Resolved issues

The following issues have been fixed in FortiProxy 7.0.4. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description
754289 The WAN-optimization daemon (WAD) crashes with signal 11 when running the autotest group.
764817 You cannot import the Kerberos keytab file unless it has been encoded with base64.
768980 The set host-regex command is not working correctly.
770178 When a proxy address is used as the destination in a policy, unrelated traffic matches the policy.
773614 An error message is returned when trying to delete a new admin user in the CLI.
777370 When fast-match is disabled, the HTTPS request fails to match the source proxy address in the policy.
777718 The WAD should use the port in the TCP header to match the service field.
778766 The web proxy does not forward the HTTP request to the forwarding server when FQDN is used to configure the web-proxy forward-server.
782085 Session-based authentication does not redirect the request to the captive portal.
783072 The WAD does not perform a health check for the web-proxy forwarding server.
783145 The Cyrillic alphabet is not displayed correctly in the logs.
783201 Web caching is using too much memory.
783811 The web proxy does not forward requests to the forwarding server when FQDN is used as the address of the forwarding server for web proxy.

783837 After upgrading FortiProxy from an HA cluster, the primary FortiProxy license status changes to “Warning.”

783946 When the source is a ClearPass dynamic object, the explicit proxy policy does not deny the request.
784337 The Open Virtualization Format (OVF) file contains fortios.vmdk instead of fortiproxy.vmdk.

784797 SSH-over-HTTP traffic is redirected to the SSH policy, even when ssh-policy-redirect is disabled.

784891 When editing a firewall policy in the GUI, the “Proxy Options,” “Disclaimer Options,” and “Security Profiles” sections are missing when the type is set to ssh, ssh-tunnel, wanopt, or ftp.
784974 Computer names are being used for authenticated users, instead of the user names.

785058 The default setting for servercert (under the config vpn ssl settings command) is null.
785232 The SSL-VPN daemon crashes during a quick HTTP connection from the VPN portal.

785247 When explicit FTP is being used, unknown commands should return a 530 message.
785342 When a proxy request is sent using the SOCKS4A protocol, the request fails.
785743 Web application firewall (WAF) profiles block access to hosted websites, instead of illegal HTTP versions.
786194 The Category Usage Quota area is missing from the FortiProxy GUI.
787027 The Content Disarm options of the antivirus profile are not displayed correctly in the GUI.

787496 There is a WAD memory leak.
788697 After upgrading to FortiProxy 2.0.8, when the type of destination address is set to URL category, the URL is blocked. Workaround: Use an allow policy in front of the blocking policy.
788698 After upgrading to 7.0.3, the logout page cannot be accessed after logging in with form-based authentication.
789150 The Duration field of the HTTP Transaction log shows seconds, instead of milliseconds.
789520 When a policy has the action set to isolate and the service set to http-connect, websites are not being properly isolated.
789600 When a firewall policy has the proxy-address type set to URL Category, the policy does not correctly block the specified categories.
789960 The user cannot create a three-node Config-Sync cluster.
789982 If the URL category is used in the firewall policy, websites are not being properly blocked.
791235 Exempting traffic from SSL inspection in the SSL/SSH inspection profile does not work.
791668 The shaping profile is not being used by the shaping policy.

792579 Implicit Deny Policy logs and HTTP transaction logs are not working.

793251 IPv6 address group objects cannot be added to the policies.
793687 The set ip-src-port-range command is not working.
794537 The default value for set tcp-window-type (under config firewall profile-protocol-options) should be auto-tuning.
794753 After upgrading from 7.0.1 to 7.0.3, a proxy user who was authenticated by LDAP cannot access the basic authentication web page.
795159 Traffic is triggering the wrong policy when the source is a proxy-address type header.
795621 When the antivirus profile is using deep inspection, some website uploads are denied.
795970 When the ICAP profile is configured, web pages cannot be fully displayed.
796152 When the transparent proxy is received, there is a WAD memory leak.

796489 The Digest Algorithm options are missing in the FortiProxy GUI.
796574 The authentication scheme for the SAML method cannot be saved in the GUI.

796664 Domain-fronting should be disabled on HTTP2 traffic.

797609 When the IPv6 default route is configured, the gateway route is not installed.
798027 Multiple WAD worker crashes cause the “Access Denied - The Maximum web proxy user limit has been reached.” error to be reported.
798054 When using deep SSL inspection, a web page produces an error but loads eventually.
798745 The original HTTP request should be forwarded to the web server.
799171 The WAD crashes when the configuration is being changed in a transparent firewall policy.
799214 The HTTPS request is not being forwarded to the forwarding server.
799278 The set dedicated-to management command (under config system interface) is not working correctly.
799847 Sometimes the Internet cannot be accessed when transparent mode, the Internet Service Database, and user authentication are being used together.
800243 The management interface should only listen for ports listed in the set allowaccess command.

Common vulnerabilities and exposures

FortiProxy 7.0.4 is no longer vulnerable to CVEs in the following weakness classes (CWE):

  • CWE-79

  • CWE-120

  • CWE-124

  • CWE-269

Visit https://fortiguard.com/psirt for more information.
