B&B Bezpieczeństwo w biznesie
  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Cyberbezpieczny Samorząd
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • Kontakt

Fortinet udostępnił najnowszą aktualizację FortiOS w wersji 7.4.5, wprowadzając istotne poprawki. W ramach aktualizacji rozwiązano problem związany z tworzeniem zasad zapory sieciowej – użytkownicy nie mogli zapisywać grup aplikacji zawierających niestandardowe sygnatury aplikacji za pomocą interfejsu graficznego. Poprawiono również działanie protokołu SSL VPN, który wcześniej nie funkcjonował poprawnie, gdy nazwa UPN użytkownika LDAP przekraczała 35 znaków. Od wersji 7.4.5 naprawiono także błąd dotyczący opcji automatycznych aktualizacji – na wcześniejszych wersjach wyłączenie tej opcji nie wyłączało automatycznych aktualizacji. Po więcej szczegółów zapraszam do dalszej części artykułu.

Wspierane urządzenia:

FortiGate FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-61F, FG-70F, FG-71F, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-80F-DSL, FG-80F-POE, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-90G, FG-91G, FG-100F, FG-101F, FG-120G, FG-121G, FG-140E, FG-140E-POE, FG-200E, FG-200F, FG-201E, FG-201F, FG-300E, FG-301E, FG‑400E, FG-400E-BP, FG‑401E, FG-400F, FG-401F, FG‑500E, FG-501E, FG-600E, FG-601E, FG-600F, FG-601F, FG-800D, FG‑900D, FG-900G, FG-901G, FG-1000D, FG-1000F, FG-1001F, FG-1100E, FG-1101E, FG-1800F, FG-1801F, FG-2000E, FG-2200E, FG-2201E, FG-2500E, FG-2600F, FG-2601F, FG-3000D, FG-3000F, FG-3001F, FG-3100D, FG‑3200D, FG-3200F, FG-3201F, FG-3300E, FG-3301E, FG-3400E, FG-3401E, FG-3500F, FG-3501F, FG-3600E, FG-3601E, FG-3700D, FG-3700F, FG-3701F, FG-3960E, FG‑3980E, FG-4200F, FG-4201F, FG-4400F, FG-4401F, FG-4800F, FG-4801F, FG-5001E, FG‑5001E1, FG-6000F, FG-7000E, FG-7000F
FortiWiFi FWF-40F, FWF-40F-3G4G, FWF-60E, FWF-60E-DSL, FWF-60E-DSLJ, FWF-60F, FWF-61E, FWF-61F, FWF-80F-2R, FWF-80F-2R-3G4G-DSL, FWF-81F-2R, FWF-81F-2R-3G4G-DSL, FWF-81F-2R-POE, FWF-81F-2R-3G4G-POE
FortiGate Rugged FGR-60F, FGR-60F-3G4G, FGR-70F, FGR-70F-3G4G
FortiFirewall FFW-1801F, FFW-2600F, FFW-3001F, FFW-3501F, FFW-3980E, FFW-4200F, FFW-4400F, FFW-4401F, FFW-4801F, FFW-VM64, FFW-VM64-KVM
FortiGate VM FG-ARM64-AWS, FG-ARM64-AZURE, FG-ARM64-GCP, FG-ARM64-KVM, FG-ARM64-OCI, FG-VM64, FG-VM64-ALI, FG-VM64-AWS, FG-VM64-AZURE, FG‑VM64‑GCP, FG-VM64-HV, FG-VM64-IBM, FG-VM64-KVM, FG‑VM64‑OPC, FG‑VM64-RAXONDEMAND, FG-VM64-XEN

FortiGate 6000 and 7000 support

FortiOS 7.4.5 supports the following FG-6000F, FG-7000E, and FG-7000F models:

FG-6000F FG-6001F, FG-6300F, FG-6301F, FG-6500F, FG-6501F
FG-7000E FG-7030E, FG-7040E, FG-7060E
FG-7000F FG-7081F, FG-7121F

Rozwiązane problemy:

Anti Virus

Bug ID Description
977905 An issue in the WAD prevents access to SMB when an AV proxy based profile is included in a policy.
1028114 FortiGate cannot connect to FortiSandboxCloud when inline content block scan mode is set to default in an antivirus profile.
1031084 When FortiGate is in HA AA mode, the secondary unit does not connect to all FSA types for inline scanning.
1042358 A memory usage issue in the WAD process prevents the AV Engine from loading properly.
1044961 On FortiGate, the Scanunit does not work as expected due to zlib data check issue..

Application Control

Bug ID Description
951150 The Zoom meeting remote control feature is not blocked during meetings.

Data Loss Prevention

Bug ID Description
1012922 When a DLP policy is set to block the upload or download of test PDF documents, the policy does not function as expected.
1036260 The DLP blocks all traffic with deep packet inspection and displays an error page.
1049719 The DLP dictionary with a regex configuration does not deny an accent mark on FortiGate.

DNS Filter

Bug ID Description
1026058 When IP is not resolved or does not exist, the DNS alters the response for the domain and results in a performance issue on the client device.

Explicit Proxy

Bug ID Description
890776 The GUI-explicit-proxy setting on the System > Feature Visibility page is not retained after a FortiGate reboot or upgrade.
1042125 FortiGate generates a replacement error message when the message-upon-server-error option is disabled.

File Filter

Bug ID Description
900911 When srcure-web-proxy is enabled, if the client disconnects without sending any data as soon as the TCP connection with FortiGate is established, a WAD process signal 11 error occurs.
1004198 .exe files in ZIP archives are not blocked by file-filter profiles during CIFS file transfers.

