
FortiGate-7000 Release Notes


Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.2.3 Build 6252. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.2.3 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.2.3 Build 6252.

Bug ID

Description

515590

The Session Rate: Management dashboard widget shows incorrect information when viewed on VDOM dashboards.

561722

Policies that block or allow devices based on device detection and identification using FortiClient may not work as expected because the MAC addresses used to identify the devices are not synchronized to all FPCs or FPMs. You can work around this issue using a flow rule similar to the following:

config load-balance flow-rule
    edit 28
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 8013-8013
        set forward-slot load-balance
        set comment "FCT Telemetry"
    end

It may also work to change the load distribution method:

config load-balance setting
    set dp-load-distribution-method src-ip
    config workers
        edit 1
        end
    end

581243

Under some conditions (for example, high CPU usage) the get system status command on some FPCs or FPMs may show an incorrect primary (master) FPC or FPM.

581990

Running the diagnose sys logdisk status command on a FortiGate-6301F or 6501F may show the status of the log disk as unknown even if the disk is available and in a known good state.

584078

When logged into an individual FPC or FPM, the Load Balance Monitor GUI page incorrectly shows all real servers as being down.

589613

Local-in deny policies may not successfully block the specified local-in traffic. Until this issue is resolved, do not rely on local-in deny policies alone to restrict access to management services: keep interface allowaccess settings and administrator trusted hosts restrictive as well, and verify from a host that the policy should deny that the traffic is actually blocked.
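The following Python script is an added example and is not part of this release note or of FortiOS. It performs the verification suggested above: run from a host that a local-in deny policy is supposed to block, it attempts a TCP handshake to each management service on the FortiGate interface and reports any service that still answers. The target address, the port list, and the simulated-open ports used when the script runs without arguments are assumptions for illustration.

```python
import socket
import sys

# Management services to probe. The port list is an assumption for illustration;
# replace it with the services exposed on the interface under test.
DEFAULT_PORTS = {"ssh": 22, "http": 80, "https": 443, "fgfm": 541}


def tcp_connects(host, port, timeout=2.0, connect=socket.create_connection):
    """Return True if a TCP handshake to host:port completes within timeout.

    A working local-in deny policy leaves this False for every denied port;
    a completed handshake means the policy did not block the traffic.
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_local_in(host, expect_denied, ports=DEFAULT_PORTS,
                   connect=socket.create_connection):
    """Probe each named service and return the ones reachable despite being denied.

    expect_denied lists service names (keys of ports) that the local-in policy
    should block from this host. The "leaks" entry is empty when the policy works.
    """
    reachable = {name: tcp_connects(host, port, connect=connect)
                 for name, port in ports.items()}
    leaks = sorted(name for name in expect_denied if reachable.get(name, False))
    return {"reachable": reachable, "leaks": leaks}


def make_simulated_connect(open_ports):
    """Build a stand-in for socket.create_connection so the script runs offline.

    Ports in open_ports "accept"; every other port raises ConnectionRefusedError,
    which is what a denied host sees when the policy works or the service is closed.
    """
    class _Conn:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def connect(address, timeout=None):
        if address[1] in open_ports:
            return _Conn()
        raise ConnectionRefusedError("simulated deny")

    return connect


def main(argv):
    # Real use (from a host the policy denies): python3 probe.py 192.0.2.1 ssh https
    # Without arguments the script runs a constructed simulation in which the deny
    # policy silently fails for SSH (port 22 still answers) but blocks HTTPS.
    if len(argv) >= 3:
        host, denied = argv[1], argv[2:]
        result = probe_local_in(host, denied)
    else:
        host, denied = "192.0.2.1", ["ssh", "https"]  # assumed address for the demo
        result = probe_local_in(host, denied,
                                connect=make_simulated_connect({22, 80}))
    for name, up in sorted(result["reachable"].items()):
        print(f"{host} {name:5s} {'OPEN' if up else 'closed'}")
    if result["leaks"]:
        print("local-in deny NOT effective for:", ", ".join(result["leaks"]))
        return 1
    print("all denied services are blocked")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one service the policy should deny still completed a handshake, which is the condition this bug can cause; repeat the probe after changing allowaccess or trusted-host settings to confirm the alternative control closes the gap.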

590136

In a virtual clustering configuration, under some conditions some FortiGate-6000 or 7000 components may not be able to reach DNS servers and will generate DNS error log messages.

591251

Enabling disk logging on a FortiGate-6501F or 6301F or enabling sending logs to a syslog server on a FortiGate-6000 or 7000 from the GUI does not work unless FortiAnalyzer logging is enabled.

601677

Under some conditions caused by communication problems, the get system status command run on a FortiGate-7000 primary FPM may incorrectly show that another FPM is the primary FPM, or the FPM Master field may show N/A.

600504

IPv6 ECMP is not supported.

603601 604304 606091

This release supports many, but not all, SDN connectors. Some workarounds may be required to support some features. For more information, see SDN connector support.

605065

You cannot set a management interface LAG to be the SLBC management interface by adding it to the config load-balance setting slbc-mgmt-intf option. For more information, see Management interface LAG limitations.

605069

FortiGate-6000 FPCs and the management board assign different MAC addresses to a management interface LAG. The management board uses the MAC address of the second interface in the member list while the FPCs use the MAC address of the first interface in the member list.

605073

The GUI and CLI do not prevent you from adding mgmt3 to a management interface LAG.

605371

By default, for FortiOS 6.2.3 the auxiliary-sessions option of the config system settings command is disabled, and with ECMP enabled some TCP sessions may be unexpectedly blocked. For more information, see Enabling auxiliary session support.

605411

Management traffic (local in and local out) is not accepted by inter-VDOM link interfaces if the inter-VDOM link type is set to ppp (point to point). The type is set to ppp by default when you add an inter-VDOM link from the GUI or CLI. To support management connections to the inter-VDOM link interfaces, you must manually change the type to ethernet from the CLI using the following command:

config system vdom-link
    edit link-name
        set type ethernet
    end

606120

Usage-based ECMP load balancing is not supported. If the config system settings v4-ecmp-mode option is set to usage-based, all traffic uses the first ECMP route instead of being load balanced among all ECMP routes. All other ECMP load balancing options are supported, including source-ip-based, weight-based, and source-dest-ip-based.

606785

If you manually disable an interface that has been added to a LAG group, the interface disappears from the GUI interface list. To get the interface to appear on the list again, you must enable it from the CLI.

607139

In a virtual clustering configuration, if virtual cluster 1 and virtual cluster 2 are on different FortiGates, then dial-up VPN servers in VDOMs in virtual cluster 2 will not work correctly because of missing IPsec routes. The workaround until this issue is resolved is to keep VDOMs with VPN servers in virtual cluster 1.

607536

An "image upgrade failed" message may appear on the GUI after a successful graceful upgrade of an HA cluster.

607649

If the FortiGate-6000 mgmt1, mgmt2, or mgmt3 interfaces are HA monitored interfaces, they cannot be added to a management interface LAG.

607921

The Configuration Sync Monitor may show incorrect status information for the secondary FortiGate-6000 management board or FortiGate-7000 primary FIM.

608940

Management traffic can't be sent over an inter-VDOM link. For example, you can't connect from the mgmt-vdom to FortiGuard by creating an inter-VDOM link between mgmt-vdom and a VDOM connected to the internet. You also can't use inter-VDOM links to connect from mgmt-vdom to a FortiManager. To communicate with FortiGuard, mgmt-vdom must be able to connect to the internet or to a FortiManager without going through an inter-VDOM link.

608632

FortiGate-6000 dataplane sessions and session rate dashboard widgets show incorrect information when viewed from a traffic VDOM dashboard.

609131

When DHCP leases are cleared from the primary FortiGate in an HA cluster, they are not cleared from the secondary FortiGate.

610494

Virtual clustering is not supported when operating in Split-Task VDOM mode. Virtual clustering GUI and CLI options to configure virtual clustering when operating in Split-Task VDOM mode will be removed in a future release.

610779

In some FortiGate-6000 and 7000 configurations, the forwarding information base (FIB) routing database may not be synchronized to all FPCs or FPMs. You can resolve this issue by forcing the affected FPC or FPM to re-synchronize the FIB: log into its CLI and enter diagnose test application chlbd 3. This problem can be difficult to detect because there can be a very large number of routes to compare. To check, run diagnose ip route list | grep -c "proto=1[1,8]" on each FPC or on each FPM to display the number of routes. If one component reports a different (usually lower) number, run the diagnose command on that component to re-synchronize it.
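The following Python script is an added example and is not part of this release note or of FortiOS. It applies the comparison described above to the saved output of diagnose ip route list from each FPC or FPM: it counts the lines that the grep in the release note counts, and names the slot whose count differs so that diagnose test application chlbd 3 can be run there. The slot names and the route lines are constructed sample data modelled on the format of that command's output, not captured from a device.

```python
import re
from collections import Counter

# Same pattern as the grep in the release note. Inside a bracket expression the
# comma is a literal character, so "proto=1[1,8]" matches proto=11 and proto=18.
ROUTE_PATTERN = re.compile(r"proto=1[1,8]")

# Constructed sample lines modelled on "diagnose ip route list" output. The
# prefixes, gateways and slot names below are assumptions for illustration.
_R1 = ("tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->10.10.0.0/24 "
       "pref=0.0.0.0 gwy=192.0.2.1 dev=5(port1)")
_R2 = ("tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->10.20.0.0/24 "
       "pref=0.0.0.0 gwy=192.0.2.1 dev=5(port1)")
_R3 = ("tab=254 vf=0 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->10.30.0.0/24 "
       "pref=0.0.0.0 gwy=198.51.100.1 dev=6(port2)")
_R4 = ("tab=254 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.0.2.0/24 "
       "pref=192.0.2.10 gwy=0.0.0.0 dev=5(port1)")  # connected route, not counted

SAMPLE_OUTPUT = {
    "FPC3": "\n".join([_R1, _R2, _R3, _R4]),
    "FPC4": "\n".join([_R1, _R2, _R3, _R4]),
    "FPC5": "\n".join([_R1, _R3, _R4]),  # 10.20.0.0/24 never reached this slot
}


def count_synced_routes(route_list_output):
    """Count route lines with proto=11 or proto=18, as the note's grep -c does."""
    return sum(1 for line in route_list_output.splitlines()
               if ROUTE_PATTERN.search(line))


def find_out_of_sync(counts):
    """Return the slots whose route count differs from the majority count.

    A single stale slot shows a lower count than all the others, which is the
    case the note describes. If no count has a clear majority (for example two
    slots with two different counts), every slot is returned so the operator
    compares the tables by hand instead of trusting a guess.
    """
    if not counts:
        return []
    ranked = Counter(counts.values()).most_common()
    majority, freq = ranked[0]
    if len(ranked) > 1 and ranked[1][1] == freq:
        return sorted(counts)
    return sorted(slot for slot, n in counts.items() if n != majority)


def check_fib_sync(outputs):
    """Map each slot name to its route count and list the slots to re-synchronize."""
    counts = {slot: count_synced_routes(text) for slot, text in outputs.items()}
    return {"counts": counts, "resync": find_out_of_sync(counts)}


if __name__ == "__main__":
    # With real data, replace SAMPLE_OUTPUT with a dict of {slot: saved output}.
    result = check_fib_sync(SAMPLE_OUTPUT)
    for slot, n in sorted(result["counts"].items()):
        print(f"{slot}: {n} routes (proto=11/18)")
    for slot in result["resync"]:
        print(f"{slot}: count differs; log in to {slot} and run: "
              "diagnose test application chlbd 3")
```

The count is a coarse check, as the note says: two slots can hold the same number of routes and still differ in content, so treat a matching count as "no evidence of a problem" rather than proof of synchronization.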

611830

Error checking does not prevent you from moving a VDOM between virtual clusters in a way that leaves a VLAN in a different virtual cluster than the physical interface or LAG that the VLAN has been added to. FortiGate-6000 and 7000 virtual clustering requires that a VLAN be in the same virtual cluster as the physical or LAG interface that the VLAN has been added to. See Virtual clustering VLAN/VDOM limitation.

611834

In a virtual clustering configuration, if a VLAN interface is in a different virtual cluster than the physical interface that it was added to, traffic to and from that interface can pass through the virtual cluster that contains the physical interface.

612357

The execute factoryreset-shutdown command will not completely reset the configuration to factory defaults when run on a secondary FortiGate-6000F in an HA cluster with uninterruptible-upgrade enabled.

612444

When a FortiGate-6000 or 7000 forms a cluster with another FortiGate-6000 or 7000 already operating in HA mode, the active RSSO user list is not synchronized to the FPCs or FPMs in the newly joined FortiGate-6000 or 7000. This can happen, for example, in an operating cluster if one of the FortiGate-6000s or 7000s in the cluster restarts.

613295

When converting a FortiGate-6000 or 7000 system from FortiOS Carrier to normal FortiOS, after the system restarts it may be out of sync. You can resolve this problem by logging into the management board or primary FIM CLI and entering the following command to reset the darrp-optimize-schedules wireless controller setting:

config wireless-controller setting
    unset darrp-optimize-schedules
end
