Resolved issues
The following issues have been fixed in FortiEDR. For inquires about a particular bug, please contact Customer Service & Support.
Threat Hunting Repository - Build 1000
|
Bug ID |
Description |
|---|---|
| N/A | Memory management enhancements. |
Threat Hunting Repository - Build 925
|
Bug ID |
Description |
|---|---|
| 835261 | Registration to Middleware causes index rollover even when there are no changes. |
|
835262 |
Add Maintenance Controller to Middleware. |
|
835263 |
Support schema update when the version is different (not just higher). |
Threat Hunting Repository - Build 902
|
Bug ID |
Description |
|---|---|
| 816698 | "All Activity" counter is calculated incorrectly in dual data source environments in threat hunting page. |
|
819555 |
Adding "action.auto_create_index" to cluster settings causes reindex to stop working. |
Threat Hunting Repository - Build 677
|
Bug ID |
Description |
|---|---|
| 805997 | Degraded Core and disconnected Repository status due to wrong Middleware health check. |
|
793042 |
Loading Data Failed error on the threat hunting page following creation of a new organization. |
Threat Hunting Repository - Build 556
|
Bug ID |
Description |
|---|---|
|
790224 |
Deleting an organization in environments that were upgraded from build 5.0.2 deletes all threat hunting data. |
Threat Hunting Repository - Build 554
|
Bug ID |
Description |
|---|---|
|
789045 |
Threat hunting middleware upgrade from v5.0.2 to v5.0.3 fails due to incorrect storage validation. |
|
772481 |
Fix Middleware performance issues. |
Threat Hunting Repository - Build 477
|
Bug ID |
Description |
|---|---|
|
771161 |
A very slow restart of an environment with many organizations due to slow Threat Hunting Repository registration. |
|
771479 771568 |
Reduce the number of indexes by not including empty ones and by deleting indexes before limits are reached. |
Threat Hunting Repository - Build 449
|
Bug ID |
Description |
|---|---|
|
767855 |
Despite the non-exploitable nature of CVE-2021-44228 in FortiEDR Threat Hunting Repository, adjusted the Repository configuration for enhanced security against this vulnerability. |
Threat Hunting Repository - Build 323
|
Bug ID |
Description |
|---|---|
|
751618 |
Addressed malfunction in Organization creation triggered by wrong calculation of storage in longevity scenarios. |
Core - Build 968
|
Bug ID |
Description |
|---|---|
|
860943 863339 864542 |
A rare case of Core crash. |
Core - Build 953
|
Bug ID |
Description |
|---|---|
|
820151 |
Case of Core attempting to archive EDRv2 Database. |
|
814548ֿ 823885 |
Unable to export cloud core logs in Central Manager. |
|
845305 |
Prevent unnecessary creation of silent events. |
Core - Build 733
|
Bug ID |
Description |
|---|---|
|
807434 791308 |
Applications are not populating on Communication Control page. |
Core - Build 724
|
Bug ID |
Description |
|---|---|
|
800341 798975 802134 |
Core cannot handle bursts of threat hunting events and getting reputation updates. |
Core - Build 707
|
Bug ID |
Description |
|---|---|
|
754022 |
Collectors become autonomous and threat hunting data is not refreshing due to Core synchronization issue. |
|
791308 |
Communication control applications are not updated on manager. |
Core - Build 701
|
Bug ID |
Description |
|---|---|
|
795085 793287 |
Reduce events load on manager by improving Common Control events aggregation. |
|
756440 767740 |
Core is sometimes degraded following environment upgrade from v4. |
|
771542 770633 773946 771840 |
Core that was set to be Jumpbox only is reported as degraded. |
| 775334 | Improved security of Core / Manager registration process. |
Core - Build 413
|
Bug ID |
Description |
|---|---|
| 754022 | Threat hunting data is not refreshing when the Core machine is running with 8 CPUs. |
| 744665 | Allow setting a more specific Exception on network scan tool based on remote operation stack. |
Core - Build 334
|
Bug ID |
Description |
|---|---|
| 739881 | Allow setting more granular exceptions on scripts. |
| 734727 | Communication Control application usage is not being populated. |
