Resolved issues
The following issues have been fixed in FortiProxy 7.4.3. For inquiries about a particular bug, please contact Customer Service & Support.
| Bug ID | Description |
|---|---|
| 985560 | Application IDs do not show up in CLI. |
| 972058 | Proxy inline IPS service should be "HTTPS" instead of "https" in IPS log for HTTPS traffic. |
| 985686 | OpenSSL fails to encrypt and decrypt VD licenses. |
| 982273 | Certificate authentication group information query fails. |
| 982883 | Attack traffic for inline IPS cannot be exempted if the src-ip/dst-ip set for both directions are in the exempt-ip list. |
| 982015 | IP addresses are removed after factory reset when more than 4 ports are configured. |
| 968509, 968524 | Raw data and attack context are missing from inline IPS log. |
| 985198 | IP address threat feed connection status indicates "Other Error". |
| 955481, 983897 | When fast-policy-match is enabled, traffic is matched to wrong policy during a specific period of time. |
| 980527 | CLI should not allow the FTP protocol in config web-proxy isolator-server. |
| 980994 | External-resource types other than address and domain are not filtered out for firewall.policy.dstaddr6 and srcaddr6. |
| 977734 | Access to secondary unit is not granted when you use the SVI interface for management in HA. |
| 979936 | When configuring ipv6 addresses in the CLI, all types of external-resource for ipv6 address are listed. Only the external-resources of type "domain" and "address" should be listed. |
| 986971 | WAD crash on wad_secure_webproxy_ssl_set. |
| 982669 | IPS filter type protocol does not detect matched signature and bypass traffic with proxy inline-ips enabled. |
| 948042 | Failed to create VDOM with a name longer than 11 characters in the CLI when long-vdom-name is enabled. |
| 984179, 984948 | Application Control profile does not work on non-root VDOM. |
| 988098 | Crash during smtp-over-http. |
| 983920 | Policy with dnat vip is denied when log-http-transaction is set to "all". |
| 976775 | When policy based routing is configured and traffic is redirected to WAD, traffic from the FortiProxy back to the client is routed via static routing. |
| 980297 | GUI shows empty remote groups while CLI configuration shows the correct remote group configuration. |
| 980702 | URL rating lookup does not support valid URLs with forward slash. |
| 987777 | Policy ID is not available for disabled policies in the FortiProxy GUI. |
| 974938 | Remove references to unsupported features in FortiProxy log IDs. |
| 978473, 982156 | URL local/user category rating result shows only one best match category but not the other matched local/user categories configured in the profile. |
| 945197 | Configuration value of the interface IP address should not be synced within a FortiProxy HA cluster on Azure. |
| 982637 | Cannot start a capture in a non-root VDOM. |
| 985485 | FortiProxy interface does not respond when HA has multiple vclusters. |
| 947928 | In Policy & Objects > Proxy Auth Settings, you cannot unset a CA certificate once it is set. |
| 964747 | No method legend in User Monitor widget. |
| 990142 | Interfaces with no members are allowed to be aggregated in GUI. |
| 773815, 988544 | AD group cache update issue. |
| 986806 | Crash in WAD user-info process. |
| 988402 | Cannot use HA reserved management interface to send log to FortiAnalyzer. |
| 982614 | Anti-virus incorrectly blocks the upload of good Excel files to OneDrive with corrupted archive error. |
| 989515 | Crash on building fast match table when the source interface is configured with an empty system zone. |
| 967538 | Traffic that should get IPS scanned passes through when IPS is out of service. |
| 985374 | HA is out of sync after automatic reboot. |
| 981069, 981546 | ICAP is unable to bypass when ICAP remote server is offline and health-monitor is disabled. |
| 987387 | On a non-root VDOM with multiple explicit-web entries, changes to policies are not applied properly. |
| 981193 | FortiProxy does not send authentication request after proxy-re-authentication-time is passed. |
| 972919 | Buffer overflow and format string vulnerabilities. |
| 992186 | Packet capture warning message is irrelevant and confusing. |
| 986713 | Config restore takes the device into system maintenance mode and makes it inaccessible. |
| 989621 | utmref is missing in forward traffic logs with http transaction log enabled. |
| 977905 | AV proxy profile causes issues with SMB access. |
| 990161 | HA secondary acts like primary in vcluster1 after the switch of primary and secondary in vcluster2. |
| 983371 | WAD procmgr hangs on waitpid. |
| 977645 | Incorrect output when viewing FortiView Proxy Policy with source set to FortiAnalyzer. |
| 991641 | Unable to save changes to shaping policy when dstaddr6 is set to be an IPv6 FQDN address with wildcard (*). |
| 993581 | GUI DLP rules ID duplicate issue when you delete one and add another. |
| 993799 | Remove Fabric Overlay Orchestrator from GUI. |
| 993597 | WAD crashes when user LDAP server is configured. |
