FortiGate-7000 Release Notes

Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.4.10 Build 1875. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.4.10 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.4.10 Build 1875.

Bug ID

Description

653092

You cannot use the SLBC management interface IP address to manage a FortiGate-6000 or 7000 by connecting to a data interface.

724543

Outbound bandwidth traffic statistics are displayed incorrectly on individual FIM and FPM GUI pages.

731789 860330

On a FortiGate-6000, when using the vd (VDOM) filter of the diagnose debug flow command from the management board CLI, the flow trace is only enabled on the management board and not on the FPCs. To see traffic on individual FPCs, you need to enter the diagnose debug flow command with the vd filter from each FPC CLI.

767742

Because of a limitation of the FIM-7921F switch hardware, the FortiGate 7121F with FIM-7921Fs does not support adding VLANs to flow rules. The vlan setting of the config load-balance flow-rule command is ignored.

768931

The FortiGate-7000F GUI does not show FPM-7620F P1 and P2 split interfaces.

773766

The fnbamd and radiusd processes may crash when the FortiGate-6000 or 7000 is managing large numbers of single sign-on users.

778239

For all FortiGate-6000 and 7000 models, the CLI allows you to add up to 512 flow rules. However, the number of flow rules that you can add is actually limited by the FortiGate-6000 and 7000 internal switch hardware:

  • All FortiGate-6000F models support up to 256 flow rules.

  • All FortiGate-7000E models support up to 512 flow rules.

  • A FortiGate-7000F with FIM-7941Fs supports up to 492 flow rules.

  • A FortiGate-7000F with FIM-7921Fs supports up to 52 flow rules.

782095

FortiGate-6000 FGCP cluster interfaces may be assigned virtual MAC addresses that overlap with the virtual MAC addresses assigned to the interfaces of other FortiGates in FGCP clusters, even if they have different group IDs. If you have a FortiGate-6000 FGCP cluster on the same network as FGCP clusters with other FortiGates, you can work around this issue by setting the group IDs of other FortiGate clusters on the same network to a value of 81 or higher.

782640

When viewing FortiView pages from a VDOM, the FortiGate-6000 or 7000 may not be able to retrieve data from FortiAnalyzer. The FortiView pages will display the error message "Failed to retrieve FortiView data".

782978

If you attempt to create an FGCP HA cluster and the FortiGate-6000s or 7000s making up the cluster have different firmware versions, the CLI of one of the FortiGate-6000s or 7000s may display incorrect error messages after restarting.

825029

From the FortiGate-6000 or 7000 GUI or CLI you can only run a policy lookup if the FortiGate-6000 or 7000 has a route to the destination and a properly configured firewall policy that allows traffic to the destination. Normally policy lookup operations only require a route to the destination.

854819

FGSP auto session synchronization randomly fails for some FPCs and FPMs when the MTU of the FGSP session synchronization data interface is set to the maximum value of 9216 bytes. FGSP auto session synchronization occurs after an FPC or FPM or a FortiGate-6000 or 7000 in an FGSP cluster restarts. The workaround to this problem is to decrease the MTU of the data interface to 9200 bytes or less.

856706

After an IPsec tunnel is started on a primary FortiGate-6000 or 7000 in an FGCP HA configuration, the IPsec SA is synchronized on the secondary FortiGate-6000 or 7000 in the cluster. However, after a short while, the IPsec SA can be deleted from the secondary FortiGate. If this causes IPsec tunnels to go down after a failover, you can enter the command diagnose vpn ike gateway flush on the new primary FortiGate-6000 or 7000 to flush and then restore all IPsec VPN tunnels.

878934

Some relatively large routing configurations may cause the fctrlproxyd process to periodically use excessive amounts of CPU time (up to 99%), usually as a result of routing configuration changes.

Restarting the fctrlproxyd process is not recommended because this will not resolve the high CPU usage problem and can cause interface flapping.
