded, an incorrect MAC address is used as a source. |
813223 | Random kernel panic occurs due to calling timer_setup. |
813606 | DHCP relay offers to iPhones is blocked by the FortiGate. |
815360 | NP7 platforms may encounter a kernel panic when deleting more than two hardware switches at the same time. |
816278 | Memory increase due to iked process. |
818461 | When an aggregate is created after all VLANs and added to a software switch, all VLANs are lost after rebooting. |
819640 | SSH public key changes after every reboot. |
821773 | Manual license for air-gap environments is lost after rebooting the FortiGate. |
Upgrade
Bug ID | Description |
---|---|
792831 | [2062] fap_fsw_lst_req: buf of https is too small: 853 debug message appears in console when upgrading to certain builds. |
803171 | Upgrade takes longer than expected, and get daemon_bits=0x00000040 error when HA upgrades. |
User & Authentication
Bug ID | Description |
---|---|
667150 | Add GUI support for FortiToken Mobile push notification and FortiToken Cloud based on two-factor authentication, which is already supported by authd. |
738846 | FAS ends up in an endless loop while synchronizing with LDAP when a special character (,) is part of a username. |
760740 | REVERSE_INULL found in WanOpt explicit proxy, wad_user_info.c:wad_group_info_cache_free . |
778521 | SCEP fails to renew if the local certificate name length is between 31 and 35 characters. |
782158 | The ç character is not accepted by an LDAPS password change. |
790941 | When logged in with an administrator profile using a wildcard RADIUS user, creating new dashboard widgets fails. |
792924 | Incorrect captive portal page certificate is used after upgrading. |
804133 | The diagnose test guest del <group_name> <user_ID> command does not work after upgrading. |
808884 | Device information is not fully detected on NP7. |
810033 | The samld process is killed if the SP certificate set has an ECC 384-bit public key. |
813355 | Additional information from user ID login should be displayed. |
813407 | Captive portal authentication with RADIUS user group truncates the token code to eight characters. |
813987 | No traffic is generated when creating an ACME certificate that uses a domain name with an uppercase letter. |
VM
Bug ID | Description |
---|---|
782073 | IBM HA is unable to fail over route properly when route table has a delegate VPC route. |
786278 | Bandwidth usage is not shown when DPDK is enabled. |
799536 | Data partition is almost full on FG-VM64 platforms. |
803219 | Azure SDN connector might miss dynamic IP addresses due to only the first page of the network interface being processed. |
809963 | Get cmdbsvr crash after concurrent performance test on FG-KVM32. |
VoIP
Bug ID | Description |
---|---|
794517 | VoIP daemon memory leak occurs when the following conditions are met: |
WAN Optimization
Bug ID | Description |
---|---|
804662 | WANOpt tunnels are not established for traffic matching the profile. |
Web Application Firewall
Bug ID | Description |
---|---|
795554 | Inspecting all ports in an SSL/SSH inspection profile does not work with the WAF profile. |
Web Filter
Bug ID | Description |
---|---|
743195 | Disclaimer module does not load and breaks the website. |
786448 | Web filtering with WISP functionality is intermittent in flow mode. |
798557 | When a new URL filter entry is created and the list is re-ordered, the list position is not maintained. |
801792 | IPS daemon has socket FD leaks. |
WiFi Controller
Bug ID | Description |
---|---|
790367 | FWF-60F has kernel panic and reboots by itself every few hours. |
796036 | Manual quarantine for wireless client connected to SSID on multi-VDOM with wtp-share does not work. |
ZTNA
Bug ID | Description |
---|---|
792829 | WAD re-challenges user authentication upon HA failover. |
797433 | WAD treats ZTNA SAML URL with multiple query characters as invalid and closes. |
799530 | Found wad crash at wad_sched.c upon device tag matching. |
799759 | Applying a ZTNA rule in the GUI removes configured IP pools. |
802715 | ZTNA failed to match the policy when a tag is found for an endpoint in the EMS response. |
Known issues:
Anti Virus
Bug ID | Description |
---|---|
818092 | CDR archived files are deleted at random times and not retained. |
Application Control
Bug ID | Description |
---|---|
804138 | Application icon is missing when FortiGuard anycast is set to AWS (unable to resolve globalproductapi2.fortinet.net). |
Firewall
Bug ID | Description |
---|---|
719311 | On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.
Workaround: rename the custom section to unique name between IPv4 and IPv6 policies. |
770541 | There is a delay opening firewall, DoS, and traffic shaping policies in the GUI. |
FortiView
Bug ID | Description |
---|---|
798427 | Change the sandbox PDF report query to be on-demand. |
GUI
Bug ID | Description |
---|---|
651648 | Searching for address groups on the Addresses page and address dialog is slow due to recursive algorithm. |
677806 | On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status. |
685431 | On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.
