Resolved issues
The following issues have been fixed in FortiProxy 7.4.14. For inquiries about a particular bug, please contact Customer Service & Support.
| Bug ID | Description |
|---|---|
| 1222883 | Enabling "certificate inspection" on a policy breaks traffic and causes browser certificate error. |
| 1226848, 1227043 | Toggling FortiSandbox status causes the blocklist option to unset after FortiProxy upgrade. |
| 1224024 | FortiGuard Web Filtering categories do not work in ICAP server. |
| 1224684 | ICAP server configuration should not be allowed to be saved when address type is FQDN but no FQDN is set. |
| 1214466 | Intermittent traffic via FortiProxy throws 403 Forbidden error. |
| 1224937 | Restoring configuration by VDOM causes static entries of proxy-address to lose host-regex. |
| 1213247 | 504 Gateway Timeout error when accessing full mode HTTPS virtual server. |
| 1228242 | Captive portal does not support ECDSA cert + TLS 1.2 Client. |
| 1134552, 1226921 | Incorrect length of resulting formatted JSON text output. |
| 1213796, 1214768, 1221476 | CMDB crashes. |
| 1210702 | Replacement message should always be sent if deep inspection is configured in the matched policy even if SSL-exempt is true. |
| 1223406 | Connection to websites with redirection is slow. |
| 1225436 | FortiProxy scheduled update failure with multiple log events "FortiProxy update failed". |
| 1223145 | SAML authentication fails when user-database is configured in the SAML authentication scheme. |
| 1223615 | Connection to ICAP secure server with TLS 1.3 fails. |
| 1223712 | ICAP secure server does not support TLS1.2+DHE cipher. |
| 1218507 | SAML authentication cannot proceed when captive-portal-ssl-port is set to 443. |
| 1220573 | FortiProxy SAML SSO login failed with Azure. |
| 1236592 | WAD fails to return replacement message when tp fwd_svr is down and ssl is deep-inspection. |
| 1235968 | "diag wad filter process-type" does not work as expected. |
| 1232698 | Antiphish does not block usernames containing the "." character. |
| 1226196 | HTTP transaction log shows IP instead of URL/hostname on early request close. |
| 1232661 | Improve policy test GUI/CLI usability by normalizing HTTP request header input. |
| 1233964 | Inline IPS should be disabled by default. |
| 1232659 | "HTTP 500 Internal Error" when DLP profile is applied to the ICAP local server. |
| 1210941 | Cannot choose IPv6 address pool in explicit proxy policy. |
| 1213836 | FortiView sources do not include all sessions in aggregated results. |
| 1233437 | No TLS downgrade protection. |
| 1225658 | Web filter cannot block host in HTTP header if SSL has no SNI. |
| 900911, 1232764 | wad crashed with signal 11 at wad_port_fwd_peer_shutdown. |
| 1223904 | Error "Access Denied - The maximum web proxy user limit has been reached" while the limit of licenses is not reached. |
| 1242590 | No event log is generated when an external resource is updated and the downloaded item is within the limit after an overflow. |
| 1245586 | Deny policy fails to block FTP request. |
| 1243552 | heap-use-after-free is detected @wad_timer_list_renew. |
| 1234160 | Incorrect formatted printing of array in JSON parser. |
| 1237357 | Proxy rule not matching if host-regex type address value is more than 40 characters. |
| 1240478 | TACACS+ authentication does not use HA-direct interface in an active-passive cluster. |
| 1241868 | FPX_2000G Gen2 hardware keeps rebooting and formatting HD2 disk. |
| 1120494 | Unauthorized traffic bypassing authentication on virtual server. |
| 1215764 | Unable to add remote LDAP user to FortiProxy while user group addition works normally. |
| 1230642 | Key share mismatch error message against tls1.3 with ecdsa certificate in server load balance type VIP. |
| 1232296 | FortiProxy-400E shows abnormal PSU voltage value. |
| 1211668 | Add additional warnings when configuring certificate authentication. |
| 1204371, 1250962, 1260927 | ICAP crash in "wad_hmsg_strm_reset" and chunked error. |
| 1258666 | Policy test should match tp-connect when tp-connect has no inspection. |
| 1249061 | ZTNA HTTP/3 traffic does not pass when using ciphers 0x1301 (ECC-256), 0x1302 (RSA-2048), and ECC-521. |
| 1237516 | Increase header length limit from 4k to 16k for access management of SaaS applications that require longer values. |
| 1234284, 1248324 | Group match cache is not updated when the groups are changed on LDAP server. |
| 1254103, 1256426, 1256564 | Daemon 'wad_algo' crash. |
| 1252671 | ICAP local server resets packet in non-root VDOM. |
| 1214017 | FortiProxy becomes unresponsive after an external threat feed is added with more than 4,000,000 entries. |
| 1223433, 1223447, 1236782, 1237405 | ICAP client health check and status issues after boot. |
| 1251663 | Inline IPS crashes when visiting townscript.com. |
| 1249069 | Error with WAD when running debug command "dia wad worker ut". |
| 1243569 | FortiProxy booted with firewall policy that does not enable webcache. |
| 1244554 | FortiProxy should be able to use non-root VDOM interface to connect to FortiSandbox. |
| 1265039 | “504 Gateway Timeout: remote server did not respond to the proxy.” error after upgrade. |
| 1262480 | GUI freezes and keeps loading LDAP group. |
| 1263851 | SNMP response returns 0 when querying policy-related OID. |