| 746785 | Core crashes when trying to read old event file. |
| 732769 | Core crashes following an upgrade. |
| 734587 | High CPU due to deadlock related to threat hunting data memory corruption. |
| 733436 | Core logs cannot be exported from UI. |
| 741886 | Cannot set an exception on malicious process parent. |
| 745165 | Missing parent on suspicious script alert. |
Central Manager - Build 876
|
Bug ID |
Description |
|---|---|
|
879182 891184 |
Executive summary report contains only EDRV1 repositories. |
|
890853 895263 |
A case of high memory usage. |
|
894944 887212 |
A case of high CPU load. |
Central Manager - Build 873
|
Bug ID |
Description |
|---|---|
|
875608 876345 |
Address issue with Rest API token expiry. |
|
875593 876337 |
Address issue with Rest API login hardening. |
|
861482 865823 867906 |
Java libraries update. |
|
875191 882944 878528 881876 841444 845306 868579 |
Console slowness related to redundant classification history. |
|
866109 869781 |
A case of covering query discrepancy. |
|
875191 881589 |
Improve internal resource management for Communication Control. |
Central Manager - Build 860
|
Bug ID |
Description |
|---|---|
|
865964 870383 |
Event search by agent name works slower than expected. |
|
843211 860220 870257 |
A case of Collector registration identification issue causing duplication. |
|
865696 868257 872737 |
Syslog messages stopped after a network failure. |
Central Manager - Build 853
|
Bug ID |
Description |
|---|---|
|
852093 860367 |
A case of empty user name entries in Audit Logs for Communication Control. |
|
856319 863114 858986 |
Registration failure when using an invalid ID. |
|
863631 867904 |
Memory optimization when loading event aggregations. |
|
848664 859592 |
IOT Device Discovery collector group exclusion not retaining settings. |
|
863850 868255 |
A rare case where a Collector is not successfully deleted, causing a configuration issue. |
|
868032 868583 |
Agents are running in autonomous mode due to configuration issue . |
|
852083 864558 |
A case of periodic scan indication discrepancy. |
|
860086 859455 860760 |
A case of failure to run Collectors report. |
|
861875 |
Upgrade step failure. |
|
840847 |
Change registration of VDI Collectors to be based on the vdi hostname. |
|
858971 |
Audit error when moving a Collector to an expired group. |
|
857296 |
Optimistic locking during security events handling. |
|
861510 |
A case of failure to retrieve data when non-UTF-8 characters exist. |
Central Manager - Build 844
|
Bug ID |
Description |
|---|---|
|
835075 |
Occurrence of events ״handled by״ username display issue. |
| 835446 | LDAP connection periodic warning. |
| 838183 | Dashboard security events and Event Viewer do not show exactly the same list of unhandled processes/events. |
|
843211 |
A rare issue with registering a Collector. |
|
844232 |
An issue with selecting all groups on assigning security policies. |
|
845307 |
Offloading load from the Central Manager. |
|
845384 |
"When created by" field in exception is inactive. |
|
849357 |
Issue of moving expired Collectors between groups/organizations. |
|
851572 |
Improve logs in applications learning flow. |
| 852990 | Display issue of Collectors that were moved from one tenant to another. |
|
853784 |
Disable AV signatures in Nginx. |
|
856319 |
A case of registration failure. |
|
856933 |
A case of rollback during handling of search requests. |
|
856942 |
Failure in deleting an empty Collector group. |
|
857296 |
Optimistic locking during security events handling |
|
858559 |
A case where a wrong OS family value leads to rollbacks. |
|
820239 830411 |
Case of management remediation action mapped to wrong RDI. |
|
822053 842231 |
Java permission error when viewing security events. |
|
833313 838895 |
Rare failure in generating Collectors report. |
|
844288 841058 |
Covering query performance improvement. |
|
854247 849898 |
A case of degraded status in macOS Collector. |
|
853336 842755 850671 |
Failure in opening specific events in the Forensics tab. |
|
847528 848524 843608 848358 854262 |
An issue with parent process resulting in uncovered RDI. |
