Fortinet Document Library

Built-In IPS Engine

Resolved Engine Issues

| Bug ID | Description |
|---|---|
| 400997 | Backport TLS 1.3 support for IPS engine 4.0. |
| 466084 | Added parameter default and multiple lines support; a new feature related to Mantis 466084 and the new SCADA/ICS NFR 571919. |
| 478628 | Fixed crash when copying to packet mime_body buffer. Fixed crash when ZIP uncompressed size is bigger than INT_MAX. |
| 513692, 594505 | Fixed cross session tags with multiple engine processes. |
| 519869 | Fixed a specified service with default TCP protocol. |
| 524362 | Fixed IPS engine dropping FIN-ACK packets for flow-based AV. |
| 540344 | In some cases when SNI verification failed, the IPS engine crashed. |
| 540902 | Fixed reply to FIN+ACK retransmission with a seq=0 and ack=0 packet. |
| 545592 | Fixed intermittent web access issue with SSL session ticket. |
| 546787 | In some rare cases, the RTP/RTSP/RTCP dissector resulted in a crash. |
| 550227 | FortiGate IPS logs kept showing attackid=0 for P2P traffic. |
| 552326 | Port IPS tag database improvement patch for IPS 4.0. |
| 554062 | Fixed wait time being too long in sniff mode. |
| 554219 | Always choose explicitly configured rules over implicit ones. |
| 557379 | Do not generate a random serial number for a resigned server certificate. |
| 557944 | Avoid padding oracles due to different handling of invalid record MAC and invalid padding. Fixed incomplete HMAC validation and crashes. Fixed IPS engine crash when doing CBC HMAC validation. |
| 561936 | Fixed web rating overrides that do not work with an external proxy. |
| 562832 | Do not filter out application signatures based on applications detected in host session. |
| 563177 | Fixed incorrect SACK. |
| 565955 | Fixed IPS engine high memory usage issue. |
| 568328 | Fixed botnet database loading crash on Windows and removed garbage strings from the database. |
| 568873 | Fixed inconsistent local URL filtering for SSL sessions. |
| 569143 | CIFS AV flow-based mode allowed malware that was blocked via HTTP. Changed the value of SMB2_OOO_LIMIT to 4 MB. |
| 570961 | Apply URL filtering in packet error handler for certificate inspection as well. |
| 574745 | Create different sessions for the same session from a different policy. |
| 579294 | Support UTF-8 for flow web filter URL database. |
| 580113, 595060 | Malware could not be detected when both IPS and AV were enabled. |
| 580113 | Fixed HTTP decoder not sending file to flow-based AV. |
| 584073 | Fixed crash on HTTP2 control when getting content disposition. |
| 586005 | Fixed negative session expire time. |
| 586544 | Fixed IPS intelligent mode not working on random traffic. |
| 587668 | Fixed IPS engine signal 11 crash. |
| 589653 | Check null pointer before dereference. Use -Os to compile for the FSOC2/FSOC3 platforms. |
| 592618 | Do not perform URL filter query if SNI is not yet verified. |
| 593886 | Use greased SSL extension to fill the gap in a session ticket extension. |
| 594588 | Fixed an IPS engine crash caused by session release. |
| 594931 | Check whether IPSA database is up to date before compiling to avoid an unnecessary IPSA database compile. |
| 596808 | Fixed an IPS engine crash happening in SSL packet finish handler. |
| 598036 | Improved the way session ID cache cleans up. Reset SNI cache when it is around 90% full. |
