Resolved issues
The following issues have been fixed in FortiProxy 7.6.4. For inquiries about a particular bug, please contact Customer Service & Support.
| Bug ID | Description |
|---|---|
| 1130867 | LDAP groups are not updated regularly in the WAD cache. |
| 1142105 | Inline-CASB shared memory has memory corruption when loading the signature with header match rules. |
| 1140654 | SAML authentication failure after configuration change. |
| 1146216 | Intermittent user traffic disconnection issues on FortiProxy VM after upgrading and applying a new user license. |
| 1093881 | Incorrect service name in inline IPS botnet log. |
| 1130795 | Wrong certificate for client certificate exchange in action deny explicit policy. |
| 1103523, 1143534 | Error when deploying fpx_arm64_aws due to a shortage of flash space. |
| 1139840 | ZTNA web-portal authentication fails after configuration update. |
| 1133901 | When "https-replacement-message" is disabled and traffic is blocked, FortiProxy aborts HTTP CONNECT without returning any error code to the HTTP CONNECT request. |
| 1040204, 1040494 | Under FTP Active mode, AntiVirus NAC-quarantine will ban server side IP. |
| 1149344 | Client certificate is not offered without authenticated user when ssl-client-certificate is set to static. |
| 1030015 | BUFFER_SIZE found in UTM_Proxy. |
| 1145481 | Adding some regex entries to URL filter causes other urlfilter tables to stop working properly. |
| 1144621 | Unicast HA with transparent VDOM fails to sync. |
| 1130882 | Missing field details in http-transaction logs for deep-inspect https CONNECT traffic. |
| 1147546 | Kernel panic when clearing sessions. |
| 1130928 | ZTNA webportal's response contains body with HEAD method. |
| 1149807 | Policy lookup tool does not match source interface. |
| 1149760 | Inline-IPS does not match IPS sensor location. |
| 1149110 | With a wrong URL (but with a huge body) in the OIDC discovery field, CPU usage reaches 100% when HTTP verbose log is enabled in console. |
| 1143212 | The SSH fingerprint is changed when traffic passes through transparent mode FortiProxy. |
| 1140953 | HTTP2 large file download may get stuck and fail. |
| 1144389 | Device hangs with no GUI/SSH/serial console access. Traffic processing halts completely. |
| 1143184 | Policy test does not work on service set on app-service-type app-id. |
| 1080366 | The FURL license seat does not control the inline CASB feature. |
| 1154960 | Failure in matching VIP in policy when multiple addresses are in the dstaddr list for transparent proxy. |
| 1155578 | When multiple VIPs are specified in dstaddr, crash may occur if the first VIP does not match and a subsequent VIP is checked for a match. |
| 1102925 | WAD ssl_cert leak in ZTNA. |
| 1155170 | Memory usage increases unexpectedly during high load when processing WAD-related tasks. |
| 859182 | WAD crashed at fts_crypto_kxp_pub_key_verify_done. |
| 1155295 | Inline-CASB profile is not visible in the Profile Group in both CLI and GUI. |
| 1144818 | Download failure occurs when accessing https://7-zip.de for domain objects.githubusercontent.com. |
| 1149600 | In explicit proxy policy, if the outgoing interface type is pppoe, all traffic will be blocked when fast matching is enabled. |
| 1152772 | In non-transparent mode, enabling DNS protection for HTTP/HTTPS traffic causes the traffic to hang. |
| 1146601 | Inline IPS raw scan can leak memory. |
| 1149337 | IPsec tunnel does not forward traffic for certain interface port configurations. |
| 1121980 | Inline IPS blocks some LinkedIn pages that should be allowed. |
| 1152286 | WCCP crash after enabling WCCP under interface in FortiProxy VM. |
| 1055898 | Downstream server cannot get the payload from forwarded HTTP/2 messages because Content-Length or Transfer-Encoding information is not included in the forwarded messages, which can also cause an HTTP smuggling attack. |
| 1158174 | Cannot use internet-service in single IPv4 and IPv6 policy. |
| 1159963 | Expired server certificates are issued during deep inspection. |
| 1116834 | Authentication pop-up does not appear when accessing HTTPS websites through FortiProxy with Explicit Proxy when authentication rules, webproxy-forward-server, and certificate-inspection are configured in policy. |
| 1095498 | After override is enabled under endpoint-control.settings, traffic still matches the policies which use EMS tags under global VDOM. |
| 1102694 | "utmref" and "utmaction" fields are missing in forward traffic log and http-transaction traffic log for long-tcp sessions. |
| 1156135 | Crashes when configuring a policy with a mix of VIP and L7 addresses on the GUI. |
| 1154043 | Fix incorrect locking and RCU usage in kernel. |
| 1001480 | SSH policy display issues in both GUI and CLI. |