Firewall

Bug ID Description
807191 On FortiGate, the diagnose netlink interface list command shows no traffic running through the policy, even with NP offload enabled or disabled.
837866 On the NP7 platform, traffic is blocked when egress-shaping-profile and outbandwidth are enabled on a vlan parent interface.
876034 Traffic is allowed to pass through ports that are configured with a block policy.
966466 On an FG-3001F NP7 device, packet loss occurs even on local-in traffic.
992610 The source interface displays the name of the VDOM and local out traffic displays as forward traffic.
998699 On the Policy & Objects > Firewall Policy page, the Firewall/Network options are missing in the GUI when enabling a security profile group in a policy.
1002269 When a schedule is added to a firewall policy, the schedule is not activated at the time configured in the policy.
1004267 On the Policy & Objects > Firewall Policy page, when searching for an address object with a comment keyword, no results are displayed.
1008680 On FortiOS, the Dashboard > FortiView Destination Interfaces, Dashboard > FortiView Source Interfaces pages, and Policy & Objects > Firewall Policy > Edit Policy page display incorrect bandwidth units.
1010037 When editing object address in the Policy & Objects > Addresses page on the GUI, the GUI does not function as expected if the address being edited contains a slash character.
1010824 FortiGate creates dummy destination IP logs when pinging a FortiGate VIP.
1013488 On the Policy & Objects > Firewall Policy page, searching for service port numbers in the Firewall Policy list does not return any results.
1022116 After editing a policy on the Interface Pair View window on the Policy & Objects > Firewall Policy page, the display order changes.
1034378 SMTP traffic does not egress from the same interface when a UTM profile is used in a proxy-based policy.
1036676 When a loopback interface has an IP that matches a VIP’s extip with an extintf "any", FortiGate will match the VIP but the oif loopback causes an unintended policy 0 match and drops.
1047208 The FortiGate virtual server does not setup an http2 connection with a WebSocket server due to a WAD process issue.
1058494 When snat-hairpin-traffic is enabled, SNAT is not automatically applied to hairpin traffic, causing a SNAT mismatch in strict-dirty-session-check.
1062333 FortiGate does not reply to an ARP request when VIP is disabled due to an iplist reference issue.

FortiGate 6000 and 7000 platforms

Bug ID Description
694958 On FortiGate 7000 models, the Power Supply status displays as Normal in the GUI when there is a logged power failure.
885205 IPv6 ECMP is not supported for the FortiGate 6000F and 7000E platforms. IPv6 ECMP is supported for the FortiGate 7000F platform.
986845 On FortiOS, the Security Fabric widget does not display information on blade status.
997161 On FortiGate 6000 FPCs and FortiGate 7000 FPMs the node process may consume large amounts of CPU resources, possibly affecting FPC or FPM performance. (You can run the diagnose sys top command from an FPC or FPM CLI to view CPU usage.) This problem may be caused by security rating result submission.
1018594 On FortiGate 7000, if gtp-mode is enabled and then disabled, after disabling gtp-enhanced mode and rebooting the device, traffic is disrupted on the FIM and cannot be recovered.
1022499 IPv6 routes are not fully synchronized between HA primary and secondary units.
1029415 On FortiGate 6000 models in an HA cluster, the secondary unit does not send out logs when an interface is configured.
1030917 FortiGate displays an erroneous error for high/low warning alarms. SFP data transfer functions as expected.
1032573 In an HA configuration, FortiGate does not respond to SNMP queries causing the device to display as being DOWN.
1033050 On FortiGate 6000 models in an HA cluster, the secondary unit does not send out automated stitch emails for certain events.
1035601 An SNMP query for policy statistics returns 0 on MBD.
1037965 When applying a script to a configuration, the updated configuration is applied to the FIM but is not fully synchronized on the FPCs.
1047553 HA remote access does not work as expected when ha-port-dtag-mode is double-tagging.
1057499 FIM interfaces are DOWN after restoring the root VDOM configuration due to a speed issue.

GUI

Bug ID Description
946521  

On the System > Interfaces page, the set monitor-bandwidth setting is not automatically disabled set when the interface bandwidth monitor for a port is deleted.
989512 When the number of users in the Firewall User monitor exceeds 2000, the search bar, column filters, and graphs are no longer displayed due to results being lazily loaded.
991573 In the Assets widget preview window of the Asset & Identities widget, clicking the Refresh button does not update the data.
992346, 993890 The Node.JS restarts and causes a kill ESRCH error on FortiGate after an upgrade.
1006079 When changing administrator account settings, the trusthost10 setting is duplicated.
1009143 On FortiOS, the time displayed in the CLI and in the GUI do not match.
1017181 The Node.JS restarts and causes an Error: The socket was closed while data was being compressed error.
1018682 When creating a firewall policy, applications groups with custom application signatures cannot be saved using the GUI.
1044745 On the Dashboard > User & Devices page on a VDOM, the Address column shows multiple devices with the FortiGate VLAN gateway instead of the Client IP.
1050865 When updating an administrator password in the GUI, the password expiration date does not update when the new password is created.
1058473 Expired licenses are still displayed in the GUI after 30 days.

