
FortiGate-6000 Release Notes


Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.2.4 Build 1116. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.2.4 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.2.4 Build 1116.

Bug ID           Description

479303           VLAN interface status monitoring using the config system ha-monitor command does not work.

600879           Firewall policy packet capturing, turned on by enabling capture in a firewall policy, does not work.

603601           Cisco ACI SDN connector traffic uses a data interface instead of a management interface.

606529           The FortiGate-6000 and 7000 are not compatible with FortiNAC.

608729           IPsec phase 2 auto-negotiation does not work with VPN load balancing.

612622           SSL sessions to FortiSandbox are not initiated when a source-ip is set.

613139           DNS request logs may contain incorrect source IP addresses.

613617           The source-ip setting for FortiGuard, FortiSandbox, and other services may not work as expected. When a source-ip is configured, only the FortiGate-6000 management board or the FortiGate-7000 primary FIM can connect to the service. Services that only require management board or primary FIM connections operate as expected. However, many services also require the FPCs or FPMs to connect to the service, and in these cases setting a source-ip prevents the FPCs and FPMs from connecting.

                 For example, when you set a source-ip using the following command, only the management board or primary FIM can contact FortiGuard for updates.

                 config system fortiguard
                     set source-ip <ip-address>
                 end

624678           SSL VPN web mode RDP traffic is not load balanced to FPCs or FPMs.

627903, 605065   You cannot set a management interface LAG as the SLBC management interface by adding it to the slbc-mgmt-intf option of the config load-balance setting command.

632954           In a FortiGate-6000 or 7000 HA configuration, if you configure a VLAN interface to be the system management interface, you cannot connect to individual FPMs or FPCs on the secondary FortiGate-6000 or 7000 using the special management port numbers.

632961           In a FortiGate-7000 HA configuration, the secondary FortiGate-7000 cannot synchronize with the primary FortiGate-7000 after loading a configuration file that contains an external Security Fabric configuration.

635442           SDN connector dynamic addresses are not synchronized between the FortiGate-6000s or 7000s in an FGCP HA cluster.

635310           VLAN interfaces added to accelerated npu_vdom link interfaces cannot pass traffic.

635591           The reportd process may consume excessive amounts of CPU time.

640520           The diagnose wad session command is not available.

643032           In an HA configuration, the secondary FortiGate-6000 or 7000 may incorrectly generate event log messages similar to: Files were dropped by quard to FortiSandbox: 0 reached max retries.

649682           In some cases, in FortiGate-6000 HA clusters with large configurations, the secondary FortiGate-6000 may not be able to synchronize with the primary FortiGate-6000. To work around this issue, remove the secondary FortiGate-6000 from the cluster, reset it to factory defaults, and then restore its configuration using a backed-up configuration file from the primary FortiGate-6000.

650894           The FortiManager IPsec Tunnel monitor may incorrectly show that FortiGate-6000 IPsec tunnels are down.

651743           IPsec SAs are not synchronized between cluster units in FGCP HA clusters.

652777           Because of an issue with how IPsec sessions are handled, the same session may incorrectly carry both the synced and nosyn_ses flags.

653636           Some of the interfaces in a FortiGate-7000 cross-FIM LAG remain in the negotiating state instead of switching to the established state. You can work around this problem by using the fnsysctl ifconfig <interface> {down | up} command to bring the problematic LAG members down and then back up.

654420           In an HA configuration, the secondary FortiGate-6000 or 7000 may record the following critical event log: Scanunit initiated a virus engine/definitions update.

664898           Because DoS policy thresholds are applied per-FPC or per-FPM, when a DoS attack is detected and blocked the FortiGate-6000 or 7000 does not create an anomaly log message or quarantine the source of the attack.
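Bugs 612622 and 613617 both mean that any source-ip pinned on a FortiGuard, FortiSandbox or similar service leaves the FPCs and FPMs unable to reach that service. The following script is an added example, not Fortinet code: it walks the nested config / edit / end / next structure of a FortiOS configuration backup and reports every effective set source-ip with its full config path, so these settings can be found before a backup is restored to a FortiGate-6000 or 7000. The sample configuration embedded at the bottom is constructed for the example; the section names it uses (system fortiguard, system fortisandbox, log syslogd setting, system ntp) are standard FortiOS config paths, and the treatment of 0.0.0.0 as "not set" is an assumption of this script.

```python
"""Audit a FortiOS configuration backup for source-ip settings.

Added example, not Fortinet code. FortiOS config files nest
``config <path>`` / ``edit <name>`` blocks closed by ``end`` / ``next``;
this walker tracks that nesting and reports every ``set source-ip`` with
its full path, so the settings affected by bugs 612622 and 613617 can be
found before a config is pushed to a FortiGate-6000 or 7000.
"""
import re

# Services the release notes name explicitly; other sections that carry a
# source-ip are still reported, because the notes say "other services" too.
NAMED_SECTIONS = {"system fortiguard", "system fortisandbox"}

# Assumption: 0.0.0.0 (IPv4) and :: (IPv6) mean "no source-ip configured".
UNSET_VALUES = {"0.0.0.0", "::"}

_SET_SOURCE_IP = re.compile(r'^set\s+source-ip6?\s+"?([0-9A-Fa-f.:]+)"?\s*$')


def find_source_ips(config_text):
    """Return [(config_path, ip), ...] for every effective source-ip setting."""
    stack = []      # current nesting, e.g. ["vdom", "edit root", "system fortiguard"]
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line.startswith("edit "):
            stack.append("edit " + line[len("edit "):].strip().strip('"'))
        elif line in ("next", "end"):
            if stack:
                stack.pop()     # both keywords close the innermost open block
        else:
            m = _SET_SOURCE_IP.match(line)
            if m and m.group(1) not in UNSET_VALUES:
                findings.append((" / ".join(stack), m.group(1)))
    return findings


def audit(config_text):
    """Human-readable report lines; NAMED marks sections the notes call out."""
    report = []
    for path, ip in find_source_ips(config_text):
        # Drop any "vdom / edit <name>" prefix so the service section matches
        # regardless of which VDOM it lives in.
        section = path.split(" / ")[-1]
        tag = "NAMED" if section in NAMED_SECTIONS else "OTHER"
        report.append(f"{tag:5} {path}: source-ip {ip}")
    return report


# Constructed sample config (not from a real device): three services pinned to
# a management IP, plus one section with the source-ip explicitly unset.
SAMPLE_CONFIG = """\
config system fortiguard
    set source-ip 10.1.1.5
end
config system fortisandbox
    set status enable
    set server "10.1.1.20"
    set source-ip 10.1.1.5
end
config log syslogd setting
    set status enable
    set server "10.1.1.30"
    set source-ip 10.1.1.5
end
config system ntp
    set ntpsync enable
    set source-ip 0.0.0.0
end
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run it against a backup taken with execute backup config before restoring to the chassis; every NAMED line is a setting the release notes say will cut the FPCs and FPMs off from that service, and every OTHER line deserves a check against the "other services" wording of bug 613617.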
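Bugs 643032 and 654420 both cause the secondary unit of an HA cluster to emit event logs that do not reflect anything it actually did, which pollutes SIEM alerting on FortiSandbox delivery failures and AV engine updates. The script below is an added example, not Fortinet code: it parses FortiOS key=value log lines, matches the two messages quoted in this table, and suppresses them only when they come from a secondary unit, keeping the same message from the primary because the release notes only call the secondary's copies incorrect. It assumes the SIEM sees the raw syslog lines and that the operator supplies the serial numbers (devid field) of the secondary units; the serials and log lines embedded below are constructed placeholders.

```python
"""Triage FortiOS event logs for known spurious messages on the secondary
unit of a FortiGate-6000/7000 FGCP cluster (bugs 643032 and 654420).

Added example, not Fortinet code. It assumes the SIEM receives the raw
key=value syslog lines and that the operator supplies the serial numbers
(devid field) of the secondary units; the serials used below are
constructed placeholders.
"""
import re

# Messages the release notes say the secondary may log incorrectly.
KNOWN_SPURIOUS = {
    "643032": re.compile(r"Files were dropped by quard to FortiSandbox: \d+ reached max retries"),
    "654420": re.compile(r"Scanunit initiated a virus engine/definitions update"),
}

# FortiOS log fields are key=value pairs; string values are double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def classify(record, secondary_devids):
    """Return (action, bug_id). Only the secondary's copies are suppressed;
    the same message from the primary is a real event and is kept."""
    msg = record.get("msg", "")
    for bug_id, pattern in KNOWN_SPURIOUS.items():
        if pattern.search(msg):
            if record.get("devid") in secondary_devids:
                return "suppress", bug_id
            return "keep", bug_id
    return "keep", None


def triage(lines, secondary_devids):
    """Classify every log line; returns [(action, bug_id, record), ...]."""
    out = []
    for line in lines:
        rec = parse_fortios_log(line)
        action, bug_id = classify(rec, secondary_devids)
        out.append((action, bug_id, rec))
    return out


# Constructed placeholders (not real serial numbers).
SECONDARY_DEVIDS = {"SECONDARY-SN-0001"}

# Constructed sample lines modelled on the FortiOS event log format.
SAMPLE_LOGS = [
    'date=2020-07-01 time=10:00:01 devname="fg6k-b" devid="SECONDARY-SN-0001" type="event" subtype="system" level="warning" vd="root" msg="Files were dropped by quard to FortiSandbox: 0 reached max retries"',
    'date=2020-07-01 time=10:05:12 devname="fg6k-b" devid="SECONDARY-SN-0001" type="event" subtype="system" level="critical" vd="root" msg="Scanunit initiated a virus engine/definitions update"',
    'date=2020-07-01 time=10:05:13 devname="fg6k-a" devid="PRIMARY-SN-0001" type="event" subtype="system" level="critical" vd="root" msg="Scanunit initiated a virus engine/definitions update"',
    'date=2020-07-01 time=10:07:40 devname="fg6k-b" devid="SECONDARY-SN-0001" type="event" subtype="system" level="notice" vd="root" msg="Configuration backup completed"',
]

if __name__ == "__main__":
    for action, bug_id, rec in triage(SAMPLE_LOGS, SECONDARY_DEVIDS):
        print(f"{action:8} bug={bug_id or '-':6} {rec['devname']}: {rec['msg']}")
```

Keep the suppression keyed on devid rather than devname: after a failover the roles swap but the serial numbers do not, so the operator-maintained set of secondary serials has to be updated when the cluster's primary changes, and matching on a hostname that follows the role would silently suppress real events from the new primary.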