| 1164161 | The first LDAP cache query always fails, even when both user node and group info are correct. |
| 1141275 | The FortiProxy is shut down unexpectedly when Active Directory is used. |
| 1160001 | Unexpected power off on FPX-400G. |
| 1164508 | Issue with machine account authentication in NTLM and Kerberos. |
| 1160444 | Global config wanopt content-delivery-network-rule is deleted after VDOM config restore. |
| 1164865 | detect-https-in-http-request no longer works. |
| 1048549 | To allow SN prefix FPXVMR and FPXVMO for FortiFlex |
| 1162685 | Traffic blocked due to per-ip shaper when no shaping policies are configured. |
| 1155022 | Refine traffic log when forward server is down with server-down-option=block. |
| 1166774 | Policy "max-session-per-user" config update does not take effect. |
| 1098400 | Inline IPS custom app dependency issues. |
| 1148863 | Interface speed statistics are not shown if the interface is moved to a non-root VDOM. |
| 1096263 | Intermittent 504 errors occur when an IPv6 HTTP request followed by an IPv4 request in the same pipeline goes through explicit proxy with outgoing-ip. |
| 1169854 | Tenant control is unavailable in FortiProxy 7.4.9. |
| 1166902 | Under the transparent policy configured with SAML authentication, user traffic fails to redirect to the authentication window. |
| 1168193 | SOCKS policy match user/group info is not assigned to session context. |
| 1167993 | Improve WAD statistics through shared memory. |
| 1168995 | Logging in again from the same IP with a previous unfinished TFA form login causes a crash. |
| 1170853 | No PSU monitoring for FPX-400E. |
| 1139201 | Internal resources are inaccessible via IP or FQDN when using agentless ZTNA Access proxy-portal with apptype web on FortiProxy. |
| 1174803 | Crash during krb fallback traffic. |
| 1174060 | WAD crash on dia test app wad 110 for shm-stats. |
| 1155100 | Policy matching on WAD with VIP fails in transparent mode. |
| 1161799 | Incorrect MTU used for IPsec tunnel. |
| 1167782 | Unable to download archive with password. |
| 1104165 | GUI and CLI output for firewall and proxy authentication lists mismatch. |
| 1168911 | Creating a new address object from GUI on the secondary device fails when it's done under policy edit. |
| 1156893 | WAD keeps crashing with signal 6 after creating a server-load-balance with no real server. |
| 1165461 | Failure in generating CSR with safenet HSM. |
| 1172637 | "Bad Request" error after clicking LOGIN on captive portal. |
| 1175018 | FortiProxy reboots when removing groups from a policy. |
| 1170884 | FortiProxy repeatedly reboots. |
| 1046939 | CASB profile should only be configurable when utm-status is enabled. |
| 1173302 | Downstream nodes cannot communicate with each other when root is unreachable in security fabric. |
| 1128026 | Video filter fails to effectively block YouTube videos. |
| 1161593 | Cannot configure ssl-ssh-profile for explicit-web policy with action redirect. |
| 1177015 | When deep-inspection is enabled in policy and https-replacement-message is disabled, web filter log is not generated and traffic log's utmaction shows "allow" for traffic blocked by web filter. |
| 1174812 | Password-protected files sent from FortiProxy cannot be opened or scanned by FortiSandbox. |
| 1177714 | Traffic log for proxy traffic does not include explicit-web-proxy name. |
| 1178363 | Occasional SSL error and WAD crash. |
| 1177573 | Issues related to error handling with wad_str objects and buffer operations. |
| 1160437 | DNS lookup does not work for IPv6. |
| 1098827, 1133648, 1156883, 1163061, 1173794, 1174460, 1175314, 1178985, 1183154, 1183758, 1183978, 1189849, 1200399, 1200651 | GUI issues. |
| 1174463, 1180682, 1182789, 1193761, 1194130 | Inline IPS crash. |
| 1172516 | Request fails to match VIP on WAD. |
| 1168867 | Inconsistent behaviour with authenticated users when the XFF is in the HTTP header and IP-based authentication is enabled in authentication rule. |
| 1179521 | FortiProxy FortiView GUI does not work on HA secondary. |
| 1179713 | Some fields are missing when policy type is set to transparent-connect. |
| 1180738 | Crash when executing |
| 1178564 | Unable to access any websites intermittently in explicit proxy. |
| 1177934 | WAD workers are at 99% CPU for more than 10 minutes after a firewall policy is enabled or disabled, impacting traffic. |
| 1175068 | (SSL) HTTPS handshake fails when https-replacement-message is disabled and authentication is required in policy. |
| 1159424 | Implicit deny does not include or block IPv6. |
| 1178166 | The web browser displays the certificate selection dialog when you access the FortiProxy GUI. |
| 1168782 | URL Category Deny not indicated in traffic logs. |