HA

Bug ID Description
825380 When workspace configuration save mode is set to manual in the System > Settings, configuration changes made on the primary unit and then saved do not synchronize with the secondary unit when one of the cluster units are rebooted or shutdown after the change.
998004 When the HA management interface is set a LAG, it is not synchronized to newly joining secondary HA devices.
1002682 The VMware SDN connector does not respect the ha-direct setting and uses the management interface, causing traffic to be dropped.
1005596 Using RADIUS login on the secondary unit does not work as expected when trying to login to the primary and secondary units at the same time.
1015950 When upgrading a FortiGate VM Analyzer, a CPU usage issue causes the auto scale cluster to go out of synchronization.
1017177 A WAD processing issue causes the SNMP to not respond in an HA cluster.
1018937 In a FortiGate HA configuration, the tunnel connection to FortiManager is disrupted due to a mismatched serial number and local certificate issue.
1024535 In an FGSP cluster configuration running in TP mode, reply traffic in asymmetric flow is not offloaded to NP.
1027149 When creating a new VDOM in an HA configuration, FortiGate may not operate as expected due to an hasync issue.
1029441 In an HA cluster on the SOC4 platform, the secondary unit enters a continuous rebooting cycle due to an interruption in the kernel after a firmware upgrade.
1032415 On the System > HA page, all HA vcluster device roles display as Primary in the Role column.
1034326 In a HA cluster using FGSP mode, the primary and secondary units cannot synchronize the lease agreements due to a synchronization issue with the DHCP server.
1047094 The HA Secondary unit cannot communicate with FortiGate Cloud when it uses standalone-mgmt-vdom using the HA Primary unit.
1055336 Using the Test User Credentials button from the Radius Server in the GUI does not honor the custom nas-id-type.

Hyperscale

Bug ID Description
1024902 After FTP traffic passes, the npu-session stat does not display the accurate amount of actual sessions on FortiGate.
1034100 The NPD process is interrupted in a Hyperscale VDOM configuration after an upgrade and sessions are not setup on hardware.

ICAP

Bug ID Description
1022247 In an ICAP profile, the set request-failure bypass option does not work as expected resulting in traffic being blocked.

Intrusion Prevention

Bug ID Description
910267 In an FGSP setup running emix traffic, nTurbo values run in the negative.
979586 When applying an IPS profile with offloading enabled, WLAN authentication does not function as expected caused by EAP transaction timeouts.
1001860 On the Security Profiles > Intrusion Prevention page, when a new IPS filter is created with no filter selected, the Details column of the IPS Signatures and Filters table is blank instead of All Attributes.
1008107 Throughput capacity drops during failover to the secondary unit in an A/P cluster.
1011702 FortiGate experiences a CPU usage issue which may lead to an interruption in the kernel when dos-policy is enabled.
1026354 On FortiGate, the softirq experiences a CPU usage issue with the IPSengine when traffic hits a firewall policy without an IPS profile.
1040783 FortiGate encounters CPU usage issue due to IPSEngine utilization when using an app-ctrl utm profile.

IPsec VPN

Bug ID Description
942618 Traffic does not pass through an vpn-id-ipip IPsec tunnel when wanopt is enabled on a firewall policy.
986756 VPN traffic does not pass between VDOMs through intervdom links.
1002345 IKE daemon randomly does not operate as expected during phase1 rekeying depending on soft rekey margin, timing, and packet ordering.
1004272 On NP7 platforms that are used a hub in a hub and spoke configuration, traffic packets are dropped on IPsec tunnel spokes due to an anti-replay error.
1019269 On the VPN > IPsec Tunnels page, when language setting on FortiOS is set to anything other than English, the Status column displays active (green up arrow) when the tunnel is inactive.
1020250 A second IPsec tunnel cannot be added on different IP versions that use the same peerid.
1023871 IPSec IKEv2 with SAML cannot match the Entra ID group during EAP due to a buffer size issue.
1024558 IPsec interfaces created on 802.1ad + 802.3ad interfaces with NP offloading enable do not work as expected after a firmware upgrade.
1025202 After a peer-side interface shutdown and reboot, the dpd status does not return to OK, even when the peer-interface is up and SA renegotiated.
1027537 On the SOC4 platform, L2TP & ETHERIP traffic does not traverse through an IPSec tunnel with NP offload enabled.
1029262 IPsec VPN traffic does not pass over the tunnel when the HA heartbeat cable is reconnected.
1031963 The firewall hit and bytes counts display values of 0 in a policy-based VPN.
1031985 IPSec VPN tunnel does not go down when the VPN peer route is removed from the routing table.
1033154 FortiGate does not unregister the net_device causing the unit to encounter a performance issue.
1039988 When performing a SAML authentication, authd gets stuck in a loop due to a CPU usage issue.
1042324 The Phase1 monitor BGP remains active when the tunnel is DOWN.
1050646 FortiGate does not always send the full Server Certificate Chain causing disconnections with IKEv2 VPN using the native Windows client.
1057165 The IPsec tunnel with QKD experiences flapping each time a DHCP configuration/interface update occurs.

Log & Report

Bug ID Description
925649 An interruption may occur in the daemon locallogd when the system is in memory conserve mode.
1010244 When uploading the log file to the FTP server, some parts of the log files are not included in the upload.
1010428 On the Log & Report > System Events page, the log displays an FortiGate has experienced an unexpected power off error message when an interruption occurs in the kernel.
1011172 The miglogd does not forward log packages to FortiAnalyzer due to a memory usage issue.
1012862 User equipment IP addresses are not visible in traffic logs.
1018392 A memory usage issue in the fgtlogd daemon causes FortiGate to enter into conserve mode.
1021195 The IPS engine sends a high frequency of IoT device queries even when the device identification is set to disabled.
1025797 The appcat field location is inconsistently placed in the system log.
1028167 A system log message is not generated when syslogd setting is enabled or disabled in the GUI or CLI.
1028309 On FortiGate, a CPU usage issue occurs in the locallogd.
1034824 On the Log & Report > Forward Traffic page, application icons may not display in the Application Name column.
1040678 The first character User-Agent information is not included in the web filter log.
1044092 When filtering forward traffic logs using FortiAnalyzer as a source, data takes longer than expected to load and generates a memory error message.
1050071 The unset pac-file-data from pac-policy does not generate a system event log and the pac-file-data is deleted.
1060204 When the threat feed download times out, a system event log is not generated.

