Fortinet has released a software update for FortiWeb, version 7.0.4. It resolves issues with the HA cluster, speeds up network traffic processing, fixes a problem that caused memory leaks, resolves problems with admin certificates, and fixes a bug that caused traffic to be processed incorrectly. For more details, read on.

Supported models:
- FortiWeb 100D
- FortiWeb 400C
- FortiWeb 400D
- FortiWeb 400E
- FortiWeb 600D
- FortiWeb 600E
- FortiWeb 1000D
- FortiWeb 1000E
- FortiWeb 2000E
- FortiWeb 3000D/3000DFsx
- FortiWeb 3000E
- FortiWeb 3010E
- FortiWeb 4000D
- FortiWeb 4000E
- FortiWeb 100E
- FortiWeb 2000F
- FortiWeb 3000F
- FortiWeb 4000F

What's new in FortiWeb 7.0.4:
- 100-continue headers
  - New CLI commands are added to control how FortiWeb interacts with clients and servers when forwarding the 100-continue headers.

        config server-policy policy
          edit <policy-name>
            set reply-100-continue {enable | disable}
            set forward-expect-100-continue {enable | disable}
          next
        end

- Enhancement on HA fail-over upon core dump
  - A new CLI command is introduced to trigger HA fail-over upon proxyd coredump, so that the secondary node can immediately take over the traffic when coredump file is being generated on the primary node.

        config server-policy setting
          set enable-core-file enable
          set corefile-ha-failover enable
        end

    Please note you should enable enable-core-file as well for the corefile-ha-failover to work. From 7.0.4, enable-core-file is by default disabled.

- Signature Algorithm setting for TLS1.2
  - When tls12-compatible-sigalg is enabled, signature algorithm negotiation in TLS handshake for FortiWeb behaves exactly the same as OpenSSL 1.1.0.

        config server-policy setting
          set tls12-compatible-sigalg enable
        end

Resolved issues:

Bug ID | Description |
---|---|
0860696 | HTTP Parsing error occurs after rebooting proxyd or FortiWeb |
0858699 | Let’s Certificate status shows OK for non existing domain. |
0856101 | When core-file-count is 3, the newly generated coredump file will always be removed and cannot be displayed. |
0851929 | HA module needs to synchronize MAC address of all physical interfaces. Currently the maximum restrict is 20. |
0850228 | Frequent and fast certificate operations cause policy reload issue. |
0848148 | Slow traffic processing due to the web shell detection modules. |
0847495 | Memory leakage issue due to web socket traffic. |
0846656 | Admin certificate cannot work after upgrade to 7.0.2/7.0.3 |
0846369 | SNMP-inaccurate interface speed reported for 10G interface. |
846332 | WAD site shows as disconnected and no files being backed up even though connection test shows successful. |
0843673 | Proxyd crashes under HTTP/2 stress with 1024 KB page size in TTP mode. |
0845822 | Specification issues about server pool. |
0841704 | Secondary unit is stuck in INIT state. The CRLF converting rules break the HA sync status. |
0841686 | The health status is Unavailable because we do not use the standard Azure Linux Agent |
0841635 | Remove the filter pserver-ip in diagnose debug flow under non-RP platforms. |
0840279 | Parser using uninitialized data causes hdb_dump to crash. |
0840259/0835458/0757998 | There is a dead lock in client management process, which will trigger connection failure. |
0839557(Need Verify) | Expecting 100-Continue header causes application delay for about 3 seconds with SOAP UI application when enabling XML Protection. |

Vendor release notes: FortiWeb 7.0.4

Best regards,
The B&B Team
Bezpieczeństwo w biznesie