Resolved issues
The following issues have been fixed in FortiProxy 7.6.6. For inquiries about a particular bug, please contact Customer Service & Support.
| Bug ID | Description |
|---|---|
| 1203968 | Proxy HTTPS traffic bypasses authentication when SSL profile is cert-inspection. |
| 1202644 | Wildcard FQDN should not be allowed as source address in authentication rule. |
| 1203616 | Remove wcs socket console message. |
| 1174407 | external-resource download does not support IPv6 for FQDN. |
| 1206970 | ZTNA Web Portal crash when using ZTNA Web Portal and visit web bookmark then visit RDP. |
| 962298, 1195020 | Add support for panic logging on FortiProxy G-series generation 2. |
| 1194046 | When a web-filter blocks a QUIC initial packet, the QUIC CONNECTION_CLOSE frame is returned with an incorrect error code. |
| 1187323, 1195493, 1200523, 1200528, 1207608, 1247091, 1247617, 1247662 | GUI issues. |
| 1197589 | Explicit web HTTPS traffic fails to match policy if |
| 1143184 | Policy test does not work on service set on app-service-type app-id. |
| 1178204 | FortiProxy lacks visibility of the performance of a shared traffic shaper. |
| 1205399 | FortiClient TCP forwarding times out when destination is configured as FQDN. |
| 1202928 | When a video filter profile is configured to block all videos except some YouTube channels, errors may occur with a "no internet" page when loading a video from the allowed channel. |
| 1209116 | Empty config in user group when creating remote SAML user account from GUI. |
| 1212010 | SAML idp-entity-id on GUI does not accept HTTP. |
| 1211319 | URLFilter regex pattern with perl style regex flags (e.g. /goo.*/gm) does not work after upgrade. |
| 1210950 | Crash in crypto_soft_key_signature_schemes when memory malloc failed. |
| 1212765 | HTTP-transaction logs show "deny" action while the traffic is allowed with the traffic log showing "allow" action. |
| 1212053 | Entry errors when upgrading FortiProxy on FPX-400E/G/F models due to wrong limits for FPX-400E/G/F models. |
| 1211406 | "Agentforce" chat service on "help.salesforce.com" returns error messages when Appctrl is configured and inline IPS is enabled. |
| 1197688 | FortiSandbox setting in web filter prevents updates to URL list objects from taking effect. |
| 1199969 | ICAP: WAD keeps crashing with stress traffic. |
| 1203869 | Inline IPS performance issue with all-zero 44k HTTPS file. |
| 1214773 | Memory leak for web UI LDAP query causing crash or process freezing. |
| 1216034 | In config-sync HA mode, the primary shows as secondary. |
| 1211845 | TLS 1.3 and newer IANA-registered alerts are displayed as unknown with no numeric alert ID in WAD logs. |
| 1215948 | LLM proxy session hangs when the HTTP request does not have a valid body. |
| 1188271 | HTTPS is deep scanned silently when it matches a shaping policy with group configured. |
| 1210657 | ICAP client should compress multiple cookie headers when converting H2 to H1 for ICAP request. |
| 1214555 | Forticron process crashes when too many failed connections occur when fetching external resources. |
| 1219314 | HTTP/2 server stream statistics are not displayed in WAD stats output. |
| 1220427 | FortiProxy only removes the first header from the HTTP response when multiple HTTP-predefined headers are configured to be removed from response in the web-proxy.profile entry. |
| 1210356 | Unable to create shaping profile on top of interface config. |
| 1217947 | Failure in adding VLAN interface in kernel. |
| 1217944 | Aggregate interface cannot be created in global scope. |
| 1183724 | Stream scan detects eicar as "FSA/RISK_MALICIOUS" while analytics-db is disabled. |
| 1219985 | FortiProxy fails to cache object with pnc no-cache indicated even with ignore-pnc set to enable. |
| 1198336 | Setting up SF-Root HA A/P cluster and the HA widget shows a negative value for uptime with state changed. |
| 1219335 | http3 does not jump to captive portal for cookie authentication. |