Central Manager - Build 834
|
Bug ID |
Description |
|---|---|
|
839641 834706 |
Exception covering query miscalculation when using parent process. |
|
839917 |
Case of FortiEDR Aggregator sporadically disconnection. |
| 835764 | Case of REST list-raw-data-items call failure. |
|
835446 |
LDAP connection periodic warning. |
| 845307 | Offloading load from the Manager by dropping suppressed events . |
|
844125 |
Optimization during security events and IoT deep scans. |
|
842870 |
Log JSON content in case invalid event is received. |
|
846974 |
Rare case of some syslog massages that are not received. |
Central Manager - Build 828
|
Bug ID |
Description |
|---|---|
| 839641 | Irrelevant exceptions are listed under different RDIs. |
|
839244 839917 |
Sporadically disconnected Connectors related to failure to get configuration. |
| 839748 | Exception covering query discrepancy when an event's process is missing. |
|
824323 820132 |
Exception covering query discrepancy in a case where Collector was removed. |
| 840456 | Improve performance of list-events Rest API. |
Central Manager - Build 827
|
Bug ID |
Description |
|---|---|
|
810081 810168 828134 |
Covering Query discrepancy when selecting parent process. |
| 831565 | Failure in get-events API, related to settings of events reduction mechanism. |
| 809270 | Organization expiration date is saved with an earlier than defined date. |
| 816402 | Covering query discrepancy when comparing parent process. |
| 821466 | Covering query discrepancy when event's process is missing. |
| 831124 | Events search is slow. |
| 835213 | Failure to login with 2 Factor Authentication after upgrade. |
|
835821 837985 |
Slowness and Console freeze related to IOT deadlock. |
| 837807 | Management deadlock during simultaneous collector delete and application learning from this collector. |
| 834581 | No applications learned when Collector moved from main account to new organization. |
| 822075 | Fixed issues of Aggregator registration. |
|
829534 832527 |
Hardening – limit exposure of internal services. |
|
836020 |
Upgrading to version 5.0.3.823 fails. |
|
834341 |
Resolved logic of same IP appearing in both "Included" and Excluded" in "Internal Destinations". |
Central Manager - Build 823
|
Bug ID |
Description |
|---|---|
|
826090 829671 831565 824442 |
Change settings of events reduction mechanism. |
| 831425 | Fixed Unhandled filter in Hoster view. |
| 830935 | A case when Event Viewer displays errors related to Database. |
| 828322 | Manager crash related to a case of over 100K applications when searching apps with no vendor selected. |
|
819083 |
Repeating system events on a migrated Collector that failed to register in the destination environment. |
|
816887 |
Event wrongly shown as covered by exception due to miscalculation related to User field. |
|
783936 832527 |
Hardening of interfaces. |
|
814217 |
Exception covering query "Listen on Port Attempt" causing exception to be shown as fully covered when it's actually partially covered. |
|
829902 |
Custom Connectors: new action cannot be added. |
|
819950 |
Playbook is now included in default Organization import/export. |
|
825264 |
Classification rules are not updated when content is uploaded unless a Management restart is performed, which might cause an exception on later content updates. |
|
831723 |
Custom Collector installer: add text for explaining limitations on supported collector versions for PVS. |
Central Manager - Build 815
|
Bug ID |
Description |
|---|---|
| 827768 | Cannot create an exception on 5.0.3.811 build due to incorrect restriction for old Collectors. |
|
825077 816863 |
Slow console due to Exception Covering Query calculation. |
|
814217 |
Exception Covering Query "Listen on Port Attempt" causing partially-covered exceptions to be shown as fully covered. |
|
827999 |
Login failure with LDAP user after restarting of management server. |
Central Manager - Build 811
|
Bug ID |
Description |
|---|---|
|
819783 |
Accommodate Microsoft SCCM’s default behavior with Powershell scripts within FortiEDR Security Policies. |
