Resolved issues

The following issues have been fixed in FortiProxy 7.4.3. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description
985560 Application IDs do not show up in CLI.
972058 Proxy inline IPS service should be "HTTPS" instead of "https" in IPS log for HTTPS traffic.
985686 OpenSSL fails to encrypt and decrypt VD licenses.
982273 Certificate authentication group information query fails.
982883 Attack traffic for inline IPS cannot be exempted if set src-ip/dst-ip for both directions are in exempt-ip list.
982015 IP addresses are removed after factory reset when more than 4 ports are configured.
968509, 968524 Raw data and attack context are missing from inline IPS log.
985198 IP address threat feed connection status indicates "Other Error".
955481, 983897 When fast-policy-match is enabled, traffic is matched to wrong policy during a specific period of time.
980527 CLI should not allow the FTP protocol in config web-proxy isolator-server.
980994 External-resource types other than address and domain are not filtered out for firewall.policy.dstaddr6 and srcaddr6.
977734 Access to secondary unit is not granted when you use the SVI interface for management in HA.
979936 When configuring IPv6 addresses in the CLI, all types of external-resource for IPv6 address are listed. Only the external-resources of type "domain" and "address" should be listed.
986971 WAD crash on wad_secure_webproxy_ssl_set.
982669 IPS filter type protocol does not detect matched signature and bypass traffic with proxy inline-ips enabled.
948042 Failed to create VDOM with a name longer than 11 characters in the CLI when long-vdom-name is enabled.
984179, 984948 Application Control profile does not work on non-root VDOM.
988098 Crash during smtp-over-http.
983920 Policy with dnat vip is denied when log-http-transaction is set to "all".
976775 When policy based routing is configured and traffic is redirected to WAD, traffic from the FortiProxy back to the client is routed via static routing.
980297 GUI shows empty remote groups while CLI configuration shows the correct remote group configuration.
980702 URL rating lookup does not support valid URLs with forward slash.
987777 Policy ID is not available for disabled policies in the FortiProxy GUI.
974938 Remove references to unsupported features in FortiProxy log IDs.
978473, 982156 URL local/user category rating result shows only one best match category but not the other matched local/user categories configured in the profile.
945197 Configuration value of the interface IP address should not be synced within a FortiProxy HA cluster on Azure.
982637 Cannot start a capture in a non-root VDOM.
985485 FortiProxy interface does not respond when HA has multiple vclusters.
947928 In Policy & Objects > Proxy Auth Settings, you cannot unset a CA certificate once it is set.
964747 No method legend in User Monitor widget.
990142 Interfaces with no members are allowed to be aggregated in GUI.

