Software vendor Fortinet has released a new software version for its FortiWeb product, version 6.3.17. In 6.3.17 the command execute redis rebuild was added to rebuild ML and Client Management data. The update fixes a problem with slow application performance when network traffic increases, and a problem with cookies not being added to the HTTP request when it is forwarded to the real server. For more information, read the rest of the article.
What's new:
Optimization of IP Protection policies
To optimize performance, FortiWeb now executes IP Reputation and IP List policies at the TCP layer so that HTTP packets from blocked sources are not processed unnecessarily. This is only enabled when Server Objects > X-Forwarded-For is not used. The trigger action can now also be set to Deny (no log) or Period Block to avoid alert flooding.
includeSubDomains and preload headers support
The includeSubDomains and preload options are now supported in the HSTS Header (Server Policy > Add HSTS Header).
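As an added example (not code from Fortinet or from the original article), a small Python check that parses a Strict-Transport-Security header value and reports whether includeSubDomains and preload are present, the kind of verification worth running after enabling the new options (or when confirming the fix for bug 0754230). The one-year max-age threshold is the hstspreload.org submission requirement, an assumption beyond what this page states.

```python
# Preload-list submission requires max-age of at least one year (31536000 s)
# plus includeSubDomains and preload (hstspreload.org requirement, assumed here).
MIN_PRELOAD_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive (RFC 6797). Values are kept as
    strings; valueless directives (includeSubDomains, preload) map to None.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def check_hsts(header_value):
    """Return a list of findings; an empty list means the header is preload-ready."""
    findings = []
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        findings.append("max-age below one year (%s)" % max_age)
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload missing")
    return findings


# Constructed sample headers: a header without the two directives, and one
# with the includeSubDomains/preload options enabled.
BEFORE = "max-age=31536000"
AFTER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, check_hsts(hdr) or "OK")
```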
Removing support for RestAPI 1.0
For security reasons, RestAPI 1.0 is not supported in FortiWeb 6.3.17 and later versions. From this release on, only RestAPI 2.0 is supported.
Redis database rebuild
A new command execute redis rebuild is added to clean and rebuild the database for ML and Client Management. The old command execute redis rebuild is now used to rebuild the database for disklog.
Currently supported models:
Supported Hardware:
- FortiWeb 100D
- FortiWeb 400C
- FortiWeb 400D
- FortiWeb 400E
- FortiWeb 600D
- FortiWeb 600E
- FortiWeb 1000D
- FortiWeb 1000E
- FortiWeb 2000E
- FortiWeb 3000D/3000DFsx
- FortiWeb 3000E
- FortiWeb 3010E
- FortiWeb 4000D
- FortiWeb 4000E
- FortiWeb 100E
Supported hypervisor versions:
- VMware vSphere Hypervisor ESX/ESXi 4.0/4.1/5.0/5.1/5.5/6.0/6.5/6.7/7.0
- Citrix XenServer 6.2/6.5/7.1
- Open source Xen Project (Hypervisor) 4.9 and higher versions
- Microsoft Hyper-V (version 6.2 or higher, running on Windows 8 or higher, or Windows Server 2012/2016/2019)
- KVM (Linux kernel 2.6, 3.0, or 3.1)
- OpenStack Queens 17.0.5
- Docker Engine CE 18.09.1 or higher versions, and the equivalent Docker Engine EE versions; Ubuntu 18.04.1 LTS or higher versions
- Nutanix AHV
FortiWeb is tested and proven to function well on the hypervisor versions listed above. Later hypervisor releases may work but have not been tested yet.
To ensure high performance, it is recommended to deploy FortiWeb-VM on machine types with at least 2 vCPUs and more than 8 GB of memory.
Resolved issues:
| Bug ID | Description |
|---|---|
| 0761752 | In 6.3.17, a CLI command execute redis rebuild has been added to rebuild ML and Client Management data. |
| 0760190 | A saved attack log filter does not apply properly if it is selected immediately after applying another filter. |
| 0759242 | The source IP shown in the attack log is not correct when Client Real IP is enabled in the Server Policy. |
| 0759137 | Config-sync crashes when timezone >= 10 (GMT-6:00) Saskatchewan. |
| 0758200 | The SQL/XSS Syntax Based Detection module has false positives. |
| 0757846 | "Certificate Verification for HTTPS" should be grayed out when "Enable Strict SNI" in the policy is enabled. |
| 0755118 | Web Cache: continuation cached HTTP packets are sent to the client after 304 Not Modified is sent by the Cache Module. |
| 0754375 | GUI: the bottom left-to-right scroll bar is missing on the HTTP Content Routing page. |
| 0754282 | FortiWeb does not add all the cookies in the HTTP request while forwarding it to the real server. |
| 0754230 | Missing "includeSubDomains; preload" in the HSTS header. |
| 0753521 | The Parameter Validation module may not work properly. |
| 0752769 | The message "is not a qualified HTTP hostname" is displayed when creating a new report. This is caused by a hostname that is too long. |
| 0752531 | Memory failure occurs when executing diagnose hardware check all. |
| 0750312 | High memory usage: proxyd restarts due to OOM. |
| 0734471 | Application slowness when traffic increases. |
Common Vulnerabilities and Exposures
| Bug ID | Description |
|---|---|
| 0759713 | FortiWeb 6.3.17 is no longer vulnerable to the following CWE reference: CWE-384. |
| 0757476/0754591/0753920 | FortiWeb 6.3.17 is no longer vulnerable to the following CWE reference: CWE-121. |
| 0754269 | FortiWeb 6.3.17 is no longer vulnerable to the following CWE reference: CWE-122. |
| 0753313 | FortiWeb 6.3.17 is no longer vulnerable to the following CWE reference: CWE-120. |
| 0752799/0753292/0753293 | FortiWeb 6.3.17 is no longer vulnerable to the following CWE reference: CWE-78. |
| 0744041 | FortiWeb 6.3.17 is no longer vulnerable to the following CWE reference: CWE-347. |
Known issues:
| Bug ID | Description |
|---|---|
| 0718583 | When the Virtual Server's VIP item is changed to enable the interface IP, the original VIP field cannot be deleted even though it is not in use. |
| 0684107 | On failure to allocate memory, the QAT library returns 0 rather than -1 to stop OpenSSL from proceeding, causing proxyd to crash. |
Vendor release notes: FortiWeb 6.3.17
Regards,
The B&B Team
Bezpieczeństwo w biznesie