Proxy

Bug ID Description
723764 Replacement page is not provided to client when blocking traffic from an application control profile.
871273 When the kernel API tries to access the command buffer, the device enters D state due to a kernel interruption.
933502 When a forward server with proxy authorization is configured with certain traffic, a memory usage issue in the WAD process interrupts the operation of FortiGate.
949464 On FortiGate, a memory usage issue in the WAD process may cause the unit to enter into conserve mode.
956481 On FortiGate 6000 models, when an explicit proxy is configured, the TCP 3-way handshake does complete as expected.
982553 After upgrading from version 6.4.13 to version 7.0.12 or 7.0.13, FortiGate experiences a memory usage issue.
987483 On FortiGate, the WAD daemon does not work as expected due to a NULL pointer issue.
999118 TCP connections are not distributed properly when src-affinity-exempt is enabled.
1014778 When downgrading to a previous firmware version, the restoration of IoT device information results in an out of bound access interruption due to newly added iot attributes.
1021346 Starting from version 7.4.4, FortiOS no longer supports proxy-related features for FortiGate models with 2 GB RAM or less. When upgrading from FOS 7.4.3 or earlier to later versions, the UTM profile feature set was not properly changed from proxy to flow.
1021699 When some regex objects do not match the policy, it can result in all other objects in the same policy to not match.
1033729 An IMAP connection to an external application email server is not established in a proxy mode policy with DPI enabled.
1036201 A memory usage issue occurs in the WAD daemon process for wad-config-notify.
1042055 On FortiGate, an interruption occurs in the WAD process when in proxy-mode causing the unit to go into memory conserve mode.
1062516 The WAD process does not work as expected when FortiGate is configured as a HTTP load balancer with an HTTP session and changes are made to the virtual server live.
1067014 All wad-workers encounter a gradual memory usage issue, /proc/pid/maps shows increasing symbolic links to /tmp/casb_shm.

REST API

Bug ID Description
859680 In an HA setup with vCluster, a CMDB API request to the primary cluster does not synchronize the configuration to the secondary cluster.
1014694 The count and start API request attributes that required for some API endpoints are skipped, causing the REST API to not function as expected.
1026195 When importing a certificate using API, it is not visible on FortiOS despite displaying that the import was successful.

Routing

Bug ID Description
779825 In SD-WAN with interface-select-method enabled, if link performance is affected, local out traffic continues on the same link.
923994 On the Network > Static Routes page, VRF information does not display in the VRF column.
993843 On FortiGate 1800F models, the VXLAN tunnel on a Loopback interface does not match SD-WAN rules.
1002132 A BGP neighbor over GRE tunnel does not get established after upgrading due to anti-spoofing not functioning as expected.
1002851 BGP Stale routes do not function as expected in an HA configuration.
1003756 When creating a rule on the Network > Routing Objects page, the Prefix-list is set to 0.0.0.0 0.0.0.0 when an incorrect format is entered in the Prefix field.
1004249 FortiGate routes traffic to an interface with a physical status of DOWN.
1006753 When renewing the LTE WWAN IP, some packets are sent using the old IP address causing traffic to drop.
1008818 The default configuration of the Fabric Overlay Orchestrator causes concurrent disconnects with the BGP.
1011263 FortiGate does not advertise default route to its EBGP neighbor when capability-default-originate is enabled.
1013773 FortiGate does not automatically add the set LTE dynamic route to the routing table.
1020474 In a hub and spoke configuration, the IPsec SA MTU calculation does not match with the vpn-id-ipip encapsulation resulting in a fragmentation issue.
1021666 When adding a route using SD-WAN zone, there is no overlap check on existing gateway IP addresses which prevents routes from being added.
1022665 When the SNAT does not match the outgoing interface during failover from the secondary to the primary, SD-WAN traffic does not failover back to the primary WAN.
1023878 SD-WAN SLA shows intermittent disruptions of packet loss on all links simultaneously, even though there is no actual packet loss.
1025201 FortiGate encounters a duplication issue in a hub and spoke configuration with set packet-duplication force enabled on a spoke and set packet-de-duplication enabled on the hub.
1029460 Creating a BGP IPv4 network prefix or neighbor in the GUI unintentionally creates an empty IPv6 network prefix.
1031394 On the Network > Routing Objects page, the Set AS path on the Edit Rule pane does not allow the use of the full range AS numbers.
1042848 BGP multipath routing does not work as expected in a BGP confederation setup.
1046169 On FortiGate, outgoing traffic goes through the wrong interface for local-in traffic coming on an SDWAN interface.
1049721 When BGP enables local-as-replace-as and there is a network loop condition, the NLRI’s as-path is increased indefinitely.
1050992 IKE-SAML reply traffic does not egress from the same interface as ingress traffic when the route is present in the routing table.
1057135 The gateway/offload value of offloaded one-way UDP sessions is reset when unrelated routing changes are made.
1060456 When hovering over a vlan interface on the SD-WAN Rules tab on the Network > SD-WAN page, the interface shows as disabled in the SD-WAN rule even though it is active.

