Known issues

This section lists the known issues in the FortiDDoS-F 6.5.1 release. For inquiries about particular bugs, please contact Fortinet Customer Service & Support.

Bug ID

Description

0668077 External Authentication for LDAP and TACACS+ does not support 2-Factor Authentication.

0780476 In HA pairs, if a Primary system SPP is factory reset, the Secondary may not (reboot and) sync immediately.
0779671 HA Secondary systems may not display event logs for local events, such as logins. These can be recovered using the CLI command execute recover-eventlog.
0693789 When FDD-VM is operating on a virtual machine with underlying hardware supporting SR-IOV, disabling ports leads to unexpected results.

0678445 Purging a large number of ACLs from an SPP can take more than 30 seconds with no progress indication.

0686846 Online SCEP Enrollment Method of Certificate generation fails.

0638555 Multiple Queries in a single TCP DNS session (SourceIP:Port-DestinationIP:53) are allowed to exceed TCP DNS Thresholds. Fortinet's experience is that this is a very rare possibility. As a workaround, setting DNS Anomaly Feature Controls: Query Anomaly: QDCount not One in Query will drop these Queries as anomalies.

0714534 When setting the Private Key and Certificate from the CLI, the event log creates a blank message. Use the GUI instead.
0750762 FortiDDoS VMs support 1024 URL Hash Indexes while others support 64,000. This is by design.
0801480 When a new SPP is created and immediately sees traffic, it may take 10 minutes (2x 5-minute cycles) before drops and other information are shown. This is architectural and will not be changed.

0849925 IDN entries (for example 한국.korea-fortiddos.com) will not work in DNS Profile Regex entries. This is a limitation of Regex.
0846411 During DNS Profile FQDN List add/delete operations, normally blocked FQDNs will be allowed to pass while the list is recompiled. This may take 1-5 seconds.
0853572 Login users with no local username but valid username/password credentials (RADIUS, LDAP, TACACS+) are allowed access to the GUI but have no permissions to read or write information. CLI users for the same condition are denied access.
0882029 Release 6.5.0 graphs do not correctly display Y-axis units. Instead of pps or bps rates, only 1,2,3, etc., are shown on the Y-axis. Tool tip information is correct. Fortinet is working with the graph code provider to correct this in a later release.
0847761 FortiDDoS-F FortiCare download folders include the RADIUS VSA "dictionary.fortinet" file. FortiDDoS-F does not currently support RADIUS VSAs.
0881178 When navigating graphs, the colors of some graphs may change between views. Graph accuracy is not affected. Graphs that may change colors are: Protocols; TCP and UDP Ports; ICMP Type/Code; HTTP graphs and DNS Response Code.

0868529 FortiView graphs remain formatted like previous releases.

0886708 Creating a local or emailed Report for Global ACLs results in an empty report.

0889213 In Asymmetric Mode, for SPPs that have primarily outbound connection originations like Firewalls, WiFi gateways, etc., where FortiDDoS may not see the outbound SYNs, the inbound Connections-per-Source Threshold is not set correctly and may silently drop connections.

Workaround: For SPPs described above, after setting System Recommended Thresholds, manually set the inbound Connections/Source Threshold to system maximum. This has no impact on DDoS mitigation for the SPP.

0905564 SSL/TLS Block Incomplete Request and HTTP Incomplete Request Action (drop or aggressive aging) occur when cookie sizes exceed the MTU, resulting in packets becoming segmented.
0904954 SPP ACLs cannot be re-ordered after saving.
0901956 Safari browser users may experience a display issue where the Dashboard > System Resources table is rotated by 90 degrees.
0886599 If the manual DNS Query Per Source threshold is set, over-threshold sources will be rate-limited even if the DNS Profile feature Block Identified Sources is not enabled.
0886261 TCP Profile Sequence Validation may be too strict, dropping legitimate HTTP traffic. We recommend disabling this feature in all TCP Profiles until a fix is found.