| 915834 | HA active-passive flip: standby FortiProxy tries to reach out to FortiGuard services through HA port. |
| 987687 | "Can not create query" error while deleting VDOMs. |
| 988015, 992933 | "sysctl ifconfig" does not work when the interface belongs to a non-root VDOM. |
| 989798 | Out-of-bounds write in SSL VPN. |
| 983298 | Forward logs for non-root VDOM are only visible in root VDOM. |
| 992167 | Providing an invalid client certificate during certificate authentication can create a redirection loop. |
| 989784 | Access to other users' bookmarks in SSL VPN web mode. |
| 988016 | Aggregate interface is not initialized on startup when the aggregate is in a non-root VDOM. |
| 982716 | False warning "unresovled FQDN" for all FQDN addresses other than wildcard FQDN. |
| 956570, 975752, 990586, 991059 | Inline CASB UTM log issues. |
| 980924, 983161 | Inline CASB upgrade issues. |
| 993080 | Irrelevant fields in the VDOM configuration window in GUI. |
| 989660, 989668 | rawdataid/rawdata, forwardedfor, and trueclntip are missing from inline IPS utm log. |
| 983856 | "unknown-1" is listed in FortiView proxy applications tab. |
| 985902, 987198, 987298, 987310, 988250 | Inline CASB CLI bug fixes. |
| 993108 | CLI hangs after you delete a VDOM from the CLI. |
| 994230 | WAD crashes when SOCKS request fails to connect to LDAP server. |
| 995622 | SOCKS request is unable to match web-proxy entity in auth rule and WAD crashes. |
| 985557 | HA in transparent mode fails to form due to dropped ARP requests. |
| 979908 | No validation for source interface field for "ssh-tunnel" type policy in GUI. |
| 997177 | FortiProxy GUI cannot display ICAP log. |
| 992245 | FQDN ipset is not populated after the captive portal configuration changes from IP to FQDN. |
| 989694 | ICAP secure server with webfilter crashes on the first request. |
| 977530 | HTTPS over locally resolved SOCKS webfilter not working. |
| 992599 | UTM action and count information is missing in http-transaction-log for HTTPS request when tp-policy is certificate-inspect. |
| 992853 | After matching an url-match in SOCKS proxy forwarding, the original IP rather than the fw_server ip is used to get the interface for policy matching. |
| 979219 | FortiProxy A/A cluster with VDOMs drop packets. |
| 981211 | Global system default settings for TLS 1.2 are not applied upon LDAP connection to domain controller. |
| 990257 | Forward message sends the cookie header with original length but corrupted data. |
| 998086 | New CASB entries are not created on non-root VDOM during CASB DB upgrade. |
| 998488 | worker.tcp fails in "diag wad stats". |
| 999050 | Certificate tab keeps loading the certificate is selected. |
| 997336 | Cannot establish FSSO connection from FortiProxy VDOMs. |
| 997001 | External resource cannot update for IPv6 hosts. |
| 975685 | FortiProxy 400E possible WAD memory leak. |
| 996012, 997905 | SOCKS policy match does not support url-list dstaddr type. |
| 959421 | Cannot download files with a size of more than 5 MB via FPX with SSL deep inspection and DLP profile enabled. |
| 997868 | Error during auth TLS for FTP service. |
| 992632 | Inline CASB log is missing policytype field. |
| 995824 | Counter value returns 0 for non-root interface when polling via SNMP. |
| 994749 | URL filter fails to block transparent HTTPS traffic with IP hostname. |
| 868634 | Bypass of root file system integrity checks at boot time. |
| 993166 | When managed by FortiManager, HA-mode FortiProxy triggers an auto update every 30 minutes. |
| 999664 | Unable to allow the connections to match existing configured policy. |
| 923920 | ICAP 204-response is not shown correctly and cannot be edited in GUI. |
| 986713 | After configuration restore, the device changes to system maintenance mode and becomes inaccessible. |
| 993506 | Remove CLI for in band HA management, which is not supported by FortiProxy. |
| 975759 | When multiple control options are taking action in inline CASB, only the first action generates a UTM log. |

FortiNBI
The following issues have been fixed in FortiNBI. For inquiries about a particular bug, please contact Customer Service & Support.
| Bug ID | Description |
|---|---|
| 886077, 930915, 934251, 956123, 959594, 962908, 977250, 979177, 993669, 989676, 996544, 996542, 988642 | FortiNBI bug fixes. |
| 959232 | Crash when downloading the FortiNBI installer. |
| 959263 | FortiNBI rating error and all pages are broken in the FortiNBI application. |
| N/A | Log collection fails if the isolator is not installed. |
| N/A | Instability issues caused by isolator state tracking. |
| N/A | Isolator download timeout is too long. |
| N/A | Service states are not accurate in edge scenarios during restart. |
| N/A | GUI is unavailable due to a broken link to Windows App SDK. |
| N/A | No timeout when task fails to start repeatedly. |

Common vulnerabilities and exposures
FortiProxy 7.4.3 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE reference |
|---|---|
| 985058 | |
| 985049 | |
| 989784 | |
| 989798 | |
| 993863 | |
| 868634 | |
| 993863 | |
| 985058 | |
| 1004206 | |
| 1002197 | |