Security Fabric

Bug ID Description
972921 On the Security Fabric > External Connectors page, the comments are not working as expected in the threat feed list for the domain threat feed.
987531 Threat Feed connectors in different VDOMs cannot use the source IP when using internal interfaces.
1003503 During a full fabric upgrade where a PoE powered device (PD) connected to a Power Sourcing Equipment (PSE) are upgraded, the upgrade of the PD may be interrupted if the PSE finishes upgrading first, causing a boot loop on the PD. This behavior is now avoided by performing upgrades on PDs first before upgrading PSEs and the FortiGate itself.
1007607 When creating a new IPv6 address, SDN connectors cannot be added for dynamic addresses.
1008901 STIX threat feeds cannot download properly due to a JSON parsing issue.
1014961 The SDN Connector for nutanix does not return all the entries.
1019244 The System > Fabric Management page may not load properly after an unsuccessful federated upgrade.
1019284 When optimizing a security rating, resolving an alert for one rating causes another alert to appear for another rating and the alerts cycle between both ratings continuously.
1036018 When the Security Fabric is enabled and the FortiGate is set as root, the System > Firmware & Registration page does not load.
1042972 Cannot test an automation stitch that uses the Schedule trigger from the GUI.
1056262 With a FortiGate configured with a root-vdom and a mgmt-vdom, when an automation stitch is configured for a compromised host with IP-Ban action, the IP is banned from the mgmt-vdom.
1057862 FortiGate models with 2GB of memory that manage many extension devices (FortiSwitches and FortiAPs) may enter conserve mode due to the GUI process experiencing a memory usage issue over time.
1058589 Webhook requests use the same Content-Type: application/json in HTTP headers for all requests, even if it has a custom header.

SSL VPN

Bug ID Description
943971 On the VPN > SSL-VPN Settings page, when renaming a selected Restrict Access Host object, the object is deselected.
983513 The two-factor-fac-expiry command is not working as expected for remote RADIUS users with a remote token set in FortiAuthenicator.
999661 When changing SSLVPN access in the Restrict Access field to Allow access from any host and enabling the Negate Source option on the VPN > SSLVPN page, the changes made in the GUI are not reflected in the CLI.
1003672 When RDP is accessed through SSL VPN web mode, keyboard strokes on-screen lag behind what is being typed by users.
1004633 FortiGate does not respond to ARP packets related to SSL VPN client IP addresses.
1018928 A CPU usage issue occurs in the tvc daemon when the vpn server cannot be reached.
1024584 The SSL VPN IP pool may get exhausted when tunnel-connect-without-reauth is enabled.
1024837 OneLogin SAML does not work as expected with SSL VPN after upgrading to 7.0.15 or 7.4.3.
1027863 NAS-IP per SSL-VPN realm does not work as expected under the config vpn ssl web realm after upgrading firmware.
1041202 SSL VPN does not work as expected if an LDAP user UPN exceeds 35 characters.
1042457 Duplicate log entries are created for SSL VPN when the tunnel is up or down.
1048915 The SSL VPN web mode flag is determined incorrectly causing the authenticated POST request to be dropped.

Switch Controller

Bug ID Description
688724 A non-default LLDP profile with a configured med-network-policy cannot be applied on a switch port.
960240 On the WiFi & Switch Controller > Managed FortiSwitches page, ISL links do not display as solid connections.
1023888  

On the WiFi & Switch Controller > FortiSwitch Ports page, changes made to the Allowed VLANs and Native VLAN columns are not saved when edited on the GUI.
1032105 FortiGate in an HA configuration goes out of synchronization due to a split-port interface on FortiSwitch.
1033874 FortiGate does not work as expected due an issue with a null variable in the cu_acd.
1042390 On the WiFi & Switch Controller > SSID page, NAC policies using a Wildcard MAC Address cannot be saved using the GUI.

Workaround: use the CLI to perform the operation.
1052908 When the name of the FortiSwitch does not match its serial number, it shows up as not registered on the System > Firmware & Registration and Security Fabric > Fabric Connectors pages.
1058289 FortiGate 90G and 91G models only supports up to 8 FortiSwitches and not 24 due to table size issue.

