FortiOS 5.6.6 Release Notes

Resolved Issues

The following issues have been fixed in version 5.6.6. For inquires about a particular bug, please contact Customer Service & Support.

Authentication

Bug ID Description
433700 Support non-blocking LDAP authentication.
461580 Getting authentication portal by FQDN:1000/login? and /logout? does not work if using authredirect fqdn in policy.
474615 Not possible to allow expired certificates while blocking is revoked.
477437 authd crashes.
477856 FortiGate does not send RADIUS accounting interim updates to the configured accounting server.
Bug ID Description
479672 FortiTelemetry not blocking VIP.

AV

Bug ID Description
459986 Repeated scanunit signal 11 crash scan_for_base64_objects.
488492 Mobile Malware Subscription missing expire date.

Connectivity

Bug ID Description
463982 FortiManager IP is unset in FortiGate CM.
479607 Scheduled auto-update happens twice in 10 seconds but a log entry for the first try is not logged.

DLP

Bug ID Description
496255 Some XML-based MS Office files are recognized as ZIP file.

Endpoint Control

FIPS-CC

Bug ID Description
481535 Device suddenly goes down with FIPS error .

Firewall

Bug ID Description
478360 IPv6 VIP does not translate IP address.
497954 Netflow gives wrong reports for long lived sessions.
498188 Dirty_session_check in FortiGate drops all established VIP64 sessions.

FortiSwitch-Controller

Bug ID Description
497980 All managed FortiSwitches capwap tunnel down due to application cu_acd crashed.
498211 Connectivity fault during upgrade of FortiLink connected FSW.

FortiView

Bug ID Description
437272 FortiView bytes Sent/Received not matching the total data of the source when drilled down to details.
477994 Realtime FortiVIew > All Sessions, filtering entries by Application is not working.

GUI

Bug ID Description
438183 The exemption list of a cloned AV profile with Sandbox-inspection enabled affects the list of original AV profile.
449598 Remote LDAP User Definition wizard does not pull users.
450919 IPS sensor with >= 8192 signature entries should not be created from GUI.
457378 Show Matching Logs of IPv4 Policy does not work when Implicit Firewall Policies of Feature

Visibility is disabled.

462757 VPN map fails to load when using a custom management VDOM.
463539 Addresses page keep loading if nested addrgrp6 exists.
Bug ID Description
467175 Interface Bandwidth widget in NOC type dashboard disappears due to javascript after being added and then refreshed.
471578 Should not display cached/failed log status when FortiAnalyzer is store-and-upload and test connectivity succeed.
474645 After modifying system settings in GUI, gets wrong message and FGFM status is changed.
482628 CPU.Speculative.Execution.Timing.Information.Disclosure signature can’t be filtered if Application is selected.
485386 Adding a signature to existing IPS sensor profile gives internal server error -500 error message on web GUI.
488563 Purging expired account or deleting account through guest admin for user group name with spaces lead to blank page.
490409 FSSO configuration not displaying if the name contains spaces.
493140 Need to see application signature names instead of LDS under Logs & Report > System event logs.
493230 SNMP GUI page Apply button doesn’t work after the first time.

HA

Bug ID Description
408886 Uninterrupted upgrade from B718 to tag 9702 failed with 1.5M BGP routes and 6M sessions load.
459252 Hasync, Hatalk, and a few other processes go to D state when creating firewall policy or editing interface.
465849 Wrong diagnose sys ha dump-by vcluster display when cluster is on the same LAN.
471816 Policy route setting is synced in standalone-config-sync mode.
473806 Management interface IP address replicating to slave when using standalone management VDOMs.
480195 cmdbsvr process crashes with signal 6 and signal 11 while adding devices to a large device group.
482548 Conserve mode caused by hasync consuming most of memory.
488729 Box doesn not boot up when standalone-mgmt-vdom option is enabled in HA setting and rebooted.
491311 Management port has sync’ed when creating a new NAT VDOM.
493759 When vcluster2 is removed from HA config, all active sessions are killed once session-ttl is reached.
503118 Slave unit sends several false alert emails everyday after upgrade to 5.6.

IPS

Bug ID Description
423140 All IPS sessions lost when new custom signature added.
492193 DoS policies consume 20% more CPU than in FortiOS 5.2.
503895 Traffic drops for 15 seconds when UTM is enabled.
506234 Cannot configure IPS sensor severity or threat-weight category.

IPsec VPN

Bug ID Description
476461 IKE does not release the mode-cfg framed-IP assigned from RADIUS.
486756 Traffic is not fragmented for IPsec VPN when Proxy-based UTM is enabled.
487946 MSS value increases when AV or WEB filter in use resulting in Packet too big message.
490066 FortiClient with IPsec with Proxy / Webfilter – Fragmentation is needed.
492046 FortiGate does not respond to INFORMATIONAL exchange message as requested by RFC.
492366 100% system CPU usage when re-keying idle IPsec tunnels.

Log & Report

Bug ID Description
459163 QUAD File Dropped Reason = Unknown.
462471 Found miglogd crash on FG-240D.
496058 FortiAnalyzer is not able to show logs from some VDOMs.
497357 FortiGate logs show the action as block when we use DNS filter and if a DNS query timeout happens.

