Known issues
This section lists the known issues in the FortiDDoS-F 6.5.1 release. For inquiries about particular bugs, please contact Fortinet Customer Service & Support.
Bug ID | Description |
---|---|
0668077 | External Authentication for LDAP and TACACS+ does not support 2-Factor Authentication. |
0780476 | In HA pairs, if a Primary system SPP is factory reset, the Secondary may not (reboot and) sync immediately. |
0779671 | HA Secondary systems may not display event logs for local events, such as logins. These can be recovered using the CLI command execute recover-eventlog. |
0693789 | When FDD-VM is operating on a virtual machine with underlying hardware supporting SR-IOV, disabling ports leads to unexpected results. |
0678445 | Purging a large number of ACLs from an SPP can take more than 30 seconds with no progress indication. |
0686846 | Online SCEP Enrollment Method of Certificate generation fails. |
0638555 | Multiple Queries in a single TCP DNS session (SourceIP:Port-DestinationIP:53) are allowed to exceed TCP DNS Thresholds. Fortinet's experience is that this is a very rare possibility. As a workaround, setting DNS Anomaly Feature Controls: Query Anomaly: QDCount not One in Query will drop these Queries as anomalies. |
0714534 | If setting Private Key and Certificate from CLI, the event log creates a blank message. Use GUI. |
0750762 | FortiDDoS VMs support 1024 URL Hash Indexes while others support 64,000. This is by design. |
0801480 | When a new SPP is created and immediately sees traffic, it may take 10 minutes (2x 5-minute cycles) before drops and other information are shown. This is architectural and will not be changed. |
0849925 | IDN entries (for example 한국.korea-fortiddos.com) will not work in DNS Profile Regex entries. This is a limitation of Regex. |
0846411 | During DNS Profile FQDN List add/delete operations, normally blocked FQDNs will be allowed to pass while the list is recompiled. This may take 1-5 seconds. |
0853572 | Login users with no local username but valid username/password credentials (RADIUS, LDAP, TACACS+) are allowed access to the GUI but have no permissions to read or write information. CLI users for the same condition are denied access. |
0882029 | Release 6.5.0 graphs do not correctly display Y-axis units. Instead of pps or bps rates, only 1,2,3, etc., are shown on the Y-axis. Tool tip information is correct. Fortinet is working with the graph code provider to correct this in a later release. |
0847761 | FortiDDoS-F FortiCare download folders include the RADIUS VSA "dictionary.fortinet" file. FortiDDoS-F does not currently support RADIUS VSAs. |
0881178 | When navigating graphs, the colors of some graphs may change between views. Graph accuracy is not affected. Graphs that may change colors are: Protocols; TCP and UDP Ports; ICMP Type/Code; HTTP graphs and DNS Response Code. |
0868529 | FortiView graphs remain formatted like previous releases. |
0886708 | Creating a local or emailed Report for Global ACLs results in an empty report. |
0889213 | In Asymmetric Mode, for SPPs that have primarily outbound connection originations like Firewalls, WiFi gateways, etc., where FortiDDoS may not see the outbound SYNs, inbound Connections-per-Source Threshold is not set correctly and may silently drop connections. Workaround: For SPPs described above, after setting System Recommended Thresholds, manually set the inbound Connections/Source Threshold to system maximum. This has no impact on DDoS mitigation for the SPP. |
0905564 | SSL/TLS Block Incomplete Request and HTTP Incomplete Request Action (drop or aggressive aging) occur when cookie sizes exceed the MTU, resulting in packets becoming segmented. |
0904954 | SPP ACLs cannot be re-ordered after saving. |
0901956 | Safari browser users may experience a display issue where the Dashboard > System Resources table is rotated by 90 degrees. |
0886599 | If the manual DNS Query Per Source threshold is set, over-threshold sources will be rate-limited even if the DNS Profile feature Block Identified Sources is not enabled. |
0886261 | TCP Profile Sequence Validation may be too strict, dropping legitimate HTTP traffic. We recommend disabling this feature in all TCP Profiles until a fix is found. |