| 1214773, 1215764 | Unable to add remote LDAP user to FortiProxy while user group addition works normally. |
| 1215809 | Maximum seats change for VM04, FPX-2000G, and FPX-4000G. |
| 1215282 | FortiProxy transparent policy does not pass traffic when both schedule "none" and webfilter-profile exist in the policy. |
| 1216319 | Web filter returns error-block when FortiGuard category resolution fails. |
| 1214267 | Performance issue for large file upload with http form. |
| 1215438, 1210696 | HTTPS traffic does not trigger authentication challenge when passing through forward proxy Internet. |
| 1216128 | Failure in matching URL list with external resource URL feed. |
| 1192737 | FPX-2000G and FPX-4000G generation 2 UID buttons are non-functional. |
| 1215797 | HA Status Widget shows negative value for uptime and state changed. |
| 1104818 | WAD crashes when FTP establishes passive data channel without snat and ips configured. |
| 1226755 | FortiProxy fails FortiGuard updates if it has CIDB001 license and FortiManager acting as a FDS. |
| 1210702 | Replacement message should always be sent if deep inspection is configured in the matched policy even if SSL-exempt is true. |
| 1213796, 1214768, 1221476 | CMDB crashes. |
| 1226770, 1218198 | WAD crash at wad_http_scan_unexpected(). |
| 1225436 | FortiProxy scheduled update failure with multiple log events "FortiProxy update failed". |
| 1222972 | tcp-random-srcport setting does not take effect after reboot. |
| 1223054 | Cannot connect to FortiSandbox when "Verify FortiSandbox Certificate" is enabled. |
| 1223145 | SAML authentication fails when user-database is configured in the SAML authentication scheme. |
| 1224090 | "TLS Internal Error" when a TLS client sends ClientHello with an empty supported_group to FortiProxy TLS Server (like secure web proxy). |
| 1223712 | ICAP secure server does not support TLS1.2+DHE cipher. |
| 1194462 | GUI sensor view widget is unavailable. |
| 1223615 | Connection to ICAP secure server with TLS 1.3 fails. |
| 1218507 | SAML authentication cannot proceed when captive-portal-ssl-port is set to 443. |
| 1186225 | Microsoft Outlook certificate errors after FortiProxy upgrade. |
| 1220573 | FortiProxy SAML SSO login failed with Azure. |
| 1220551 | Reports of nonsense sensor values. |
| 1214466 | Intermittent traffic via FortiProxy throws 403 Forbidden error. |
| 1224937 | Restoring configuration by VDOM causes static entries of proxy-address to lose host-regex. |
| 1213247 | 504 Gateway Timeout error when accessing full mode HTTPS virtual server. |
| 1228242 | Captive portal does not support ECDSA cert + TLS 1.2 Client. |
| 1224024 | FortiGuard Web Filtering categories do not work in ICAP server. |
| 1226921 | Incorrect length of resulting formatted JSON text output. |
| 1226782 | HTTP/2 error when LLM profile prompt size is too small. |
| 1213758 | Crash when forward server is enabled and health check is enabled. |
| 1223406 | Connection to websites with redirection is slow. |
| 1222883 | Enabling "certificate inspection" on a policy breaks traffic and causes browser certificate error. |
| 1226848 | Toggling FortiSandbox status causes the blocklist option to unset after FortiProxy upgrade. |
| 1224684 | ICAP server configuration should not be allowed to be saved when address type is FQDN but no FQDN is set. |
| 1223904 | Error "Access Denied - The maximum web proxy user limit has been reached" while the limit of licenses is not reached. |
| 1228552 | The “compile took” value in diag wad deb ips-db status is incorrect. |
| 1199626, 1232099 | Unable to access the website after successful SAML authorization when using ZTNA TCP forwarding. |
| 1229572, 1230697, 1230682 | Rule is missing for policy when address contains proxy-address with host=all. |
| 1226834 | transparent-connect policies have higher priority than ZTNA access policies, which should not be the case. |
