Resolved issues
The following issues have been fixed in FortiProxy 7.4.12. For inquiries about a particular bug, please contact Customer Service & Support.
| Bug ID | Description |
|---|---|
| 1192922 | iptables cannot match DNS server hosted on loop interface. |
| 1188294 | Transparent-connect policy with service set to ALL incorrectly accepts all non-HTTPS traffic without redirect. |
| 1177408, 1177663, 1181700, 1181736, 1181744, 1181930, 1181958, 1185020, 1187659, 1192982, 1193199, 1194087 | Replacement message issues. |
| 1193761, 1194130 | Inline IPS crash. |
| 1028368, 1177336, 1194732 | Improve ICAP connection pool counting to count overall connections from multiple workers. |
| 1179919 | Fix `ftgd-wf` configuration in "sniff-profile" to match other default profiles. |
| 1185240 | Fix source address added to unknown HTTP header on virtual server. |
| 1190655 | Webfilter service is not enabled when deny policy configured with url-category. |
| 1188619 | HTTPS over SOCKS traffic fails when `inspect-all deep-inspection` is configured. |
| 1188912 | Incorrect and misleading logs for files detected as malware by FortiSandbox. |
| 1180336 | Authentication is not triggered for deny and redirect policy. |
| 1189849, 1187323, 1200523, 1200528, 1202754 | GUI issues. |
| 1166666 | Upper case domain name triggered domain-fronting block on HTTP/1.1. |
| 1178104 | External resource HTTP password cannot be blank when username is set. |
| 1185498, 1189006 | Count file not generated for threat feed external resource. |
| 1168867 | Inconsistent behaviour with authenticated users when the XFF is in the HTTP header and IP-based authentication is enabled in authentication rule. |
| 1203616 | Remove wcs socket console message. |
| 1189440, 1199676, 1200447 | Memory allocation requests exceeding the limit (2 GB) are rejected with no record in the system, making it difficult to diagnose and analyze related issues. |
| 1200594 | After uploading an image to an HA cluster, the active unit responds to ARP requests with the passive unit's MAC address, which leads clients to wrongly connect to the passive unit when trying to access the cluster with the cluster IP. |
| 1200971 | Non-HTTP traffic fails to match address group with "and" logic. |
| 1174407 | external-resource download does not support IPv6 for FQDN. |
| 1200523, 1200528 | FQDN with wildcard is not supported for source address matching. |
| 1199969 | ICAP: WAD keeps crashing with stress traffic. |
| 1200290 | Crash for YouTube player request when the request is blocked. |
| 1160437 | DNS lookup does not work for IPv6. |
| 1198497 | ICAP debug log issues. |
| 1198548 | ICAP response ISTag header content should be quoted-string. |
| 1199135 | The username to be authenticated is not converted to lowercase when username-case-sensitivity is disabled. |
| 1186176 | File download hangs with medium severity IPS sensor. |
| 1197206 | WAD url-lookup fails to find webproxy if the first web-proxy explicit-proxy is invalid. |
| 1018161 | Improve DLP EDM optional field when optional columns are configured in CLI. |
| 1194819 | Crash when printing more than 25 forward servers. |
| 1170853 | No PSU monitoring for FPX-400E. |
| 776013 | Authentication refactor to support multiple authentication requests so as to prevent a race condition. |
| 776013, 1180097 | Authentication refactor to support multiple authentication requests so as to prevent a race condition. |
| 1194046 | When a web-filter blocks a QUIC initial packet, the QUIC CONNECTION_CLOSE frame is returned with an incorrect error code. |
| 1143184 | Policy test does not work on service set on app-service-type app-id. |
| 1178204 | FortiProxy lacks visibility of the performance of a shared traffic shaper. |
| 1202928 | When a video filter profile is configured to block all videos except some YouTube channels, errors may occur with a "no internet" page when loading a video from the allowed channel. |
| 1203968 | Proxy HTTPS traffic bypasses authentication when SSL profile is cert-inspection. |
| 1200107 | Active mode data channel fails to walk through FortiProxy when WAD is kicked in. |
| 915834 | Standby FortiProxy tries reaching out to FortiGuard services through HA port hitting implicit deny rule and spams the forward traffic logs. |
| 1212053 | Entry errors when upgrading FortiProxy on FPX-400E/G/F models due to wrong limits for FPX-400E/G/F models. |
| 1212765 | HTTP-transaction logs show "deny" action while the traffic is allowed with the traffic log showing "allow" action. |
| 1211406 | "Agentforce" chat service on "help.salesforce.com" returns error messages when Appctrl is configured and inline IPS is enabled. |
| 1184023 | IP tables request fails to match policy with mix VIP and virtual server in destination address. |
| 1207802 | DNS resolve failure due to DNS query hash conflict with high traffic volume. |
| 1197688 | FortiSandbox setting in web filter prevents updates to URL list objects from taking effect. |
| 1182981 | SSH matching behaviors against isolate policy are inconsistent under different configurations. It fails to match the desired policy in some cases. |
| 962298, 1195020 | Add support for panic logging on FortiProxy G-series generation 2. |
| 1214773 | Memory leak for web UI LDAP query causing crash or process freezing. |
| 1210950 | Crash in crypto_soft_key_signature_schemes when memory malloc failed. |
| 1188271 | HTTPS is deep scanned silently when it matches a shaping policy with group configured. |
| 1210657 | ICAP client should compress multiple cookie headers when converting H2 to H1 for ICAP request. |
| 1215809 | Maximum seats change for VM04, FPX-2000G, and FPX-4000G. |
| 1214773, 1215764 | Unable to add remote LDAP user to FortiProxy while user group addition works normally. |
| 1215438 | HTTPS traffic does not trigger authentication challenge when passing through forward proxy Internet. |
| 1216319 | Web filter returns error-block when FortiGuard category resolution fails. |
| 1192737 | FPX-2000G and FPX-4000G generation 2 UID buttons are non-functional. |
| 1216128 | Failure in matching URL list with external resource URL feed. |
| 1219846 | Crash when ZTNA TCP forwarding destination is configured as FQDN. |
| 1198336 | Setting up SF-Root HA A/P cluster and the HA widget shows a negative value for uptime with state changed. |
| 1219335 | http3 does not jump to captive portal for cookie authentication. |
| 1219314 | HTTP/2 server stream statistics are not displayed in WAD stats output. |
| 1220427 | FortiProxy only removes the first header from the HTTP response when multiple HTTP-predefined headers are configured to be removed from response in the web-proxy.profile entry. |
| 1183724 | Stream scan detects eicar as "FSA/RISK_MALICIOUS" while analytics-db is disabled. |
| 1219985 | FortiProxy fails to cache object with pnc no-cache indicated even with ignore-pnc set to enable. |
| 1214555 | Forticron process crashes when too many failed connections occur when fetching external resources. |
| 1215282 | FortiProxy transparent policy does not pass traffic when both schedule "none" and webfilter-profile exist in the policy. |
| 1217944 | Aggregate interface cannot be created in global scope. |
| 1220551 | Reports of nonsense sensor values. |
| 1222790 | The DLP signature database is not updated for HA Active-Passive clusters. |
| 1225781 | Improper bounds check leading to overflow if crashlog is longer than 128 lines. |
| 1222972 | tcp-random-srcport setting does not take effect after reboot. |
| 1186225 | Microsoft Outlook certificate errors after FortiProxy upgrade. |
| 1226770, 1218198 | WAD crash at wad_http_scan_unexpected(). |

Common vulnerabilities and exposures
FortiProxy 7.4.12 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE reference |
|---|---|
| 1081024 | |
| 1119207 | |
| 1081024 | |