Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-7000 Release Notes

Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.0.8 Build 6599. For inquires about a particular bug, please contact Customer Service & Support.

Bug ID

Description

546794

An RSSO user may not be de-authenticated from the management board when the system administrator de-authenticates the user from the GUI.

586984

HA heartbeat communication may not work with some Cisco ACI switches using QnQ if the switch requires the inner tag to use Ethertype 0x8100.

592170

In a FortiGate-6000 or 7000 HA cluster, if both devices in the cluster are configured with the same chassis ID, the device with the lowest serial number will be shut down. For more information, see Resolving HA cluster chassis ID conflicts.

594548

Some GUI pages that should have a large number of entries, for example the IPv4 firewall policy page, may not be able to successfully display some or all data or may display error messages.

595851

An LDAP user session may have different expiry times on different FPCs or FPMs.

596347

FSSO users that have logged off may still be seen as logged on and will appear in the diagnose debug authd fsso list command output. In addition, the FSSO users lists may be different on individual FPCs or FPMs.

596458

Antivirus scanning may allow an infected file to download over HTTP if the initially blocked session is resumed. A workaround for this issue is to use the following command to set the load balancing method to src-dst-ip:

config load-balance setting

set dp-load-distribution-method src-dst-ip

end

598950

Running the diagnose sys session clear command from an FIM CLI can temporarily reduce FortiGate-7000 data processing performance. Consider only using this command during a maintenance window or quiet time.

598991

The get system fortiguard command displays different results when run from different FortiGate-6000 or 7000 components on the secondary FortiGate in an HA cluster.

599009

Some FortiView drill down pages don't display all sessions.

599999

The trusted host feature does not block management traffic from an untrusted IP address using the FortiGate-6000 and 7000 special management ports.

600486

593509

If a FortiGate-6000 or 7000 is managing a large number of FSSO or RSSO users, its possible that the confsyncd process may be using excessive amounts of memory. This problem has been observed in different situations, for example, after a graceful firmware upgrade of an HA cluster with a large number of currently logged in FSSO or RSSO users, or during normal operation with a large number of logged in RSSO or FSSO users.

You can use the command diagnose sys top-summary "-n 30 -i 5 -s mem" to show the amount of memory currently used by different processes, including confsynced. The amount of memory used by confsyncd can vary, but if you run this command at different times, such as before and after a graceful upgrade you may find confsyncd memory use spikes.

As a workaround, you can use the diagnose test application confsyncd 20 command to free the extra memory being used by the confsyncd process.

600727 Under some conditions, IPsec VPN phase 2 routing information may be missing from the DP processor routing cache. You can use the diagnose test application fctrlproxyd 2 command to view the DP routing cache. If some of the expected routes are missing, you can use the diagnose test application fctrlproxyd 9 command to force an update of the DPx processor routing cache which should add the missing routes.

600900

The internal FortiOS packet sniffer shows that FortiOS incorrectly creates multiple DP assistant packets for IPsec VPN sessions. DP assistant packets are labeled with (DP Sess).

600999

The FortiGate-7000 HA heartbeat does not fail over correctly when the switch interface connected to the secondary FortiGate-7000 2-M1 interface is disabled.

601006

On an HA cluster with a large number of active RSSO and FSSO users, if the secondary FortiGate is restarted the system may enter conserve mode.

601007

In a FortiGate-6000 HA cluster, the primary FortiGate-6000 may temporarily stop receiving data traffic for ten to fifteen minutes. Management traffic, such as GUI access and remote logging, continue to operate normally.

600879

The set capture {disable | enable} firewall policy option is not available.

601564

In some cases, SSL VPN users may be unable to download FortiClient from the SSL VPN web portal running on the FortiGate-6000 or 7000.

Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.0.8 Build 6599. For inquires about a particular bug, please contact Customer Service & Support.

Bug ID

Description

546794

An RSSO user may not be de-authenticated from the management board when the system administrator de-authenticates the user from the GUI.

586984

HA heartbeat communication may not work with some Cisco ACI switches using QnQ if the switch requires the inner tag to use Ethertype 0x8100.

592170

In a FortiGate-6000 or 7000 HA cluster, if both devices in the cluster are configured with the same chassis ID, the device with the lowest serial number will be shut down. For more information, see Resolving HA cluster chassis ID conflicts.

594548

Some GUI pages that should have a large number of entries, for example the IPv4 firewall policy page, may not be able to successfully display some or all data or may display error messages.

595851

An LDAP user session may have different expiry times on different FPCs or FPMs.

596347

FSSO users that have logged off may still be seen as logged on and will appear in the diagnose debug authd fsso list command output. In addition, the FSSO users lists may be different on individual FPCs or FPMs.

596458

Antivirus scanning may allow an infected file to download over HTTP if the initially blocked session is resumed. A workaround for this issue is to use the following command to set the load balancing method to src-dst-ip:

config load-balance setting

set dp-load-distribution-method src-dst-ip

end

598950

Running the diagnose sys session clear command from an FIM CLI can temporarily reduce FortiGate-7000 data processing performance. Consider only using this command during a maintenance window or quiet time.

598991

The get system fortiguard command displays different results when run from different FortiGate-6000 or 7000 components on the secondary FortiGate in an HA cluster.

599009

Some FortiView drill down pages don't display all sessions.

599999

The trusted host feature does not block management traffic from an untrusted IP address using the FortiGate-6000 and 7000 special management ports.

600486

593509

If a FortiGate-6000 or 7000 is managing a large number of FSSO or RSSO users, its possible that the confsyncd process may be using excessive amounts of memory. This problem has been observed in different situations, for example, after a graceful firmware upgrade of an HA cluster with a large number of currently logged in FSSO or RSSO users, or during normal operation with a large number of logged in RSSO or FSSO users.

You can use the command diagnose sys top-summary "-n 30 -i 5 -s mem" to show the amount of memory currently used by different processes, including confsynced. The amount of memory used by confsyncd can vary, but if you run this command at different times, such as before and after a graceful upgrade you may find confsyncd memory use spikes.

As a workaround, you can use the diagnose test application confsyncd 20 command to free the extra memory being used by the confsyncd process.

600727 Under some conditions, IPsec VPN phase 2 routing information may be missing from the DP processor routing cache. You can use the diagnose test application fctrlproxyd 2 command to view the DP routing cache. If some of the expected routes are missing, you can use the diagnose test application fctrlproxyd 9 command to force an update of the DPx processor routing cache which should add the missing routes.

600900

The internal FortiOS packet sniffer shows that FortiOS incorrectly creates multiple DP assistant packets for IPsec VPN sessions. DP assistant packets are labeled with (DP Sess).

600999

The FortiGate-7000 HA heartbeat does not fail over correctly when the switch interface connected to the secondary FortiGate-7000 2-M1 interface is disabled.

601006

On an HA cluster with a large number of active RSSO and FSSO users, if the secondary FortiGate is restarted the system may enter conserve mode.

601007

In a FortiGate-6000 HA cluster, the primary FortiGate-6000 may temporarily stop receiving data traffic for ten to fifteen minutes. Management traffic, such as GUI access and remote logging, continue to operate normally.

600879

The set capture {disable | enable} firewall policy option is not available.

601564

In some cases, SSL VPN users may be unable to download FortiClient from the SSL VPN web portal running on the FortiGate-6000 or 7000.