System

Bug ID Description
907752 On FortiGate 1000D models, the SFP 1G port randomly experiences flapping during operation.
916172 GRE traffic is still allowed to flow through when the GRE interface is disabled.
917886 On FortiGate, fragmented packets with specific flow types are not forwarded to the correct ports on a LAG interface.
948875 The passthrough GRE keepalive packets are not offloaded on NP7 platforms.
956697 On NP7 platforms, the FortiGate maybe reboot twice when upgrading to 7.4.2 or restoring a configuration after a factory reset or burn image. This issue does not impact FortiOS functionality.
966237 On NP7 platforms, egress shaping on a physical interface is not enforced on traffic according to the shaping profile definition.
966384 On FortiGate 401F and 601F models, the CR mediatype option on x5-x8 ports is not available.
967436 DAC cable between FortiGate and FortiSwitch stops working after upgrading from 7.2.6 to 7.2.7.
972170 On FortiGate 80F models, the 100FULL speed option is not available for the SPF port.
975778 VLAN traffic is stopped when created on LACP with split-port-mode configured.
976314 After upgrading FortiGate and not changing any configuration details, the output of s_duplex in get hardware nic port command displays Half instead of Full. This is purely a display issue and does not affect system operation.
978122 FortiGate experiences packet drop when egress-shaping-profile is applied to a LAG interface.
981433 The ipmcsensord does not work as expected when executing sensor-related commands before the high-end device sensor finishes booting up.
986926 On the FortiGate 90xG models, the ULL interfaces for x5 – x8 are down after being set to 25G speed.
989629 FortiGate does not show additional speed options outside of auto on a WAN interface.
991264 The locallogd process may cause a CPU usage issue on FortiGate.
995442 FortiGate may generate a Power Redundancy Alarm error when there is no power loss. The error also does not show up in the system log.
995967 When FortiGate firmware is upgraded, the interface speed changes from auto to 1000 full.
997563 SNMP ifSpeed OID show values as zero on VLAN interfaces in hardware switches.
999816 FortiGate 100 models may become unresponsive and prevent access to the GUI, requiring a reboot to regain access due to an issue with the SOC3.
1000194 FortiGate does not show QoS statistics in the diagnose netlink interface list command when offloading is disabled in a firewall policy and IPsec phase 1 tunnel on NP7 platforms.
1001133 After an upgrade, FortiGate receives a PSU RPS LOST traps error despite not having any RPS connected.
1001722 VLAN/EMAC VLAN traffic is unexpectedly blocked under certain conditions.
1001938 Support Kazakhstan time zone change to a single time zone, UTC+5.
1002323 After restoring a configuration on FortiGate with the interface changed from aggregate to physical, the interface switches back to aggregate and cannot be changed back to physical.
1004883 VLAN traffic is stopped when created on LACP with split-port-mode configured.
1005573 FortiGate incorrectly sends set csr instead of set certificate to FortiManager after auto enrolling a certificate using SCEP.
1006024 Administrator accounts using an admin profile with only FortiGuard Updates read-write permissions cannot open the FortiGuard page.
1006685 FortiGate enters a loop cycle and generates a large number of LCAP packets when FortiGate does not receive LCAP packets from a peer device.
1008022 After a restarting FortiGate from the GUI, the auto-nego SFP port settings are not reflected in FortiGate.
1009278 Traffic does not hit a new policy created in the GUI or CLI due to an auto-script command issue.
1011968 Jumbo frame packets do not pass through all split ports and may cause packets to drop.
1015736 On FortiWiFi 60/61F models, the STATUS LED light does not turn on after rebooting the device.
1017446 Some TTL exceeded packets are not forwarded on their destination and an error message is not always generated.
1018022 On FortiGate, VXLAN traffic is not offloaded properly resulting in some packets being dropped.
1018843 When FortiGate experiences a memory usage issue and enters into conserve mode, the system file integrity check may not work as expected and cause the device to shutdown.
1019749 On a VDOM, running sudo global show does not return any system interfaces information.
1020602 After configuring a virtual wire pair (VWP) setting, it is not present in FortiGate after a reboot.
1020921 When configuring an SNMP trusted host that matches the management Admin trusted host subnet, the GUI may give an incorrect warning that the current SNMP trusted host does not match. This is purely a GUI display issue and does not impact the actual SNMP traffic.
1021355 FortiGate encounters a CPU usage issue when there are a high volume of traffic and scripts running on the device which could lead to an issue with performance.
1021542 FortiGate reboots twice after a factory reset when gtp-enchanced-mode is enabled.
1021632 FortiGate may experience intermittent traffic loss on an LACP interface in a virtual wire pair with l2forward enabled.
1022935 FortiGate experiences a CPU usage issue when dedicated-management-cpu is enabled.
1024737 On FortiGate, when set ull-port-mode is set to 25G, ports x5-x8 show a status of DOWN.
1025503 On the Network > Diagnostics page, FortiGate shows that the packet capture capacity has been reached when there is no captured packet on the device.
1025576 Passthrough GRE traffic using Transparent Ethernet Bridging packets as the protocol type are not offloaded on NP7 platforms.
1025870 On FortiGate Rugged FGR70F-3G4G models, wan1 and wan2 port mode changes to static after a factory reset.
1029351 The OPC VM does not boot up when in native mode.
1029353 The SNMP trap is not sent out when a virus is detected on the antivirus scanner.
1032018 The SFP+ port LED does not illuminate and displays a speed 10Mbps even though the link status up and speed is set to 1000Mbps.
1034286 FortiGate does not auto negotiate to Full duplex when connecting to FortiSwitch due to a duplication error.
1034322 FortiGates using a SOC4 platform with a virtual switch configured may continuously reboot when upgrading due to an interruption in the kernel.
1037075 On FortiGate, an interruption occurs in the kernel when running WAD process monitoring scripts.
1037393 FortiGate reboots due to the maximum buffer length difference between nTurbo and NPU HW. NPU will fragment packets which are more than 10000, but carries wrong extend info to nTurbo in the 2nd fragment.
1041165 The MAC Authentication Bypass (MAB) does not initiate on a virtual switch due a kernel configuration issue.
1041457 The kernel 4.19 cannot concurrently reassemble IPv4 fragments for a source IP with more than 64 destination IP addresses
1041669 FortiGate does not upgrade if private-data-encryption is enabled and the device is not rebooted.
1043979 An interruption occurs in the kernel resulting in intermittent power disruptions and rebooting of FortiGate.
1046966 When upgrading FortiGate from version 7.4.3 to 7.4.4, if a set vlan 3 setting is present, the device repeatedly reboots and does not boot up.
1048299 User names for some cloud-based services cannot be configured under config system email-server that exceed 64 characters.
1049119 FortiGate encounters an interruption in the kernel due to a NULL pointer issue.
1050908 In some scenarios, when FortiGate as a DHCP client sends out DHCP-REQUEST packets, the SRC IP address is set in the IP header.
1051961 On FortiGate, IP addresses cannot be assigned within a configured IP range due to a DHCP server issue.
1052004 FortiGate encounters a memory usage issue when there is no traffic running and the configuration is not fully loaded.
1053536 On FortiGate, the console displays error messages when adding Pre and Post-login banners due to a rare error condition.
1058397 On FortiGate 900 models, when the baudrate is configured, the changes are not applied and is set to 9600.
1061334 FortiGate returns a string with a % sign for the OID 1.3.6.1.4.1.12356.101.4.8.2.1.8 (fgLinkMonitorPacketLoss).
1061413 EXPIRE dates are not displayed properly when executing the get sys fortiguard-service status command due to a formatting issue.