| 1133068 | Inconsistent blocking behaviors of banned IPs for different policy types and protocols. |
| 1173584 | Bypass for oversize files does not work. |
| 1178203 | FortiProxy becomes unresponsive (all interfaces down, no serial access) during traffic peak. |
| 1185301 | OIDC authentication timeout with session-based access in ZTNA. |
| 1160110 | Expired user seats are counted as valid in license sharing. |
| 1026921 | Application control cannot block QUIC when proxy-inline-ips is enabled in the policy. |
| 1180491, 1188287 | SOCKS request which matches any explicit-web-connect policy skips matching of explicit-web policies. |
| 1187632 | Duplicate log_id in WAD traffic logs when the forward server is down. |
| 1185663 | LDAP group queries do not work. |
| 1189360 | Inaccurate seat calculation for FNBI and FCAS license types during license sharing. |
| 1189482 | License sharing crash issue. |
| 1050336 | When MFA method is used for administrator users and OTP length is set to 8 on FortiToken, FortiProxy will not log the user in with an error "Authentication failure" even if the OTP is correct. |
| 1193771 | When using cookie-based authentication, auth_method shows "NULL" instead of "Cookie". |
| 1188912 | Incorrect and misleading logs for files detected as malware by FortiSandbox. |
| 1190655 | Webfilter service is not enabled when a deny policy is configured with url-category. |
| 1166666 | Upper case domain name triggered domain-fronting block on http1.1. |
| 1178104 | External resource HTTP password cannot be blank when username is set. |
| 1187553 | Increase external resource password length to 512 from 128. |
| 1185498, 1189006 | Count file not generated for threat feed external resource. |
| 1186795 | Incorrect URL is displayed after form authentication. |
| 1180336 | Authentication is not triggered for deny and redirect policy. |
| 1138074 | Log display issue when inline IPS is enabled. |
| 1191149 | CSF member does not update upstream path when HA AP switches from active to standby. |
| 1028368, 1177336 | Improve ICAP connection pool counting to count overall connections from multiple workers. |
| 1138959 | For parameterized signatures, inline IPS does not include parameter value in the msg field of utm app log. |
| 1177408, 1177663, 1181700, 1181736, 1181744, 1181930, 1181958, 1185020, 1187659, 1192982, 1193199, 1194087 | Replacement message issues. |
| 1177720 | Cannot connect to FortiGate Cloud. |
| 1194732 | ICAP server gets policy deny for all ICAP req mode requests. |
| 1179919 | Fix `ftgd-wf` configuration in "sniff-profile" to match other default profiles. |
| 1185240 | Fix source address added to unknown http header on virtual server |
| 1188619 | HTTPS over SOCKS traffic fails when `inspect-all deep-inspection` is configured. |
| 1192922 | iptables cannot match DNS server hosted on loop interface. |
| 1170843 | The ZTNA web-portal page shows "{EXPAND}" instead of expected content. |
| 1197206 | WAD url-lookup fails to find webproxy if the first web-proxy explicit-proxy is invalid. |
| 1018161 | Improve DLP EDM optional field when optional columns are configured in CLI. |
| 1199135 | The username to be authenticated is not converted to lowercase when username-case-sensitivity is disabled. |
| 1186176 | File download hangs with medium severity IPS sensor. |
| 1198497 | ICAP debug log issues. |
| 1198548 | ICAP response ISTag header content should be quoted-string. |
| 1193984, 1194819, 1197596 | Crash when printing more than 25 forward servers |
| 1182981 | SSH matching behaviors against isolate policy are inconsistent under different configurations. It fails to match the desired policy in some cases. |
| 1201324 | Missing default "web-proxy explicit-proxy" entry "web-proxy". |
| 1200290 | Crash for YouTube player request when the request is blocked. |
| 1200844 | Unable to change "Invalid SSL certificates" when "Inspect All" is enabled on "SSL/SSH Inspection" page. |
| 776013 | Authentication refactor to support multiple authentication requests so as to prevent a race condition. |
| 1184283 | ZTNA web portal with dynamic ldap attribute bookmark does not work when the authentication method is form-based. |
| 1200594 | After uploading an image to an HA cluster, the active unit responds to the ARP request with the passive unit's MAC address, which leads the client to wrongly connect to the passive unit when trying to access the cluster with the cluster IP. |
Common vulnerabilities and exposures
FortiProxy 7.6.4 is no longer vulnerable to the following CVE references. Visit https://fortiguard.com/psirt for more information.
| Bug ID | CVE reference |
|---|---|
| 1187887, 1192040 | |
| 1081024 | |
| 1179551 | |
| 1151885 | CVE-2025-31366 |
| 1081024 | CVE-2025-25255 |
| 1196322 | CVE-2025-31514 |