| 1259573 | Unintended subnet added during GUI search. |
| 1250976 | No validation for duplicate explicit-outgoing-ip. |
| 1265395 | The kernel HA primary shown in the CLI does not match the debug zone group primary on the secondary device. |
| 1266880 | The device encounters an issue when connecting to a website with an IP address, as the ephemeral certificate is generated with a DNS type IP address in the SAN instead of an IPADD type. |
| 1196434 | SAML authentication may stop working due to mandatory response signing in SAML auth response verification. An option is needed to allow SAML auth response without response signature while preserving security. |
| 1261184, 1261205 | Authentication failure due to remote server renaming. |
| 1264570 | CLI script is not executed by automation stitch when triggered. |
| 1255325 | When FortiProxy blocks an expired server certificate in VIP, the certificate information does not show CN. |
| 1252947 | Web proxy does not replace or reject existing X-Authenticated-User header from original request. |
| 1256952, 1261976 | No support for TLS1.3 HRR in proxy 1way server. |
| 1224090, 1252573 | Reject deprecated elliptic curves per RFC 8422. |
| 1252221, 1252783, 1255206 | ICAP crash and abort on ICAP server group config flush. |
| 1272393 | Kerberos authenticated user not matching with correct user group. |
| 1202928 | Video filter does not work as expected after YouTube API update. |
| 1254558, 1261311, 1266707 | ICAP remote server FQDN config lost and config update issue. |
| 1273009 | Add explicit-web-proxy name to http-transaction log for proxy traffic. |
| 1272628 | Prevent QUIC socket file descriptor leak during scheduler event teardown. |
| 1252787, 1264976 | A few issues with QUIC. |
| 1262906, 1265904 | When web filter profile is applied in the ICAP server, and when the Action of FortiGuard Web Filtering categories is set to Block, web traffic still passes through the ICAP server. |
| 1251833 | The authentication rule for certificate authentication is lost after upgrade. |
| 1227469, 1257924 | Crash at wad_http_scan_handle_unblock. |
| 1243551 | WAD crashes @wad_http_session_scan_done. |
| 1223904, 1275635 | User access denied when the limit of licenses has not been reached. |
| 1266546 | Prevent saving protocol change for forward server when object is in use. |
| 1254420 | Sporadic errors when browsing sites: "504 DNS lookup failed" when multiple dns proxy instances start to show high CPU utilization. |
| 1266983 | UDP port-forward VIP works for traffic but is not shown correctly in the GUI and does not update policy/log byte counters. |
| 1284868 | WAD crash at wad_ssl_port_caps_initiator_key_shares(). |
| 1282023, 1282589 | HA fails to sync config due to different ssl.root snmp-index if no interface is assigned to ssl.root after deployment. |
| 1278274 | Secondary HA unit becomes inaccessible (GUI/SSH/PING) after failover from primary to secondary. |
| 1277701 | Failure in adding an empty policy by selecting Insert empty policy. |
| 1046504, 1268904 | Various loopback issues including deletion and management. |
| 1286260 | Cannot choose proxy addresses (URL-List type) as destination on Authentication Rules via GUI. |
| 1286767 | The device only checks the first certificate when multiple certificates are defined in an SSL profile in replace mode, causing issues with certificate validation. |
| 1287642 | TLS 1.2 secure renegotiation fails with handshake failure when reusing session ticket. |
| 1207834 | Remove table size enforcement changes due to large decreases in table size. |
| 1286238 | port7 and port8 do not detect 1G SFP FN-TRAN-SX. |
| 1277552 | LDAP cache: user entry is not removed when user object is deleted on the domain controller. |
| 1276292 | Interface not available on GUI. |
| 1279792, 1280772 | wanopt PSK length truncation issue. |
| 1288916 | External connector search field does not filter results. It only highlights entries. |
| 1051088, 1264398, 1266177, 1268094 | Fix FortiProxy conserve mode and a potential auth dead loop. |
| 1118701, 1289354 | Connection issues for Kentik application using http2 gRPC occur with proxy and deep inspection. |
| 1244480, 1290307 | WAD crashes when accessing HTTP/3 website with FSSO enabled. |
| 1010829 | FortiProxy cannot mount FAT USB drives. |
| 1276400 | Forticron failed to learn dynamic sdn address list config change. |
| 1281302, 1283666, 1288106, 1288118 | ICAP issues. |
| 1124132 | Cloning of access-proxy firewall policies fails in CLI. |
| 1284883, 1291729 | forticldd crash for NULL-terminated buffer issue when handling response from server. |
| 1290852, 1290920 | Crashes in wad_quic_conn_rx_1rtt_pkt and wad_quic_conn_rx_hspkt caused by assigning negative value to unsigned int. |
| 1285943 | Incorrect source IP for deep inspection traffic when client IP header exists only in CONNECT. |
| 1291175, 1291909 | WAD SOCKS and web-proxy fwd-svr related read-block handling issues. |
| 1292129 | Add upgrade code to ensure application matching continues working after upgrade. |
| 1292767 | VLAN interfaces in non-root VDOM are not working. |
| 1098087, 1289354 | HTTP2 traffic with two HEADERS frame cannot pass through policy. |

Common vulnerabilities and exposures
FortiProxy 7.4.14 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE reference |
|---|---|
| 1278217 |