Resolved issues
The following issues have been fixed in FortiProxy 7.4.9. For inquiries about a particular bug, please contact Customer Service & Support.
| Bug ID | Description |
|---|---|
| 1112600 | The wad_ftp_session_task_start does not initiate while establishing the data connection. |
| 1115137 | Increase the maximum value of proxy-auth-timeout from 600 to 4320 minutes. |
| 1113152 | BUFFER_SIZE found in daemon-wad - wad_chunk.c:wad_chunk_buf_get. |
| 1114438 | Policy test feature does not work when no WAD debug is running in the background. |
| 1105419 | SSL inspection is being applied even though traffic matches a policy that has no inspection. |
| 1107077, 1107230 | No buffer size checking before memory copy and move operations. |
| 1111141 | WAD process crashes continuously after ftgd-local-rating configuration. |
| 1074460 | Buffer overflow issues related to corrupted traffic log files, which could lead to a crash. |
| 1118107 | Non-HTTP traffic does not bypass app policy with deny and is dropped. |
| 1107113 | SSL exempt logs "destination" and "destination-interface" fields are incorrect. |
| 1115595 | Traffic log says utmaction="allowed" when the security profile is not configured so. |
| 1115799 | VIP does not follow policy. |
| 1117526 | list_entry should be typesafe. |
| 1089162 | In transparent mode, an IP address change on the management interface is not learned until reboot. |
| 1117013 | wad_hash_cache timeout issue. |
| 1117213 | Missing return value check in upd_ips_report.c. |
| 1115027 | ICAP does not support sending SNI when FQDN is configured. |
| 1110873, 1121008, 1122890, 1125661, 1116906, 1126935, 1133247, 1134920, 1005491, 1148955, 1098827, 1116523 | GUI issues. |
| 1119561 | Update library logging defaults. |
| 1111239 | The lock IP address function does not work in explicit proxy mode. |
| 1054835, 1121171 | Proxy HTTP2 single file transfer is slow when IPS/APP/SSL inspect-all is enabled. |
| 924740 | Improve WAD trace log precision of process-id-by-src filter. |
| 1115120 | Incorrect service and URL in AV log when HTTP request via external proxy hit the AV infected URL cache. |
| 1121444 | Creating custom SaaS applications for inline CASB causes HA to be out of sync. |
| 1125850 | Fix the calculation of new buffer length. |
| 1080366 | The FURL license seat does not control the inline CASB feature. |
| 1119389 | Explicit proxy does not work via IPsec tunnel. |
| 1103476 | License leak. |
| 1119179 | WAD crash with AV profile while accessing some websites. |
| 1128580 | FortiSandbox connection status shows error "Unreachable or not authorized" after upgrade. |
| 1095093, 1092529 | "utmref" and "utmaction" fields are missing in forward traffic log and long-tcp sessions are missing in http-transaction traffic log. |
| 1102694 | "utmref" and "utmaction" fields are missing in forward traffic log and http-transaction traffic log for long-tcp sessions. |
| 1127033 | For a policy with IP pool enabled, IP pool change does not take effect unless you disable and enable IP pool in policy. |
| 1056498, 1075806, 1109306, 1110202 | Proxy inline IPS performance on HTTP traffic is much worse than the IPS engine. |
| 1109469 | FortiProxy SOCKS5 traffic is denied when detect-https-in-http-request is enabled. |
| 1128154 | "print tablesize" returns the wrong values. |
| 1128283 | Logs that should have duration 0 sometimes show wrong values. |
| 1131180 | Error message on console when FPX-4000E is booting. |
| 1110904 | Unable to see logs for traffic that matches transparent policy with action DENY. |
| 1128653 | DNS resolution and latency issues after importing FQDN address objects. |
| 1127524 | web-proxy forward-server monitor URL does not work with HTTP scheme. |
| 1106807, 1129308 | With a configuration that blocks bats.video.yahoo.com, visiting tw.sports.yahoo.com triggers HTTP2 PROTOCOL_ERROR. |
| 1123962 | diag wad policy list does not show implicit deny/allow policy. |
| 985311, 1121357, 1110850 | X-Forwarded-For header in webfilter log and "exec tac report" trace on console. |
| 1048296 | Error in the HTTP2 framing layer when accessing a specific website via proxy with deep inspection configured. |
| 1126862 | Traffic is passed by transparent deny policy when log-http-transaction is enabled. |
| 1130067 | HTTP/2 traffic cannot pass through the explicit-policy when web filter is enabled. |
| 1133565 | Password protected msofficex and msoffice files are bypassed when encrypted-file is set to inspect. |
| 1127352 | Inline-IPS duplicate and conflicting app control logs. |