|
819076 819073 |
Fixed Aggregator OOM case. |
| 816584 | Unhandled event does not populate under Unhandled filter. |
| 817636 | Fixed Aggregator registration failure edge case. |
|
816887 761953 793155 796235 |
Fixed Exception Covering Query indication. |
| 806614 | Fixed Hoster view of Unmanaged devices to display all. |
| 806578 | Fixed user password reset failure edge case. |
| 811066 | Core degraded due to wrong configuration related to XDR policy. |
| 802617 | Fixed Automatic Collectors Update when core is updated. |
| 803646 | Fixed moving only selected Collectors from search results to another Collector group. |
|
801620 817661 816437 |
Fixed Collector degradation issue due to missing configuration. |
| 800949 | Fixed degraded Collector case when configuration uses wildcard characters on exclusion path. |
| 787991 | Fixed login session timeout configuration. |
| 796874 | Fixed security events not showing on Manager due to connection restore. |
| 790839 |
REST API method unable to retrieve list of collectors that are in running state within a time range. |
|
771167 791770 792560 |
Fixed inaccurate CVE data presentation for application. |
| 784040 | Fixed incorrect number of events showing in Forensics tab. |
| 798467 | Fixed deleting applications failure due to access prevention. |
| 761756 | Removed Communication Control error indication due to 1k applications limit in old Collector. |
| 822075 | Fixed existing external Aggregator registration failure on upgrade. |
|
814294 800046 |
Fixed internal error when enriching Communication Control application triggered from many collectors. |
| 785521 | Fixed EDRV2 showing as degraded in the dashboard. |
Central Manager - Build 684
|
Bug ID |
Description |
|---|---|
|
819728 822280 |
Manager out-of-memory failure. |
| 811066 | Exception covering discrepancy when using process script. |
|
813470 |
Communication Control Application not shown due to missing details when deleting an agent group. |
|
814292 |
Slow loading of Security Events screen with Unhandled filter. |
|
817496 |
Enhanced response time of search on Communication Control Applications page. |
Central Manager - Build 678
|
Bug ID |
Description |
|---|---|
|
809972 |
Manager crashes when many connector actions take place at once. |
| 811066 | Core becomes degraded when XDR policies are cloned. |
|
812774 784287 |
Hardening related to Fortinet Fabric connectors and port configuration. |
Central Manager - Build 672
|
Bug ID |
Description |
|---|---|
|
797173 804704 |
Improved handling of syslog failures. |
| 803035 | Events search is very slow. |
| 808059 | Cores become degraded once XDR policy is cloned. |
| 810010 | VDI registration fails when VDI groupName is updated. |
| 810825 | VDI registration of an existing VDI should not overide existing group. |
| 785976 | Exception Excel report cannot be exported for more than 200 records. |
| 799281 | Threat hunting query do not auto complete MITRE field values. |
| 794021 | FP on new FortiClient. |
Central Manager - Build 576
|
Bug ID |
Description |
|---|---|
|
778909 779480 763962 763598 786650 778039 748220 761303 779000 |
Security events' emails are not sent or are sent with a delay. |
|
786047 784055 |
Failure sending emails when configured to work with Office365 with TLS. |
|
779000 763598 |
Security events' syslog messages are not being sent. |
| 781326 | Manager slowness and rejection of Collectors registrations. |
| 791456 | License seats miscalculation. |
| 775507 | Cannot extract system logs due to operation timeout. |
|
792971 766168 |
Collectors displayed as disconnected due to stas task slowing down manager. |
| 782891 | Missing data in the exported report of communicating applications when selecting all filtered applications checkbox. |
| 781514 | Organization import fails when done from an organization with no threat hunting to an environment with threat hunting license. |
| 788961 | Organization import fails due to old audit log items. |
| 787779 | Exception does not show as covering when specific destinations are selected. |