| 1232934 | After successful deployment on OCI, the FortiProxy OCI instance can be accessed through the OCI cloud platform console but FortiProxy service is not accessible externally. |
| 1232764 | wad crashed with signal 11 at wad_port_fwd_peer_shutdown. |
| 1225658 | Web filter cannot block host in HTTP header if SSL has no SNI. |
| 1090202 | DoH/DoT client does not verify server certificate in TLS 1.3. |
| 1210941 | Cannot choose IPv6 address pool in explicit proxy policy. |
| 1232659 | "HTTP 500 Internal Error" when DLP profile is applied to the ICAP local server. |
| 1233437 | No TLS downgrade protection. |
| 1233755 | Scanunit crash in fg_hs_realloc when using DLP. |
| 1230902 | Packet sniffer under a non-root VDOM captures and shows the packets on root VDOM. |
| 1093617 | Move nethsm certificate from "vpn certificate local" to "vpn certificate hsm-local". |
| 1213836 | FortiView sources do not include all sessions in aggregated results. |
| 1233964 | Inline IPS should be disabled by default. |
| 1235057 | The transparent policy traffic matches a policy with a mismatching schedule. |
| 1233086 | Invalid read due to type confusion in wad_h2_ses. |
| 1182776 | Missing result check for wad_str_copy_str in wad_http_parse_hostinfo. |
| 1232661 | Improve policy test GUI/CLI usability by normalizing HTTP request header input. |
| 1236592 | WAD fails to return replacement message when tp fwd_svr is down and ssl is deep-inspection. |
| 1193993, 1194125, 1194197, 1218082 | WAD memory chaos fixes. |
| 1235968 | "diag wad filter process-type" does not work as expected. |
| 1232698 | Antiphish does not block usernames containing the "." character. |
| 1226196 | HTTP transaction log shows IP instead of URL/hostname on early request close. |
| 1120494 | Unauthorized traffic bypassing authentication on virtual server. |
| 1238298 | "diag sys link-monitor" does not work on non-root VDOM. |
| 1215764 | GUI-only interfaces of root VDOM are shown on GUI regardless of which VDOM is selected. |
| 1240478 | TACACS+ authentication does not use HA-direct interface in an active-passive cluster. |
| 1241868 | FPX_2000G Gen2 hardware keeps rebooting and formatting HD2 disk. |
| 1230642 | Key share mismatch error message against tls1.3 with ecdsa certificate in server load balance type VIP. |
| 1239501 | DLP profile rules discrepancy between GUI and CLI. |
| 1233331 | Incorrect GUI behavior logic for Web Authentication Cookies button. |
| 1242892 | Certificate authentication fails when set ldap-user-cache enable. |
| 1224664 | ZTNA portal RDS websocket should implement maximum frame sizes per protocol on FortiProxy. |
| 1243698 | HTTPS does not redirect for deep-inspection. |
| 1237357 | Proxy rule not matching if host-regex type address value is more than 40 characters. |
| 1242183 | FortiProxy fails to route replies to FortiProxy-originated traffic back to itself. |
| 1244035 | Wanopt server failed to establish tunnel. |
| 1244480 | WAD crashes when accessing HTTP/3 website with FSSO enabled. |
| 1213283, 1243580 | Web cache-related crashes. |
| 1245976 | Kernel-only traffic does not SNAT to IP pool. |
| 1243552 | heap-use-after-free is detected @wad_timer_list_renew. |
| 1245769 | Access-proxy traffic is rejected by redirect filter. |
| 1234160 | Incorrect formatted printing of array in JSON parser. |
| 1245586 | Deny policy fails to block FTP request. |
| 1242590 | No event log is generated when an external resource is updated and the downloaded item is within the limit after an overflow. |
| 1175553 | Unexpected "no route" error returned by policy lookup when no policy matches. |
| 1223433, 1223447, 1236782, 1237405 | ICAP client health check and status issues after boot. |
| 1232296 | FortiProxy-400E shows abnormal PSU voltage value. |
| 1249069 | Error with WAD when running debug command "dia wad worker ut". |
| 1249419 | App signature and group are not correctly created or displayed on GUI in non-root VDOM. |