FortiGate-7000 Release Notes

Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.0.8 Build 6599. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID

Description

546794

An RSSO user may not be de-authenticated from the management board when the system administrator de-authenticates the user from the GUI.

586984

HA heartbeat communication may not work with some Cisco ACI switches using QnQ if the switch requires the inner tag to use Ethertype 0x8100.

592170

In a FortiGate-6000 or 7000 HA cluster, if both devices in the cluster are configured with the same chassis ID, the device with the lowest serial number will be shut down. For more information, see Resolving HA cluster chassis ID conflicts.

594548

Some GUI pages that should have a large number of entries, for example the IPv4 firewall policy page, may not be able to successfully display some or all data or may display error messages.

595851

An LDAP user session may have different expiry times on different FPCs or FPMs.

596347

FSSO users that have logged off may still be seen as logged on and will appear in the diagnose debug authd fsso list command output. In addition, the FSSO user lists may be different on individual FPCs or FPMs.

596458

Antivirus scanning may allow an infected file to download over HTTP if the initially blocked session is resumed. A workaround for this issue is to use the following command to set the load balancing method to src-dst-ip:

config load-balance setting
    set dp-load-distribution-method src-dst-ip
end

598950

Running the diagnose sys session clear command from an FIM CLI can temporarily reduce FortiGate-7000 data processing performance. Consider only using this command during a maintenance window or quiet time.

598991

The get system fortiguard command displays different results when run from different FortiGate-6000 or 7000 components on the secondary FortiGate in an HA cluster.

599009

Some FortiView drill down pages don't display all sessions.

599999

The trusted host feature does not block management traffic from an untrusted IP address using the FortiGate-6000 and 7000 special management ports.

600486

593509

If a FortiGate-6000 or 7000 is managing a large number of FSSO or RSSO users, it's possible that the confsyncd process may be using excessive amounts of memory. This problem has been observed in different situations, for example, after a graceful firmware upgrade of an HA cluster with a large number of currently logged in FSSO or RSSO users, or during normal operation with a large number of logged in RSSO or FSSO users.

You can use the command diagnose sys top-summary "-n 30 -i 5 -s mem" to show the amount of memory currently used by different processes, including confsyncd. The amount of memory used by confsyncd can vary, but if you run this command at different times, such as before and after a graceful upgrade, you may find confsyncd memory use spikes.

As a workaround, you can use the diagnose test application confsyncd 20 command to free the extra memory being used by the confsyncd process.

600727

Under some conditions, IPsec VPN phase 2 routing information may be missing from the DP processor routing cache. You can use the diagnose test application fctrlproxyd 2 command to view the DP routing cache. If some of the expected routes are missing, you can use the diagnose test application fctrlproxyd 9 command to force an update of the DPx processor routing cache which should add the missing routes.

600900

The internal FortiOS packet sniffer shows that FortiOS incorrectly creates multiple DP assistant packets for IPsec VPN sessions. DP assistant packets are labeled with (DP Sess).

600999

The FortiGate-7000 HA heartbeat does not fail over correctly when the switch interface connected to the secondary FortiGate-7000 2-M1 interface is disabled.

601006

On an HA cluster with a large number of active RSSO and FSSO users, if the secondary FortiGate is restarted the system may enter conserve mode.

601007

In a FortiGate-6000 HA cluster, the primary FortiGate-6000 may temporarily stop receiving data traffic for ten to fifteen minutes. Management traffic, such as GUI access and remote logging, continues to operate normally.

600879

The set capture {disable | enable} firewall policy option is not available.

601564

In some cases, SSL VPN users may be unable to download FortiClient from the SSL VPN web portal running on the FortiGate-6000 or 7000.
