FortiOS 6.0.8 Is Out

Author
SecurityPlus
2020/01/17 20:21:13 (permalink)

I notice that 6.0.8 is available. Has anyone installed it yet? Any issues discovered?
 
I see a note that there is a change to the FortiGuard protocol and port number.
 
I see a message in the Release Notes that says:
 FortiOS 6.0.8 is no longer vulnerable to the following CVE Reference:
    CVE-2018-9195

FWF30E, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG60F, FG80E, FG100D
FortiOS 5.2, 5.4, 5.6, and 6.0
FortiSwitch FS-224E-POE
FAP-221E, FAP-221C
#1


    kd007
    Re: FortiOS 6.0.8 Is Out 2020/01/17 21:01:33 (permalink)
    I am running into some significant issues with RDP since the install. RDP sessions will frequently fail to connect, or will constantly disconnect after a very short period. Happening on multiple clients, both on and off of VPN, where the FortiOS update is the only common denominator.
    #2
    tanr
    Re: FortiOS 6.0.8 Is Out 2020/01/18 09:31:15 (permalink)
    We've been running 6.0.8 for a couple months now.  No issues that weren't in the release notes so far.
     
    @kd007, we use Windows RDP semi-regularly, between vlans, and across our IPsec VPN.  Haven't had any failures that I've seen.  Have you been able to pull the logs for some of these failures?
    #3
    TecnetRuss
    Re: FortiOS 6.0.8 Is Out 2020/01/18 15:11:14 (permalink)
    We've also been running 6.0.8 on all our FortiGates since December and have moved most of our clients' devices to 6.0.8.  There are VPNs and RDP/RDS Gateway clients connected nearly 24/7 and we haven't heard any complaints at all.
     
    The CVE-2018-9195 fix is pretty important.  Note that the 6.0.8 upgrade adds HTTPS as a FortiGuard protocol option but doesn't enable it (unless you start fresh with a 6.0.8 factory reset config), so to be protected from the CVE-2018-9195 vulnerability you have to set the FortiGuard protocol to HTTPS after you upgrade to 6.0.8.
     
    https://docs.fortinet.com/document/fortigate/6.0.8/fortios-release-notes/901852/fortiguard-protocol-and-port-number
     
    Russ
    #4
    kd007
    Re: FortiOS 6.0.8 Is Out 2020/01/18 21:16:31 (permalink)
    tanr
    @kd007, we use Windows RDP semi-regularly, between vlans, and across our IPsec VPN.  Haven't had any failures that I've seen.  Have you been able to pull the logs for some of these failures?

    tanr and Russ, thanks for the reply. Working on this again tonight trying to sort it out and hoping I don't have to get on the phone with support on Monday. What we're seeing is frequent action="timeout" messages in the log. I'm working on setting up packet captures right now to see if that tells me anything.
    Here is the pattern I've noticed:
    1. First attempt to connect = enter in RDP creds, tries to connect but fails.
    2. Second attempt to connect = enter RDP creds, Windows login screen starts to log you in and then you're disconnected before you hit the desktop.
    3. Third attempt to connect = enter RDP creds, make it all the way to the desktop. Usually it will kick you out after a minute or two, but less frequently it stays connected for longer periods.
    These issues were absolutely not present before the 6.0.8 update - hardware is a FG-500D a/p cluster. We have other hardware on 6.0.6 that I'm not updating until I sort this out.
    If you care, here's an example log message that we see:
    Jan 18 21:42:53 1.2.3.4 date=2020-01-18 time=21:42:53 devname="FG500D" devid="FGT5HDxxxxxxxxxx" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1579408973 srcip=5.6.7.8 srcport=7276 srcintf="ssl.root" srcintfrole="undefined" dstip=1.2.3.5 dstport=3389 dstintf="SERVER" dstintfrole="lan" poluuid="7ebdf02a-39b0-51ea-a6c4-9b3ea3471f8f" sessionid=77601623 proto=6 action="timeout" user="me" group="SSLVPN" authserver="LDAP" policyid=1000 policytype="policy" service="RDP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=1 sentbyte=12052 rcvdbyte=8248 sentpkt=52 rcvdpkt=48 fctuid="12345678901234567890abcdefghijkl" unauthuser="me" unauthusersource="forticlient" appcat="unscanned" crscore=5 craction=262144 crlevel="low"
     
    More to come... or if you just want me to be quiet that is fine too 
    #5
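An added example, not part of the thread and not Fortinet tooling: a small parser for the key=value traffic log format posted in #5 that counts RDP sessions ending in action="timeout" after only a few seconds. The sample lines are constructed from that log entry, and the 5-second threshold and function names are assumptions.

```python
import re
from collections import Counter

# key=value or key="quoted value" pairs, as in the traffic log line posted above
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return one log line's fields as a dict, with surrounding quotes stripped."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in KV.findall(line)}

def short_rdp_timeouts(lines, max_duration=5, port="3389"):
    """Count sessions to `port` that ended with action="timeout" within
    max_duration seconds, keyed by (srcip, dstip, policyid)."""
    hits = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "traffic" or f.get("dstport") != port:
            continue
        if f.get("action") != "timeout" or not f.get("duration", "").isdigit():
            continue
        if int(f["duration"]) <= max_duration:  # assumed threshold, tune per site
            hits[(f.get("srcip"), f.get("dstip"), f.get("policyid"))] += 1
    return hits

# Constructed sample lines, shortened from the entry in the post (same placeholder IPs).
BASE = ('date=2020-01-18 time={t} devname="FG500D" type="traffic" subtype="forward" '
        'srcip=5.6.7.8 srcintf="ssl.root" dstip=1.2.3.5 dstport={p} proto=6 '
        'action="{a}" user="me" policyid=1000 service="RDP" duration={d}')
SAMPLE = [
    BASE.format(t="21:42:53", p=3389, a="timeout", d=1),
    BASE.format(t="21:43:20", p=3389, a="timeout", d=3),
    BASE.format(t="21:50:02", p=3389, a="close", d=1840),   # normal session
    BASE.format(t="21:51:10", p=443, a="timeout", d=2),     # not the RDP port
]

if __name__ == "__main__":
    for key, n in short_rdp_timeouts(SAMPLE).items():
        print(key, n)
```

Running the same count over logs from before and after the upgrade shows whether short-lived RDP timeouts cluster on one policy or source interface.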
    kd007
    Re: FortiOS 6.0.8 Is Out 2020/01/23 11:03:06 (permalink)
    We haven't solved this yet; but interestingly enough a new bug popped up with the recent release of v6.0.9:

    SSL VPN

    Bug ID | Description
    582265 | RDP sessions terminate (disconnect) unexpectedly.
     
    Our issue happens with any connection and not just VPN but I have a feeling that it is related.
    #6
    Toshi Esumi
    Re: FortiOS 6.0.8 Is Out 2020/01/28 09:51:18 (permalink)
    You should open a case with TAC if you haven't done so yet. We did that and have had two co-op debugging sessions so far with TAC and our customer, who is experiencing RDP drops relatively consistently, if not always, via SSL VPN. We just upgraded the SSL VPN server FG1500D to 6.0.8 without checking this thread (too late). TAC suspects our case is the same as the one with the bug ID. We're now waiting for their outcome after analyzing the log data captured through the tests.
    #7
    Toshi Esumi
    Re: FortiOS 6.0.8 Is Out 2020/01/28 16:29:04 (permalink)
    TAC identified our symptom as the same as the bug report. What TAC explained to us is that when authd handles a timeout event related to the host, but unrelated to RDP, it unexpectedly drops sessions with the host, in our case the RDP process.
    This customer uses LDAP authentication for SSL VPN and FSSO as well. So the event to authd can be related to either of them. And there is no workaround. And the fix will be implemented with 6.0.10.
    Since 6.0.9 just came out last week, I would guess the next version would be out in early March.
    #8