Resolved issues
The following issues have been fixed in FortiProxy 7.4.2. For inquiries about a particular bug, please contact Customer Service & Support.
| Bug ID | Description |
|---|---|
| 759153 | FortiProxy ignores ARP requests to aggregated port with LACP mode set to active or passive. |
| 790426 | WAD crashes at wad_ssl_cache_ssl_redir_server. |
| 806556 | WAD crash at "wad_h2_resume_run". |
| 829691 | WAD application signal 11 crash during SSL Proxy AV HTTPS throughput test. |
| 845361 | WAD crashes at wad_cifs_file_free. |
| 854913 | License widget shows modules that are irrelevant to FortiProxy. |
| 869999 | Order of isolator profile entries cannot be adjusted. |
| 872707 | Search bar is missing in the User Monitor Dashboard. |
| 920401 | Traffic dropped when policy with action "isolate" is added in the configuration. |
| 924398 | FTP passive mode fails to establish data channel via DNAT as the IP/port provided by the server is not translated. |
| 927494 | Web filter logs only one HTTP request from an HTTP connection that includes multiple HTTP requests. |
| 934392 | Upgrade configuration errors. |
| 941390 | In certificate inspection, FortiProxy blocks blocklist certificate with no replacement message. |
| 941531 | Error when saving a shaping policy with the destination interface set to a zone. |
| 945197 | Configuration value of the interface IP address should not be synced within a FortiProxy HA cluster on Azure. |
| 946926 | QUIC connection fails to enter bypass when the server does not issue retry packet. |
| 946944 | WAD stats reset after process crashes. |
| 948257 | Successfully authenticated user is prompted to re-login to Microsoft Edge. |
| 948486 | "dia sys vd stats" does not show VDOM status information. |
| 948498 | Management traffic failed if the management interface is in a non-root VDOM. |
| 949393 | Files exceeding the configured size in DLP sensor still get downloaded. |
| 951108 | Crash at wad_sec_policy_result_free. |
| 952276 | FortiProxy widgets show no statistics for interfaces in non-root VDOMs. |
| 952563 | When forward server is enabled with masquerade disabled and central SNAT map has IP pool enabled, traffic still goes to the forward server using a masquerade address instead of the IP pool address. |
| 952694 | FortiProxy-4000E scanunit daemon crashes continuously at load_SearchFile. |
| 953240 | Memory leak on ICAP forward headers. |
| 953727 | Inline CASB custom control option configuration is missing. |
| 954248 | ICAP local server hostname is not shown correctly in DLP log when you use ICAP local server with DLP profile. |
| 954402 | config-error-log errors when loading CASB.profile configuration due to incorrect handling of the CASB DB deleted entries. |
| 954541 | In WANOPT transparent mode, WAN optimization does not keep the original source address of the packets. |
| 954642 | Redirect errors during ZTNA SAML authentication. |
| 954913 | CSF preferred seat should be capped at model max to prevent misconfiguration. |
| 955517 | The interface in non-management VDOMs cannot send out ARP. |
| 956493 | Number of events exceeds limit and bytes are dropped in traffic shaping. |
| 956495 | Webfilter log shows wrong category description. |
| 957580 | cloudinit crashes when reading "User Data" (e.g. lic file) during FortiProxy AWS deployment. |
| 958051 | Potential memory leaks and crashes. |
| 958922 | Wrong policy match when URL list is set as destination. |
| 959204 | WAD crash when using load balancing with SSL offloading. |
| 959421 | Cannot download files with a size greater than 5 MB via FortiProxy with SSL deep inspection and DLP profile enabled. |
| 959498 | All traffic transactions are unsuccessful in proxy AV and IPS HTTP throughput test. |
| 959608 | Failed to build vimeo-app with inline CASB. |
| 959998 | HA secondary device keeps rebooting when it has a different disk usage set for the first disk than the primary and the configuration to be synced is massive. |
| 960182 | Remove some unused options for creating a new isolator profile. |
| 960604 | admin-server-cert configuration should not be synced in config-sync cluster. |
| 960677 | HTTP transaction log does not have category information and drops logs sometimes. |
| 960923 | Error "Can not create query" occurs when you set ha-direct enable in CLI. |
| 961454 | User ldap group cache is not updated in time as the timer. |
| 961488 | VPN user IP spoofing. |
| 961688 | Crash in IP tables generation due to invalid shaping policy configuration. |
| 962137 | HTTP CONNECT requests should not be redirected during cert-based authentication. |
| 962816 | Cannot delete disabled customized SaaS applications from inline CASB profile. |
| 963085 | Forticron crash causing external threat feed not to refresh or fetch new information. |
| 963418 | File name is missing in oversized file blocking replacement messages. |
| 964134 | FortiProxy should not allow a combination of FTP and other protocols during forward server configuration. |
| 964146 | Issues with forward server "Health Monitor" configuration option for different protocols. |
| 965226 | File types configured as blocked can still be downloaded from web mail. |
| 965254 | FortiProxy uses interface IP instead of IP pool setting when multiple IP pools are configured on the firewall policy. |
| 965642 | No default certificate for firewall ssl-server entries. |
| 966238 | Restore image crash. |
| 966459 | WAD memory leak during stress testing. |
| 966597 | Number of proxy/UTM sessions does not reflect actual usage. |
| 966602 | Log fields "filename" and "clouduser" are missing for cloud DAC signatures after enabling the proxy inline IPS. |
| 966647 | Video filter cannot obtain channel ID. |
