FortiGate-7000 Release Notes

Resolved issues

The following issues have been fixed in FortiGate-6000 and FortiGate-7000 FortiOS 6.2.9 Build 1206. For inquiries about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 6.2.9 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.2.9 Build 1206.

Bug ID

Description

587400

In an FGCP HA configuration, VDOMs on the backup FortiGate-6000 or 7000 can now send files to FortiSandbox.

589613

Traffic from banned IP addresses can no longer pass through the FortiGate-6000 or 7000.

594258

FortiSwitch management over FortiLink now works as expected on a FortiGate-7000 system when FIM2 is the primary FIM.

601442

Resolved an issue that blocked local-out pings from the FortiGate-6000 management board through a transparent mode VDOM, when the option dp-icmp-distribution-method is changed from the default setting (the default setting is to-master).

616261 737750

Resolved an issue that caused the wad application to crash with a signal 11.

635310

VLAN interfaces added to accelerated npu_vdom link interfaces can now successfully pass traffic.

682869 680789

The management board and primary FIM GUIs now display correct byte and hit count data for proxy policies set up to allow traffic through the explicit web proxy.

690662

The diagnose hardware deviceinfo nic <interface> command output now includes CRC counters.

693325

The slbc-mgmt-intf option is set to 1-mgmt1 by default and this setting is now visible from the default configuration.

694516

The FortiGate-7000F Log settings GUI page now shows correct log usage information.

705958

Dialup server IPsec VPN tunnels are now successfully synchronized to all FPCs or FPMs when mode-cfg is enabled.

714538

The telnetd process now runs on FortiGate-7000F FIMs and the execute load-balance slot manage command works as expected when run from a FortiGate-7000F FIM CLI.

723528

The Sessions: Management widget now shows the correct % distribution of CPU and SPU sessions.

725139

Resolved an issue that could sometimes prevent administrators from removing quarantined IP addresses from the Quarantine Monitor.

728524

The diagnose test application chlbd 3 command now works as expected to recover the FIB from a sync failed state.

729134

Resolved an issue that could prevent OSPF from re-negotiating successfully after an FGCP HA failover.

732017

Resolved an issue that could cause OSPF adjacencies to fail after an FGCP HA failover even though the FortiGate configuration enables OSPF graceful restart.

732071

Resolved a timing issue that could cause an FPC or FPM to become unresponsive for an extended period of time after a firmware upgrade when the configuration includes a large number of UTM profile groups.

733058

IPS TLS probe requests can now be configured from the mgmt-vdom VDOM. For example, the following configuration is now supported:

config ips global
    config tls-active-probe
        set interface-select-method specify
        set interface "mgmt1"
        set vdom "mgmt-vdom"
    end
end

733261

Resolved an issue that caused SNMP queries to return empty values for some FPCs or FPMs.

735492 735279

Resolved an issue that could cause one or more FPCs or FPMs to become unresponsive and the console to print error messages that include unregister_netdevice.

736124

Resolved an issue that caused a wad application memory leak.

740073

Resolved an issue that caused the ntpd process running on an FPC to crash.

741274

Resolved an issue that caused BGP flapping during IPsec phase 2 re-keying, resulting in dropped IPsec VPN sessions.

742176

Resolved an issue that could cause a FortiGate-6000 or 7000 to stop responding when enabling or disabling the FortiOS Carrier license.

742994

Resolved an issue that caused BGP received prefix lifetimes to be reset every 60 seconds.

743869

Resolved an issue that could cause a FortiGate-6000 or 7000 managed by FortiManager to send an invalid configuration to FortiManager.

744204

When consolidated firewall mode is enabled, policy statistics such as the number of active sessions, packets, bytes, and so on are now available from the management board or primary FIM. The management board GUI and primary FIM GUI can now successfully display policy statistics, and REST API calls and SNMP queries to the management board or primary FIM for policy statistics work as expected. For information about consolidated firewall mode, see Combined IPv4 and IPv6 policy.

744344

FortiGate-6000 and 7000 mirroring SSL inspected traffic (also called SSL port mirroring) now works as expected.

744596

Resolved an issue that could prevent RADIUS users from having to re-authenticate after the RADIUS server session timeout.

744636

Resolved an issue that could prevent FortiGate-6000 or 7000 FGCP clusters from synchronizing files received from FortiGuard after the cluster has been operating for 497 days.

744944

Resolved an issue that could cause a FortiGate-6000 or 7000 to take too long to synchronize a very large configuration after the system starts up. After this fix, very large configurations should normally take no longer than approximately 30 minutes to synchronize.

747819

Resolved an issue that caused incorrect reporting of the number of large packets processed by a loopback interface.

748258

The output of the get transceiver info command no longer includes error messages.

749357

Resolved a memory leak that caused high memory usage on the primary FPC or FPM.

750185 736418

Fixed SNMP MIB file syntax errors.

752602 731974

Resolved several issues with fragmented packet load balancing.

755579

You can now successfully use the FortiManager Connect to CLI via SSH device manager option to connect to the FortiGate-6000 or 7000 CLI.

758445

Increased the FortiGate-7000F boot partition size. This change allows the FortiGate-7000F to support larger, more complex configurations that include more VDOMs and firewall policies. Because of this change, the process of upgrading to 6.2.9 Build 1206 will take longer than normal, and during this time the FortiGate-7000F will not be able to process traffic.

737263

Management, local-out, and IPsec VPN traffic over NPU inter-VDOM links and with VLANs added to NPU inter-VDOM links works as expected.

Common vulnerabilities and exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

669673

FortiOS 6.2.9 for FortiGate-6000 and 7000 series is no longer vulnerable to the following CVE Reference:

  • CVE-2021-26103

752134

FortiOS 6.2.9 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

  • CVE-2021-42757

752450

FortiOS 6.2.9 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

  • CVE-2021-44168

711576 713993

FortiOS 6.2.9 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

  • CVE-2021-26109

739011

FortiOS 6.2.9 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

  • CVE-2021-36173