Workaround: use the CLI to configure policies. |
780832 | Managed FortiAPs list fails to load if there is an invalid or unsupported FortiAP. |
820909 | When configuring a new One Time schedule in the GUI, if the End Date is set to the 31st day of the month, it reverts to the first day of the month. |
831439 | Multiple DHCP servers for the same range can be configured on an interface if the interface name contains a comma (,) character. |
Hyperscale
Bug ID | Description |
---|---|
804742 | After changing hyperscale firewall policies, it may take longer than expected for the policy changes to be applied to traffic. The delay occurs because the hyperscale firewall policy engine enhancements added to FortiOS 7.2.1 may cause the FortiGate to take extra time to compile firewall policy changes and generate a new policy set that can be applied to traffic by NP7 processors. The delay is affected by hyperscale policy set complexity, the total number of established sessions to be re-evaluated, and the rate of receiving new sessions. |
824733 | IPv6 traffic continues to pass through a multi-VDOM setup, even when the static route is deleted. |
829549 | DSE entry is being created for ALG sessions, and EIF sessions pass through. |
Intrusion Prevention
Bug ID | Description |
---|---|
813727 | Custom signatures are not shown in the list when filters (server, client, or critical severity) are applied in an IPS sensor. |
IPsec VPN
Bug ID | Description |
---|---|
699973 | IPsec aggregate shows down status on Interfaces, Firewall Policy, and Static Routes configuration pages. |
761754 | IPsec aggregate static route is not marked inactive if the IPsec aggregate is down. |
819276 | After enabling the password policy, all non-conforming IPsec tunnels are wiped out after rebooting or upgrading. |
Limitations
Bug ID | Description |
---|---|
617042 | ACI dynamic address table size is limited to 1000 entries on FortiGate per EPG. |
Log & Report
Bug ID | Description |
---|---|
807661 | In a FortiAnalyzer with lots of logs, the log view shows no result if the user scrolls down to the bottom of the list. |
815150 | Negating a range or subnet does not work in the GUI log display. |
820940 | On the Log Settings page, a VDOM administrator can force a FortiCloud logout for all VDOMs. |
821359 | FortiGate appears to have a limitation in the syslogd filter configuration. |
826483 | The dstname log field cannot store more than 66 characters. |
Proxy
Bug ID | Description |
---|---|
823247 | WAD user_info process leaks memory. |
Routing
Bug ID | Description |
---|---|
792512 | Dashboard session widget shows IPv6 sessions from another VDOM (this is a REST API issue, the CLI is OK). |
Security Fabric
Bug ID | Description |
---|---|
794703 | The Security Rating report for the Rogue AP Detection and FortiCare Support checks shows incorrect results. |
814796 | The threat level threshold in the compromised host trigger does not work. |
SSL VPN
Bug ID | Description |
---|---|
795381 | FortiClient Windows cannot be launched with SSL VPN web portal. |
819296 | The GUI should not use <server_ip> as the sender when sending the SSL VPN configuration (it should use the value set in reply-to). |
Switch Controller
Bug ID | Description |
---|---|
798724 | FortiSwitch exported ports in tenant VDOM are gone after rebooting the FortiGate. |
813216 | FortiLink goes down when CAPWAP offloading is enabled or disabled. |
818116 | Add link status to managed FortiSwitch switch ports. |
System
Bug ID | Description |
---|---|
725048 | Performance improvements for /api/v2/monitor/system/available-interfaces (phase 2). |
776646 | Configuring a delegated interface to obtain the IPv6 prefix from an upstream DHCPv6 server in the GUI fails with a CLI internal error. |
798091 | After upgrading from 6.4.9 to 7.0.5, the FG-110xE's 1000M SFP interface may fail to auto-negotiate and cannot come up because of the missed auto-negotiation. |
799570 | FG-200F has high memory usage after rebooting. |
809366 | FG-40F with STP enabled on a hardware switch creates a loop after upgrading. |
Upgrade
Bug ID | Description |
---|---|
803041 | Link lights on the FG-1100E fail to come up and are inoperative after upgrading. |
VM
Bug ID | Description |
---|---|
825464 | Every time the FortiGate reboots, the certificate setting reverts to self-sign under config system ftm-push. |
WiFi Controller
Bug ID | Description |
---|---|
688655 | Adding an AP results in the cluster going out-of-sync due to different UUID values in the WTP profiles. |
789072 | Kernel panic on FWF-61F due to ol_target_failure, Target Register Dump Location 0x00401AE0. |
807713 | FortiGate does not send RADIUS accounting messages consistently to the RADIUS server for wireless SSO. |
811953 | Configuration installation from FortiManager breaks the quarantine setting, and the VAP becomes undeletable. |
821803 | The cw_acd process spikes at 99%, the FortiGate reports hostapd crashes, and all FortiAPs show as offline. |
Vendor notes: FortiOS 7.2.1
Regards,
B&B Team
Security in Business