| 966780 | Inline IPS is rebuilt on reboot or upgrade, causing high CPU usage. |
| 967025, 966827, 968848, 967049, 967029, 966956, 968971, 968938, 968994, 966973 | Issues with inline CASB. |
| 967177 | Oversize limit does not work correctly. |
| 967488 | Unable to configure GRE tunnel. |
| 967522 | Block page displays the name of the content of the zip file instead of the actual zip file name. |
| 967528 | Crash at http3/wad_qpack when HTTP header value is empty. |
| 967579 | Per-IP traffic shaper does not function when the shaping policy's destination address is a proxy-address of type url-category. |
| 967823 | Inline IPS behavior issues. |
| 968000 | Settings for rate-based IPS signature are not honored for inline IPS. |
| 968143 | Port number is stripped off for forwarding servers. |
| 968514 | WAD CPU reaches 99.9% and causes service impact due to buffer overflow. |
| 968660 | Traffic log gets trimmed if the size exceeds 1900. |
| 969007 | Transport parameters error for QUIC peer connection. |
| 969539 | "Forward Server Monitor" Widget shows blank results. |
| 969997 | FortiProxy username is not shown in log if the authentication failed. |
| 970003, 972976, 978538, 979741 | GUI issues. |
| 970863 | FortiProxy fails to match google-translate regex matching rule. |
| 970895 | http-transaction log incorrectly records the forward server IP as the destination IP/port. |
| 970975 | Web filter fails to get sub-category of plain HTTP based on URL path in certificate inspection mode. |
| 970993 | Traffic is not blocked as expected when you set application with parameters to block in inline IPS. |
| 971068 | Unable to match first group attribute from SAML assertion and requests may be denied. |
| 971232 | YouTube application cannot be blocked by inline CASB. |
| 971380 | WAD memory leak in inline IPS during stress testing. |
| 971506 | Crash at qpack sanity test. |
| 971759 | Fix cookie_v4 kernel panic. |
| 972306 | Cannot change captive portal SSL port number in transparent mode. |
| 972312 | When the type is set to Geography for an address object, the Country/Region list is empty. |
| 972980 | Cannot create VDOM link on FPX-4000G. |
| 973055 | Remove unnecessary wad debug logs. |
| 973312 | Downloading by FTP-over-HTTP with FTPS EPSV mode gets hung up when inspect-all is applied to web proxy policy. |
| 973457 | cmdbsvr crash when accessing CMDB complexes. |
| 973506 | Inline IPS crash when IPS sensor has CVE set. |
| 973994 | IP table does not have a dedicated field for virtual-server vsid. |
| 974170 | WAD memory leak in inline IPS during stress testing. |
| 974307 | WAD crashes if scanunit crashes when scanning a file. |
| 974938 | Wrong product references in FortiProxy log IDs. |
| 975392 | When you create an ICAP server group, the first ICAP server on the server list is dropped. |
| 975404 | URL category proxy address configuration change does not take effect on shaping policy. |
| 975749 | Potential performance issues caused by inline IPS database building. |
| 975833 | When CVE is set in an IPS sensor, traffic could mismatch custom signatures even if they are not set in the filter. |
| 976129 | Issues with botnet violation log when proxy inline IPS is enabled. |
| 976198 | Missing port check for ICAP local server when configuring port in other services. |
| 976713 | Connection is closed during SSL offload by "config firewall ssl-server". |
| 977581 | "FortiProxy scheduled update failed" error. |
| 977605 | An IPS configuration learning issue may cause failure in rule matching after you update a CVE or vuln-type-based IPS sensor entry to rule-based. |
| 977734 | Access to secondary unit is not granted when you use the SVI interface for management in HA. |
| 977972 | The GUI terminal cannot show the "dia sys top" correctly. |
| 978389 | Inline IPS matching performance issue. |
| 978544 | When a request is sent with header "Cache-Control: max-age=0", the content is not returned and the connection is closed. |
| 978621, 978635, 978644, 978816 | Inline IPS memory corruption and memory leak issue. |
| 978788 | The kernel will panic when running a debug trace with vd/vd-name set to a non-root vdom. |
| 979936 | When configuring ipv6 addresses in the CLI, all types of external-resource for ipv6 address are listed. Only the external-resources of type "domain" and "address" should be listed. |
| 980407 | ICAP client fails to close tcp-port on connect error, resulting in a session-context leak. |
| 980503 | Cannot create an isolator server on the proxy policy page in the GUI. |
| 981332 | Traffic cannot access Internet via non-root VDOM's transparent proxy policy. |
| 981551 | WAD crashes with SSL ICAP local server when the ICAP server has an invalid SSL certificate. |
| 906712, 949847 | Crash on wad_diag_stats_policy_list. |
| 928048, 955219 | Match file name is wrong when downloading xz file from Google Drive. |
| 936771, 936874 | Wrong replacement message when outbreak prevention and file filter or DLP profile (both attached to the same policy) are enabled. |
| 943784, 976103 | The Inline CASB HTTP header change function does not update the new header name and value length correctly. |
| 944302, 962671 | Configuring inline CASB to block an application causes the access to the complete application-related domains to be blocked. |
| 967083, 967507 | Firewall policy schedule does not work correctly. |
| 940149, 964421, 966762 | Rapid reset HTTP/2 DOS. |
| 960116, 964872, 967196 | Issues in the inline CASB CLI. |
| 970051, 970264, 971551 | Session monitor and Interface bandwidth widgets do not work. |
Common vulnerabilities and exposures
FortiProxy 7.4.2 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE reference |
|---|---|
| 973351 | |
| 958440 | |
| 964421 | |
| 855912 | |
| 961488 | |
| 961494 | |