| 1126749 | Duplicate session ID in traffic logs across different connections. |
| 1137505 | If LDAP returns a user with group "a", it will match groups "a1" and "a2", which is incorrect. |
| 1096529 | WAD crash at wad_ctrl_workers_close_ips_db once. |
| 1135709 | Ipset is unable to handle maximum external resource size. |
| 1125699 | Inline IPS PCRE pattern matching issues. |
| 1102796 | Passive proxy member sends LDAP requests to the LDAP servers. |
| 1104821 | WAD has signal 6 crash at wad_ftp_data_session_make. |
| 1012742 | With fast-policy-match enabled, proxy fails to match policy for traffic with SD-WAN logical interface index. |
| 1121249 | CASB fails to block the HTTP request when CASB profile is enabled and the header name is a known header like "Accept", "Content-type", "User-Agent", or "Host" (set header-name "user-agent"). |
| 1134310 | SSL exemption not working on policy in case of partial match. |
| 1142196 | Cannot perform DNS lookup in VDOMs in transparent mode unless a DNS server is specified. |
| 1133901 | Improve HTTP CONNECT response when "https-replacement-message" is disabled. |
| 1138959 | For parameterized signatures, inline IPS does not include parameter value in the message field of utm app log. |
| 1111368, 1142863, 1143212 | Source IPs are banned without any quarantine features enabled. |
| 1135096 | In the HTTP transaction log, when certificate inspection is set, the URL field loses protocol information if traffic passes through. |
| 1139414 | WAD signal 11 crash with "wad_mem_free". |
| 1070388 | FortiProxy does not respond to an ICMP request from directly connected interfaces. |
| 1130867 | LDAP groups are not updated regularly in the WAD cache. |
| 1142105 | Inline-CASB shared memory has memory corruption when loading the signature with header match rules. |
| 1144621 | Unicast HA with transparent VDOM fails to sync. |
| 1093881 | Incorrect service name in inline IPS botnet log. |
| 1130795 | Wrong certificate for client certificate exchange in action deny explicit policy. |
| 1144280 | HA becomes out-of-sync after upgrading and requires a reboot to force it to sync again. |
| 1105211 | Inline IPS blocks customer application signature without generating replacement message or log. |
| 1030015 | BUFFER_SIZE found in UTM_Proxy. |
| 1149344 | Client certificate is not offered without authenticated user when ssl-client-certificate is set to static. |
| 1147546 | Kernel panic when clearing sessions. |
| 1130882 | Missing field details in http-transaction logs for deep-inspect https CONNECT traffic. |
| 1102925 | WAD ssl_cert leak in ZTNA. |
| 1127366 | Unable to coalesce TCP connection between the FortiProxy and web for multiple HTTPS requests from different clients. |
| 1146216 | Intermittent user traffic disconnection issues on FortiProxy VM after upgrading to 7.4.8 and applying a new user license. |
| 1148949 | Inconsistent behavior on the log disk GUI and CLI when the Security Fabric is enabled. |
| 1149807 | Policy lookup tool does not match source interface. |
| 1149760 | Inline-IPS does not match IPS sensor location. |
| 1143212 | The SSH fingerprint is changed when traffic passes through transparent mode FortiProxy. |
| 1151886 | Security Fabric devices are not shown, disconnected, and removed from configuration. |
| 1150516, 1150517 | RESOURCE_LEAK in Routing_Authentication. |
| 1143184 | Policy test does not work on service set on app-service-type app-id. |
| 1144389 | Device hangs with no GUI/SSH/serial console access. Traffic processing halts completely. |
| 1148794 | Some websites were blocked by FortiProxy DLP. |
| 1055898 | Downstream server cannot get the payload from forwarded HTTP/2 messages because Content-Length or Transfer-Encoding information is not included in the forwarded messages, which can also cause an HTTP smuggling attack. |
| 1012811 | Log time is one hour behind NTP after daylight savings time change. |
| 1140953 | HTTP2 large file download may get stuck and fail. |
| 1148219 | Server IPs are missing from the admin trusted hosts. |
| 1121980 | Inline IPS blocks some LinkedIn pages that should be allowed. |
| 1146601 | Inline IPS raw scan can leak memory. |
| 1149337 | IPsec tunnel does not forward traffic for certain interface port configurations. |
| 1152772 | In non-transparent mode, enabling DNS protection for HTTP/HTTPS traffic causes the traffic to hang. |
Common vulnerabilities and exposures
FortiProxy 7.4.9 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE reference |
|---|---|
| 1125742 | |
| 1117346 | |
| 1121042 | |
| 1125742 | |
| 1109747 | |
| 928124 | |