| 785521 | Collector is not assigned to a group and leads to dashboard/Inventory UI and reports showing inconsistent data. |
| 777140 | A deleted Collector fails to re-register and remains degraded with no configuration. |
| 789227 | Raw data items paging always switches back to first page upon Exception setting or editing. |
|
773097 794427 |
Ad-hoc scan cannot be performed for selected Collectors. |
|
778863 780549 794512 |
Delayed or missing configuration leads to degraded Core and/or Collectors that do not switch in time to simulation. |
| 802832 | Bad threat hunting and communication control events handling due to Jumpbox being marked as Core and sent in Collectors configuration by mistake. |
| 795436 | Aggregator OOM on environments with many Cores. |
| 799603 | Collectors become degraded following an organization migration. |
| 795886 | Central Manager performance degradation due to an inefficient handling of application CVE data. |
| 795885 | IoT partial data due to missing deep scans in build 556. |
Central Manager - Build 553
|
Bug ID |
Description |
|---|---|
| 758297 | When logged in with Admin MSSP, user data from the default organization is sometimes displayed rather than the selected organization data. |
| 766546 | All Collectors become degraded when the agent configuration is stuck. |
|
768709 |
Failure in creating, deleting, or editing organizations due to Threat Hunting Repository allocations. |
|
766464 |
Drilling down from Forensics to Threat Hunting by PID doesn't always yield results. |
|
773916 |
Duplicate users columns in Events Excel report. |
|
734309 |
AV Scan of specific Collectors/Collector Groups is not working. |
|
763047 |
Security events are repeatedly reclassified after being handled. |
|
774937 |
LDAP authentication failures. |
|
769332 |
Inaccurate tooltip for process path in the Exception window. |
|
744741 |
Exporting a large number of Events to Excel is stuck. |
|
770568 |
Exceptions with URL are sometimes not sent to Collectors. |
|
773398 |
Creating Exception fails with "System Busy" Error on UI. |
|
766103 |
Custom integration script is populated with the wrong device IP. |
|
770843 |
Incorrect hash value is displayed for an event. |
|
776704 |
Rest API Collector sorting by lastSeenTime does not work as expected. |
|
749213 |
Events RDI paging button doesn't work. |
|
784379 |
Not all users are populated in the Exception window. |
|
784726 |
VDI device registration doesn't work well when device ID is considered. |
|
784190 |
Error while filtering Communication Control events. |
|
783277 |
Collectors degraded due to an error in the configuration related to communication control decision. |
|
778016 |
Cannot list events when there is a large number of RDIs. |
|
771428 |
Errors in FCS response is causing delays in Collectors registration. |
|
749768 |
Target executable for Library Load events cannot be queried. |
|
775334 |
Improved security of Core / Collectors registration process |
Central Manager- Build 506
|
Bug ID |
Description |
|---|---|
|
768571 |
The Central Manager is slow to respond following playbook actions of device isolation due to a redundant full configuration. |
|
770042 |
Threat hunting export logs show inconsistent results. |
|
768182 |
High CPU on the Central Manager server due to deadlock with handling IOT devices responses. |
|
762666 |
Central Manager UI crashes when trying to load events with a long reclassification history. |
|
770887 |
OOTB connectors actions do not work with shared cores that serve as Jump Box. |
|
774253 |
SQL error displayed on Events page. |
|
761963 |
Exceptions are loaded very slowly on UI. |
|
772545 |
Internal DB failure when deleting applications. |
|
769232 766168 |
Collector registration fails when it is allocated with the same ID of a deleted Collector. |
|
769854 |
Central Manager is inaccessible when running full configuration in an environment with lots of exceptions. |
|
763127 |
IoT license seat calculation is wrong. |
|
760023 |
IoT changes in settings such as auto-grouping cannot be saved. |
|
772501 767850 766885 |
Slow free-text search on the Events page. |
|
730826 |