Upgrade

Bug ID Description
955835 When auto-upgrade is disabled, scheduled upgrades on FortiGate are not automatically canceled.
1013821 On FortiGate, an interrupted occurs in the kernel in both HA FortiGates when an HA cluster’s firmware is upgraded.
1025687 After a firmware upgrade, the config system npu-post command does not work as expected.
1027462 When restoring an FortiGate, the 7.4.1 config file with deprecated Inline CASB entries displays errors messages and causes the confsyncd to not function as expected.
1031574 During a graceful upgrade, the confsync daemon and updated daemon encounter a memory usage issue, causing a race condition.

User & Authentication

Bug ID Description
974298 When using the local-in firewall authentication with SAML method, SAML users cannot get access using the authentication portal.
989760 On the System > Certificates page, error Unable to create certificate displays when uploading certificates using the PKCS12 (.pfx) format. The certificates are still uploaded.
1001026 Users are unable to use passwords that contain the ñ character for authentication.
1004258 The Strict-SNI SSL Profile might block connections even if SNI and Certificate CN match.
1009213 After upgrading firmware on FortiGate, an interruption occurs in the fnbamd resulting in auto-connect not working as expected.
1009884 FortiGate encounters a CPU usage issue in the authd process after a firmware upgrade.
1016112 SSL VPN access is prevented when the LDAP server includes a two-factor authentication filter.
1018846 When SCEP is used with SSL connections, some TLS connections are missing the SNI extension on FortiGate.
1021157 Users are unable to use passwords that contain Polish characters ńżźćłśąó for RADIUS authentication.
1023605 Multiple errors observed in the IOTD debug log caused by connection timeouts.
1034898 After a firmware upgrade, FortiToken does not work as expected when using the GUI.
1036265 The reply-to option under config system alertmail is removed even for custom mail-servers with 2-factor authentication after an upgrade.
1039004 The username-case-sensitive disable setting is not respected for RSSO when a username has a capital letter.
1039490 FortiGate does not use a policy with deep inspection enabled on SSL profiles for SWG user access.
1039663 The TACACS+ connection times out, irrespective of the remoteauthtimeout setting, due to an issue with the ldapconntimeout setting, after upgrading to version 7.4.4.
1039771 FortiOS may reply to an FTM push message using a different egress interface instead of the original interface.
1050942 The Active Firewall-Authentication for 2FA FAC RADIUS users using PAP method does not work as expected after upgrading to version 7.4.4.
1060009 On FortiGate, RADSEC sent incorrect accounting packets due to a hashing issue.

VM

Bug ID Description
938382 OpenStack Queens FortiGate VM HA heartbeat on broadcast is not working as expected.
954962 The Client Hello packet is delayed connecting to FortiGate proxy-based mode and certificate inspection in an AWS GWLB environment using a GENEVE interface.
967134 An interrupt distribution issue may cause the CPU load to not be balanced on the FG-VM cores.
980683 After upgrading FortiGate, the VM license status is removed even though the VM license is still valid.
996389 AWS SDN Connector stops processing caused by the IAM external account role missing the sts:AssumeRolevalue.
998208 The FortiGate-VM system stops after sending an image to the HA secondary during an firmware upgrade due to different Flex-VM CPU license.
999599 On FortiGate AWS, the IPsec configuration goes missing after an upgrade due to an inconsistent table-size.
1006570 VPN tunnels go down due to IKE authentication loss after a firmware upgrade on the VM.
1012927 When FortiGate returns an ICMP TTL-EXCEEDED message, the geneve option field header is missing.
1016327 After rebooting, DPDK mode is disabled on a VLAN interface and traffic stops.
1030534 On FortiGate, an HA failover does not work as expected when using an OCI environment.
1036917 When a intended policy is configured for interesting traffic subnets, traffic flow hits the implicit deny rule instead of the configured policy.
1040088 In an HA configuration, the secondary unit heartbeat port is accessible even though access to the interface is not allowed on that unit.
1046696 A FortiGate VM HA in Azure Cloud may intermittently go out of synchronization due to an issue in the daemon process.
1054244 FortiToken does not work as expected after moving a FortiGate-VM license to a new VM with the same serial number.
1058355 FortiGate VM Azure does not work as expected and enters into conserve mode in vWAN setup.
1073016 The OCI SDN connector cannot call the API to the Oracle service when an IAM role is enabled.

Web Application Firewall

Bug ID Description
1071022 A matched pattern in the HTTP body cannot be blocked with a waf profile for some content types.