773815, 988544 AD group cache update issue.
986806 Crash in WAD user-info process.
988402 Cannot use HA reserved management interface to send log to FortiAnalyzer.
982614 Anti-virus incorrectly blocks the upload of good Excel files to OneDrive with corrupted archive error.
989515 Crash on building fast match table when the source interface is configured with an empty system zone.
967538 Traffic that should get IPS scanned passes through when IPS is out of service.
985374 HA is out of sync after automatic reboot.
981069, 981546 ICAP is unable to bypass when ICAP remote server is offline and health-monitor is disabled.
987387 On a non-root VDOM with multiple explicit-web entries, changes to policies are not applied properly.
981193 FortiProxy does not send authentication request after proxy-re-authentication-time has passed.
972919 Buffer overflow and format string vulnerabilities.
985058 Weak key derivation for backup file.
992186 Packet capture warning message is irrelevant and confusing.
986713 Config restore takes the device into system maintenance mode and makes it inaccessible.
989621 utmref is missing in forward traffic logs with http transaction log enabled.
977905 AV proxy profile causes issues with SMB access.
990161 HA secondary acts like primary in vcluster1 after the switch of primary and secondary in vcluster2.
983371 WAD procmgr hangs on waitpid.
977645 Incorrect output when viewing FortiView Proxy Policy with source set to FortiAnalyzer.
991641 Unable to save changes to shaping policy when dstaddr6 is set to be an IPv6 FQDN address with wildcard (*).
993581 GUI DLP rules ID duplicate issue when you delete one and add another.
993799 Remove Fabric Overlay Orchestrator from GUI.
993597 WAD crashes when user LDAP server is configured.
915834 HA active-passive flip: standby FortiProxy tries to reach out to FortiGuard services through HA port.
987687 "Can not create query" error while deleting VDOMs.
988015, 992933 "sysctl ifconfig" does not work when the interface belongs to a non-root VDOM.
989798 Out-of-bounds write in SSL VPN.
983298 Forward logs for non-root VDOM are only visible in root VDOM.
992167 Providing an invalid client certificate during certificate authentication can create a redirection loop.
985049 XSS vulnerability in reboot page.
989784 Access to other users' bookmarks in SSL VPN web mode.
988016 Aggregate interface is not initialized on startup when the aggregate is in a non-root VDOM.
982716 False warning "unresovled FQDN" for all FQDN addresses other than wildcard FQDN.
956570, 975752, 990586, 991059 Inline CASB UTM log issues.
980924, 983161 Inline CASB upgrade issues.
993080 Irrelevant fields in the VDOM configuration window in GUI.
989660, 989668 rawdataid/rawdata, forwardedfor, and trueclntip are missing from inline IPS utm log.
983856 "unknown-1" is listed in FortiView proxy applications tab.
985902, 987198, 987298, 987310, 988250 Inline CASB CLI bug fixes.
993108 CLI hangs after you delete a VDOM from the CLI.
994230 WAD crashes when SOCKS request fails to connect to LDAP server.
995622 SOCKS request is unable to match web-proxy entity in auth rule and WAD crashes.
985557 HA in transparent mode fails to form due to dropped ARP requests.
979908 No validation for source interface field for "ssh-tunnel" type policy in GUI.
997177 FortiProxy GUI cannot display ICAP log.
992245 FQDN ipset is not populated after the captive portal configuration changes from IP to FQDN.
989694 ICAP secure server with webfilter crashes on the first request.
977530 HTTPS over locally resolved SOCKS webfilter not working.
992599 UTM action and count information is missing in http-transaction-log for HTTPS request when tp-policy is certificate-inspect.
992853 After matching a url-match in SOCKS proxy forwarding, the original IP rather than the fw_server ip is used to get the interface for policy matching.
979219 FortiProxy A/A cluster with VDOMs drops packets.
981211 Global system default settings for TLS 1.2 are not applied upon LDAP connection to domain controller.
990257 Forward message sends the cookie header with original length but corrupted data.
998086 New CASB entries are not created on non-root VDOM during CASB DB upgrade.
998488 worker.tcp fails in "diag wad stats".
999050 Certificate tab keeps loading when the certificate is selected.
997336 Cannot establish FSSO connection from FortiProxy VDOMs.
997001 External resource cannot update for IPv6 hosts.
975685 FortiProxy 400E possible WAD memory leak.
996012, 997905 SOCKS policy match does not support url-list dstaddr type.
959421 Cannot download files with a size of more than 5 MB via FPX with SSL deep inspection and DLP profile enabled.
997868 Error during auth TLS for FTP service.
992632 Inline CASB log is missing policytype field.

995824 Counter value returns 0 for non-root interface when polling via SNMP.
994749 URL filter fails to block transparent HTTPS traffic with IP hostname.
868634 Bypass of root file system integrity checks at boot time.
993166 When managed by FortiManager, HA-mode FortiProxy triggers an auto update every 30 minutes.
999664 Unable to allow the connections to match existing configured policy.
923920 ICAP 204-response is not shown correctly and cannot be edited in GUI.
986713 After configuration restore, the device changes to system maintenance mode and becomes inaccessible.
993506 Remove CLI for in band HA management, which is not supported by FortiProxy.
975759 When multiple control options are taking action in inline CASB, only the first action generates a UTM log.

FortiNBI

The following issues have been fixed in FortiNBI. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description
886077, 930915, 934251, 956123, 959594, 962908, 977250, 979177, 993669, 989676, 996544, 996542, 988642 FortiNBI bug fixes.
959232 Crash when downloading the FortiNBI installer.
959263 FortiNBI rating error and all pages are broken in the FortiNBI application.
N/A Log collection fails if the isolator is not installed.
N/A Instability issues caused by isolator state tracking.
N/A Isolator download timeout is too long.
N/A Service states are not accurate in edge scenarios during restart.
N/A GUI is unavailable due to a broken link to Windows App SDK.
N/A No timeout when task fails to start repeatedly.

Common vulnerabilities and exposures

FortiProxy 7.4.3 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.

Bug ID CVE reference
989784 CVE-2024-23112
989798 CVE-2024-21762
993863 CVE-2024-23113
868634 CVE-2023-28002