Setting a vendor as allowed on a Communication Control Policy does not propagate to application and version. Hence the application is still blocked. |
|
773436 770200 |
MITRE tag links do not work for part of the rules. |
|
769249 773049 |
Expired Collectors are not properly calculated so no proper message is displayed on the Licensing page, and the corresponding system events are not being sent. |
|
772081 |
Failure starting manager when LDAP configuration has spaces due to missing escaping. |
|
770756 |
Low disk space alerts since Aggregator holds references to deleted configurations. |
|
771428 |
NPE during the processing of FCS response is causing delays in Collectors registration. |
|
757709 |
Managed devices with multiple mac addresses are wrongly displayed as unmanaged devices. |
|
773051 |
Repeating system events on a migrated Collector that failed to register in the destination environment. |
|
771484 |
Collectors in degraded on and upgraded environment with isolated Collectors. |
Central Manager - Build 448
|
Bug ID |
Description |
|---|---|
|
767494 766484 760266 765038 766707 762466 |
Collectors or Cores become disconnected/degraded due to failure in creating full configuration. |
| 768508 | Full configuration fails on an environment with thousands of security rules. |
| 764440 | When using an MSSP hoster view, the total number of Collectors on the Inventory tab is displayed for the wrong, non-selected, account. |
| 762466 | Improve events learning efficiency by removing an unnecessary global update. |
| 766168 | New VDI Collector is registered but stays as disconnected. |
Central Manager - Build 418
|
Bug ID |
Description |
|---|---|
|
741154 |
Collectors failed to register with the Central Manager. |
|
744863 |
Events are triggered even when there is Exception that is using IP Set. |
|
752314 |
Aggregator malfunction due to load of Events. |
|
753159 |
Communication Control tab is slow. |
|
741148 |
Cannot set Exception on Listen events due to missing IP. |
|
746463 |
Email notifications arrive with delay. |
|
752710 |
Playbook failed to trigger when “Move to High Security Group” is selected. |
|
742699 |
Error when creating communication control policy rule with many vendors. |
|
754817 754457 757020 746464 749050 |
Central Manager general slowness. |
|
742403 742404
|
Collectors displayed as disconnected on Central Manager although they are running. |
|
732242 |
IOT devices are not discovered across multiple subnets . |
|
748696 |
Events advanced search window opens up very slowly. |
|
741155 |
Manager fails to start due to incorrect LDAP/SAML settings . |
|
743387 |
Failed deleting a security event in an environment with many events. |
|
753598 |
LDAP configuration cannot be saved when done with Local Admin permissions. |
|
753598 |
LDAP configuration cannot be saved when done with Local Admin permissions. |
|
748792 753161 |
Pivoting from Forensics to Threat Hunting using PID yields empty results. |
|
743881 |
Cannot run a file scan if there are more than 20K Collectors in the specified Collector group . |
|
734622 |
Failed to export Exceptions report . |
Central Manager - Build 264
|
Bug ID |
Description |
|---|---|
|
732901 |
Installations of on-premises Threat Hunting repository is not supported. |
|
733536 |
IOT allow option to ignore external IP when looking for managed devices. |
|
732805 |
Network discovery wrongly marks devices with existing Collectors as unmanaged devices and makes duplications of IOT devices. |
|
732834 |
IOT scan cannot be configured to be performed from a Windows server. |
|
732723 |
Deleting Collectors and tenants can take a very long time. |
|
732722 |
Search for Collectors last seen on Inventory works well only for part of the Collector Groups. |
|
732756 |
Export Collectors from Inventory is not working when done on search results. |
|
732838 |
Request Collectors installers group dropdown is empty when there are more than 100 groups in the environment. |
|
732885 |
XDR events falsely trigger also for Collector Groups that are not assigned to the XDR policy (group assignment is ignored). |