Web Filter

Bug ID Description
975115 FortiGate prevents adding a regex string to a static URL filter table.
1026023 The webfilter and traffic logs show the incorrect realserver IP address due to a WAD process issue.
1045884 When enabling the log all search keywords in the web filter profile and VDOM mode is disabled, the Key Word column is not populated with data.

WiFi Controller

Bug ID Description
908282 On FortiGate, an interruption occurs with the cw_acd during failover to the secondary FortiGate.
949682 Intermittent traffic disruption observed in cw_acd caused by a rare error condition.
989929 A kernel interruption occurs on FortiWiFi 40F/60F models when WiFi stations connect to SSID on the local radio.
1001672 FortiWiFi reboots or becomes unresponsive when connecting to SSID after upgrading to 7.0.14.
1012433 Guest WiFi clients cannot be removed using RADIUS CoA after FortiGate reboots.
1017238 On the WiFi & Switch Controller > SSIDs page, when creating new SSIDs, settings cannot be saved with captive portal enabled and a Portal Type of Disclaimer Only or Email Collect.
1019680 FortiWiFi cannot access internal FAP consoles due to a login prompt issue in diagnose sys modem com.
1028181 Wi-Fi devices would encounter service delay when roaming over captive-portal SSID with MAC-address authentication.
1048928 Cannot retrieve DHCP IP’s from the assigned VLAN when connecting Bridge SSID with RADIUS-based MAC authentication.

ZTNA

Bug ID Description
944772 FortiGate does not use data from FortiClient to send the VPN snapshot to EMS.
998172 When first connecting to the ZTNA server, the EMS websocket can become stuck and an error displays ZTNA Access Denied – Policy restriction!.
1008632 When visiting SaaS application web pages using ZTNA, web pages can stall or return an ERR_CERT_COMMON_NAME_INVALID error.
1012317 ZTNA intermittently does not match the firewall policy due to missing information in the policy.
1018303 ZTNA does not allow tcp-forwarding SSH traffic to pass through.
1026930 An interruption occurs in the WAD process causing TCP connections to stop for ZTNA proxy policies.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID CVE references
1031370 FortiOS 7.4.5 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-51385

Notatki producenta: FortiOS 7.4.5 Release Notes

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie

Post Views: 188

7.4.5 FortiOS FortiOS 7.4.5

Poprzedni artykułFortiAnalyzer 7.4.4Następny artykuł VMware ESXi 8.0 Update 3b

Najnowsze

FortiOS 7.0.1630 października 2024
FortiManager 7.6.130 października 2024
FortiAnalyzer 7.4.522 października 2024

Kategorie

  • Acronis
  • Aktualności
  • Bez kategorii
  • ESET
  • F-Secure
  • FortiAnalyzer
  • FortiAP
  • FortiAuthenticator
  • FortiClient
  • FortiDeceptor
  • FORTIGATE
  • FORTIMAIL
  • FortiManager
  • FortiNAC
  • FortiSIEM
  • FORTISWITCH
  • FortiWeb
  • NAKIVO
  • Proget
  • Qnap
  • Stormshield
  • Szkolenia
  • Veeam
  • VMware
  • WithSecure

Tagi

6.0.6 6.2.2 6.2.7 6.4.0 6.4.4 6.4.5 6.4.8 7.0.0 7.0.2 7.0.5 7.2.0 7.2.2 Eset eset endpoint antivirus eset endpoint security ESET Inspect ESET Protect ESET Protect Cloud F-Secure f-secure client security FMG FortiAnalyzer forti analyzer FortiAP fortiap-w2 FortiAuthenticator FortiClient FortiClientEMS forticlient ems FortiGate FortiMail FortiManager FortiNAC Fortinet FortiOS FortiSIEM FortiSwitch FortiWeb vCenter vCenter Server VMware VMware ESXi vmware esxi 8.0 vmware vcenter VMware vCenter Server

MENU

  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Cyberbezpieczny Samorząd
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • Kontakt

BLOG TECHNICZNY

FortiOS 7.0.1630 października 2024
FortiManager 7.6.130 października 2024
FortiAnalyzer 7.4.522 października 2024

KONTAKT

+48 500-413-313
biuro@b-and-b.plhttps://www.b-and-b.pl
8:00-16:00
RODO | POLITYKA PRYWATNOŚCI
OGÓLNE WARUNKI REKLAMACJI

BEZPIECZEŃSTWO W BIZNESIE 2024 - wszystkie prawa zastrzeżone

MENU

  • Start
  • O nas
  • Produkty
  • Usługi
    • Szkolenia
    • Cyberbezpieczny Samorząd
    • Audyt bezpieczeństwa informacji
      • Testy penetracyjne
      • Testy ataków socjotechnicznych
    • Audyt konfiguracji Fortigate
    • Prezentacje
    • Wdrożenia
  • Blog techniczny
  • Pomoc
  • Kariera
  • Kontakt

BLOG TECHNICZNY

FortiOS 7.0.1630 października 2024
FortiManager 7.6.130 października 2024
FortiAnalyzer 7.4.522 października 2024

Kontakt

+48 500-413-313
biuro@b-and-b.pl
8:00-16:00
Add new entry logo

Korzystamy z plików cookies lub podobnych technologii, by lepiej dopasować treści na stronie do Twoich potrzeb.
W każdej chwili możesz zmienić ustawienia cookies. Polityka prywatności

Akceptuję Odmów
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
  • Always Active
    Necessary
    Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
  • Marketing
    Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
  • Analytics
    Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
  • Preferences
    Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
  • Unclassified
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.