Proxy and WebProxy

Bug ID Description
487096 SSL handshake fails when activate ESET application.
491417 FortiGate is dropping server hello packets when URLFILTER is enabled.
500182 UDP over SOCKS proxy.
500965 In FG-200E kernel conserve mode, WAD process consuming high memory.
Bug ID Description
503633 Some traffic forwarded to different gateway when proxy based UTM profiles are used.
507155 System went into conserve mode due to WAD after upgrade to 5.6.5.

Router

Bug ID Description
443948 High memory usage for zebos_launcher and isisd.
460959 WAN link monitor (HTTP) log issue.
465957 Backup VPN static route remains after failback when explicit proxy and NAT are configured.
490312 When we set keepalive-interval > 0 in GRE tunnel, static route to remote site becomes inactive.
491423 BGP shutdown neighbor capability-default-originate parameter always in use.
491679 FortiGate chooses higher metric OSPF E2 route for traffic under some circumstance.
505189 Kernel is missing routes.
506219 Worker blade doesn’t update the FT routing cache when phase1 is bound to a loopback interface.

SSL VPN

Bug ID Description
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.
456027 SMB bookmark in SSL VPN portal doesn’t work with dynamic user-mapping and gets Invalid HTTP request error.
466438 High CPU usage by sslvpnd.
483253 FQDN doesn’t work well through SSL VPN web mode.
486918 SSL VPN web mode unable to load the page correctly.
491733 SSL VPN process taking 99% of CPU utilization {tunnel mode only).
491895 Web mode SSL VPN HTTP bookmark not working.
492066 High memory usage in SSL VPN even when there is only one connection.
492654 SSLVPND process crashes and users are disconnected from SSL VPN.
494960 SSL VPN web mode has trouble loading internal web application.
496584 SSL VPN bad password attempt causes excessive bindRequests against LDAP and lockout of accounts.
507251 SSLVPND is continuously crashing.

Switch

Bug ID Description
487444 FortiGate stops accepting traffic from any interface in a hardware switch after HA failover in 80/81E.
493685 Hardware switch flooding traffic.

System

Bug ID Description
414081 SMB1 support has been by default disabled under part models.
435388 The parent physical interface cannot be in zone list when VLAN interface is added to zone.
436399 snmpd crashes with signal 11 in get_fgHaStatsEntry.
463409 FG-3700D/DX issue with FQDN.
467060 Virtual Wire Pair wrongly tag the VLAN when passing from Native VLAN to Tagged VLAN.
475745 Backup password for administrator account is not working when interface is down.
478264 VPN traffic across VLAN NPU VDOM link fails after being offloaded.
484281 Asymmetric traffic issue.
491441 FWF-60D-POE: Null pointer KP happened a few times.
493052 Sometimes 5001D slave blade loses kernel static route after down/up traffic interface in 5001D/5913C SLBC system.
493747 High CPU was observed when changing the policy when large number of policies were configured.
494040 Creating or modifying security profiles generate multiple logs with misleading action.
494707 FortiGate trusthost settings not respected.
495994 Observes lots of IPS syntax errors on the console screen.
496590 FQDN address object does not accept numbers at the end.
498032 Sometimes 5001E blade crashes during traffic testing with UTM enabled in firewall policy.
499332 No error message when configuring address .067 and address converted with .55.
501098 A specific SFP shared port’s LED (port15 to 18 on FG-800C) is not lit properly.
503638 config system ipip-tunnel is lost after reboot when using pppoe interface.
505930 FG-3700D freezes when deleting VDOM.
507060 Packet loss on startup when interfaces are in bypass mode.
507061 Longer time to put interfaces in bypass mode during shutdown.

VM

Bug ID Description
464979 Encounter cannot set MAC address(6) after enabling HA on FGT_VM64_XEN.
476617 FortiGate VM on AWS using C5 instance can’t upgrade or downgrade image.
496951 Cannot create 802.3ad Aggregate with more than one member in KVM FGT-VM.
498653 FortiOS VM stops passing traffic after failover.
501886 Azure SDN connector does not work for some regions.
506221 azd keep crashing with signal 11.

VoIP

Bug ID Description
478634 Debug commands for SIP filter are not applied.
508277 Non-SIP packet send to SIP ALG gets dropped with no log.

Web Filter

Bug ID Description
470650 DNS filter getting purged by FortiManager when not used in a policy because FortiGate DNS filter does not contain static entry.
476806 FortiOS incorrectly sends ICMP “Destination Unreachable” with WF/certificate inspection.
485685 Proceeding from a web filter warning page intermittently results in the BLOCK page shown instead of the expected web site.
486466 HTTPS web page is blocked after clicking Proceed button.
489286 Renaming web filter profile does not take effect.
504238 Incorrect log action blocked even user is “passthrough” in web filter log with warning-prompt per domain.

WiFi

Bug ID Description
471638 FortiGate disconnects all clients when they roam from AP to AP.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID Description
450553 FortiOS5.6.6 is no longer vulnerable to the following CVE Reference:

l CVE-2017-12150 l CVE-2017-12151 l CVE-2017-12163

476125 FortiOS5.6.6 is no longer vulnerable to the following CVE Reference:

l CVE-2018-9185

478185 FortiOS5.6.6 is no longer vulnerable to the following CVE Reference:

l CVE-2017-11227 l CVE-2014-9295 l CVE-2017-9793

487421 FortiOS5.6.6 is no longer vulnerable to the following CVE Reference:

l CVE-2018-13365

This entry was posted in Fortinet, FortiOS 5.6, Release Notes on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiOS 5.6.6 Release Notes

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.