Fortinet Document Library

FortiGate-7000 Release Notes

Resolved issues

The following issues have been fixed in FortiGate-6000 and FortiGate-7000 FortiOS 6.4.6 Build 1783. For inquiries about a particular bug, please contact Customer Service & Support. The resolved issues described in the FortiOS 6.4.6 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.4.6 Build 1783.

Bug ID    Description

586808    The GUI no longer incorrectly includes the mgmt-vdom when calculating the number of VDOMs.

587437    Running a packet capture from the GUI now works as expected.

616261, 737750    Resolved an issue that caused the wad application to crash with a signal 11.

635310    VLAN interfaces added to accelerated npu_vdom link interfaces can now successfully pass traffic.

667050, 667092, 668365    Resolved multiple Security Fabric synchronization issues.

675484    Resolved an issue that could result in multiple updated processes running, some with CPU usage at 99%.

676444    Resolved an issue that could cause the confsyncd process to crash on idle FortiGate-6000s or 7000s.

677816    Added support for the Security Fabric when operating an HA cluster in transparent mode. Previously, because transparent mode was not supported, FPCs and FPMs on the secondary FortiGate-6000 or 7000 in an HA cluster were not able to synchronize.

678054, 678092, 692694, 695174, 695684, 708141, 709876, 709893, 719886, 739231, 739278    EMAC-VLAN fixes.

680789    Resolved an issue that caused proxy policy traffic hit counters on the GUI to remain at 0 even though the policy was processing traffic.

688736    Resolved an issue that prevented recording some traffic logs for DLP sessions.

690662    The diagnose hardware deviceinfo nic <interface> command output now includes CRC counters.

693013    Resolved an issue that caused the cmdbsvr process to crash and reduce throughput.

693209    Resolved an issue that caused the miglogd processes to use up to 99% of CPU resources after a configuration change to a FortiGate-6000 or 7000 with a large number of firewall policies.

693969    SNMP queries can now capture FortiGate-7000 FIM serial numbers.

694150    Resolved an issue that could sometimes prevent SNMP polling of FIM data from working as expected.

698935    Resolved an issue that caused FortiGate-7000F load balancing to send fragmented and non-fragmented packets from the same session to different FPMs.

700582    Resolved an issue that incorrectly caused the status of an IPsec interface to appear as down on the GUI even though the interface was actually up and passing traffic.

707785    The mechanism for synchronizing the FIB to FPCs or FPMs when an FPC or FPM reboots or after an HA failover is now more efficient and no longer causes errors or problems with BGP routing.

709848, 716158    Fixed syntax errors in the FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib files.

712327    MAC addresses set using the macaddr interface option now persist after the FortiGate-6000 or 7000 restarts.

712406    The FortiGate-6000 management board now shows policy hit counts for all FPCs for NGFW security policies.

712835    Resolved an issue that could sometimes prevent FortiOS from receiving accurate chassis information, such as the chassis serial number, from the SMM.

716273    Resolved an issue that caused routes to be lost when one phase 2 goes down in an IPsec VPN tunnel configuration that includes two phase 2 configurations.

718918    Resolved an issue that created duplicate backup routes after an HA failover. The same issue caused proto=20 routes to be deleted before route-ttl ends and sometimes caused excess memory usage. You can use the following command to clear proto=20 routes (also called backup routes): diagnose test application chlbd 15

719290    Resolved an issue that could prevent Chromebook clients from communicating through L2TP IPsec tunnels.

721371    The config system global option miglog-affinity now works as expected.

725628    Resolved a number of related issues that could cause a FortiGate-6000 or 7000 to enter conserve mode because of high memory usage.

727526    Resolved an issue that caused output of the diagnose debug comlog read command to be interrupted before all of the messages were displayed when running the command on an FIM or FPC.

729134    Resolved an issue that could prevent OSPF from re-negotiating successfully after an FGCP HA failover.

731765    Wildcard FQDN addresses are now synchronized to all FPCs and FPMs in a single FortiGate-6000 or 7000 and to both FortiGate-6000s or 7000s in an FGCP HA configuration.

732017    Resolved an issue that could cause OSPF adjacencies to fail after an FGCP HA failover even though the FortiGate configuration enables OSPF graceful restart.

732071    Resolved a timing issue that could cause an FPC or FPM to become unresponsive for an extended period of time after a firmware upgrade when the configuration includes a large number of UTM profile groups.

733041    SD-WAN health checking information is now available from all FPCs or FPMs.

733058    IPS TLS probe requests can now be configured from the mgmt-vdom VDOM. For example, the following configuration is now supported:

    config ips global
        config tls-active-probe
            set interface-select-method specify
            set interface "mgmt1"
            set vdom "mgmt-vdom"
        end
    end

733261    Resolved an issue that caused SNMP queries to return empty values for some FPCs or FPMs.

733292    After a FortiGate-6000 FGCP HA failover, the management board of the new primary FortiGate-6000 no longer loses its wildcard FQDN cache.

735313    Fixed syntax errors in FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib.

735492    Resolved an issue that could cause one or more FPCs or FPMs to become unresponsive and the console to print error messages that include unregister_netdevice.

736124    Resolved an issue that caused a wad application memory leak.

736418    SNMP queries to fgSysLowMemUsage now return correct values.

736496    Resolved an SD-WAN routing issue that prevented SD-WAN load balancing from working as expected.

737263, 739908    Management, local-out, and IPsec VPN traffic over NPU inter-VDOM links, and over VLANs added to NPU inter-VDOM links, now works as expected.

737576    Resolved an issue that prevented firewall policy stats from being aggregated correctly to the FortiGate-6000 management board firewall policy GUI pages.

739153    SNMP queries to fgSysCpuUsage now return correct values.

740073    Resolved an issue that caused the ntpd process running on an FPC to crash.

741274    Resolved an issue that caused BGP flapping during IPsec phase 2 re-keying, resulting in dropped IPsec VPN sessions.

741973    Resolved an issue that incorrectly allowed administrators to change the FortiAnalyzer and FortiManager IP address from a FortiGate in a Security Fabric configuration that is not the root FortiGate.

742176    Resolved an issue that could cause a FortiGate-6000 or 7000 to stop responding when enabling or disabling the FortiOS Carrier license.

743869    Resolved an issue that could cause a FortiGate-6000 or 7000 managed by FortiManager to send an invalid configuration to FortiManager.

744596    Resolved an issue that could prevent RADIUS users from having to re-authenticate after the RADIUS server session timeout.

744706    It is now possible to set the dp-udp-idle-timer setting to 0.

744944    Resolved an issue that could cause a FortiGate-6000 or 7000 to take too long to synchronize a very large configuration after the system starts up. After this fix, very large configurations should normally take no longer than approximately 30 minutes to synchronize.

744944    Resolved an issue that caused configuration synchronization delays for systems with very large configurations (for example, 200K firewall policies and 256 VDOMs).

745196    Resolved an issue that could prevent ESP sessions from expiring according to the dp-udp-idle-timer setting.

738001    Resolved an issue that caused repeated HA failovers after restarting both FortiGate-6000s in an FGCP HA cluster at the same time.

Common vulnerabilities and exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID    CVE references

711576, 713993    FortiOS 6.4.6 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

  • CVE-2021-26109

739011    FortiOS 6.4.6 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

  • CVE-2021-36173

713992    FortiOS 6.4.6 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

  • CVE-2021-26108
