Resolved issues

The following issues have been fixed in FortiProxy 7.0.9. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description

871559 The command "exec bypass-mode enable/disable" is not functional.
875832 DoH server crashes when connecting to port 443 for GUI.
756345 In certain circumstances, such as after booting, vd->policy_conf_gen lags behind g_wad.policy_generation, causing a logic failure that leads to conflict with IANA protocol numbers.
796510 When all servers in a forward server group go down, traffic through the group is forwarded to the original destination directly even if down-option is set to `block`.
807982 Disable group profile with DNS Filter in proxy-policy.
812888 When a client sends an HTTP/1.0 request, FortiProxy's forwarded response is always HTTP/1.1. Furthermore, if the server's response has chunked encoding, then FPX does not remove chunked encoding before forwarding the response to the client.
822829 FortiProxy does not have a default policy for FTP. When a client tries to access an FTPS server, ses_ctx->sec_profile is none in wad_ftp_on_auth_cmd(), which causes a crash.
825977 Fix crash on avscan submission error due to double close.

828194 SSLVPN stops passing traffic after some time.
831069 Blank page displayed after login to back-end server in SSLVPN web mode.
842517 Adding a local user to a group containing a lot of users causes delay on GUI and CLI due to cmdbsvr (high CPU).
843318 WAD worker may crash with signal 11 if the request header contains "Cache-Control: only-if-cached".

851581 Change FortiView shaper monitor to show real-time information.
854115 ssh-policy-check results in TP policy being ignored.
855882 Memory leak due to a typo in the calloc API.
857368 After upgrading to 7.0.8, WAD crashes with signal 11 (wad_hpack), which is caused by a stack-allocated buffer overflow.
857632 wad http2 hpack parsing error in an edge case.
859013 Debug daemon may get stuck and cause Web GUI to load slowly.
860190 A tp-policy without any ssh related UTM will fail to redirect to check ssh-policies.

863317 Fix GUI issue about FortiSandbox on the AntiVirus profile configuration page.
863855 Lack of certificate verification when establishing secure connections with fabric devices.

865135 Multipart boundary parsing failed with CRLF before the end of boundary1.
867005 Sending traffic to icap client using icap secure results in "502 Bad Gateway".

868250 No monitoring for disk access. Difficult to trace what causes frequent disk access.
868666 Improper use of snprintf to write into a buffer.
868782 Change the default value formula of config.system.global.conntrack to be memory-size-based.
869120 Fix wad crashes when loading or updating policy configuration.
869267 config-sync cluster is not able to sync with NTP server using dedicated mgmt interfaces.

869359 Azure Auto-scale HA shows certificate error in secondary.

869578 When solving eicar evasion problem, status code 1xx and 204/304 are handled together rather than separately.
869700 wad crash at wad_h2_proc_data when icap blocks the traffic.
869923 DNS filter not taking effect for DoT traffic.

870099 LDAP cache was not updated properly after the user group changed in Active Directory server.
870764 In wad_ftp_tp_cancel, wad deletes the session context lease after the session is closed.
871449 WAD crashes on policy testing when test request destination is IP and port.
872358 The logout option does not work when "Keep-alive" authentication is enabled.

872366 "Insert empty policy" in GUI copies some fields from the parent policy instead of inserting a blank policy.
872368 Failed to save changes while adding a user as source in a policy using quick edit.
872617 SWG SSO shows "Firewall Authentication" failure on endpoint, which is caused by infinite redirects.

872685 When adding user objects to source field in a policy, the user objects are not highlighted.

872721 HA role is not updated on Web UI status bar.
872931 'diag sys session list' fails to list all sessions.
872950 wad_scan module is closed in wad_scan_handle_scan_results, which causes a crash.

873031 Web UI firmware upgrade option is not available.

873369 HA fails to sync on KVM multicast HA when interface is virtio.
873458 Add forward server status update in passive mode for transparent traffic.
873851 When you create a new vdom, wad_ui_prefetch_vd_init and wad_ui_reverse_cache_server_vd_init are not called and the linked list is not initialized, which results in a crash while traversing the linked list.
874563 Crash and compile error due to implementation or coding error.

874711 Explicit Proxy Traffic only has Policy ID recorded without the policy name on Web UI.
874989 Support multiple 'Server' headers to fix website login issues.
875170 Cannot view more than 500 lines under Log & Report > Forward Traffic on FortiProxy-2000E.

875175 Requests from local non-domain LDAP users are denied by the explicit firewall policy.
875485 Log all socks traffic as https transaction and show domain name in "hostname" and "url" for FQDN requests.

876758 SSH key is added even if operation is aborted.

877128 ZTNA SAML portal or auth portal cannot handle CORS preflight because it does not take the CORS preflight request into consideration after matching the (saml/auth) gateway.
877230 If an HB interface is disabled and enabled on a unit, the respective unit will never join the cluster unless it is restarted.
877774 psv_tm prints the wrong time in diagnose command.
878298 If the memory usage is out of control, the appending request is added to a 'hold-list' for a while to apply flow-control to the worker. The request might not be removed from the list properly for some corner cases.
878386 Add upgrade code to retain firewall policy's ssl-ssh-profile on upgrade from FortiProxy 2.0 to 7.0.
878587 HA role in the list page is not consistent with the detail page.

878782 PAC configuration issue.

878863 Forward server group log only works when load-balance algorithm (ldb-method) is `weighted`.
880092 icap server hangs when icap secure is enabled.
880205 Fix firewall policy schedule with year later than 2038.
880479 Fix debug daemon crash when session is not found, which usually happens when CLI or worker exits before the request is done.

881208 Fix masquerade 'disable' in transparent policy which causes traffic failure.
881499 Icap client crashed on wad_conn_pool_conn error.
881693 Fix SSL/SSH Inspection profile visible issue.
882475 Domain user suffix extracted from krb ticket not matching what's shown in diag wad user list.
883170 Cached object is corrupted and client keeps resending request with token.
378251, 860859 Fix nf_conntrack_expect's reference for master conntrack to avoid leaks.
802564, 881341 forticron crash when restoring vdom configuration.
843288, 874159 No endpoint information is found when accessing ZTNA application FUSE.
874049, 860282 SSLVPN crashes when using webmode access.
877873, 877875 When new hatalk is launched, ha_clear_state() is called to reset some shared memory information which could be accessed by hatalk.
880624, 881471 Fix unpopulated ipset when FQDN dstaddr is specified.
845698, 857358, 866735 Google Cloud - When ha_filtered is called on slave's receiving, some packets are dropped as IP header is not correct.
861343, 863428, 870022 Fix policy hit counts not shown in GUI policy list and diag command.
870846, 871239, 871587 FPX hardware models do not update CMOS time correctly.
881553, 882350, 882403 Fix some GUI issues.

Common vulnerabilities and exposures

FortiProxy 7.0.9 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.

Bug ID CVE reference
845848 CVE-2022-41329
874761 CVE-2023-25610
874049 CVE-2023-33307
843318 CVE-2023-41675
