FortiGate-7000 Release Notes

Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.4.8 Build 1823. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.4.8 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.4.8 Build 1823.

Bug ID / Description

653092

You cannot use the SLBC management interface IP address to manage a FortiGate-6000 or 7000 by connecting to a data interface.

674979

The GUI incorrectly shows more traffic on FortiGate-6000 HA interfaces than what is actually occurring.
682426

Traffic log messages are only transmitted through a dedicated HA management interface when ha-direct is enabled.

715541

FortiGate-7000E platforms do not support using a LAG for FGSP session synchronization.

724543

Outbound bandwidth traffic statistics are showing incorrectly on individual FIM and FPM GUI pages.

734898

Under some conditions, when a FortiGate-6000 or 7000 is very busy and configuration changes are made either manually or using a script, the cmdbsvr application may crash with a signal 11 segmentation fault. This problem can occur on a standalone FortiGate-6000 or 7000 or on FortiGate-6000s or 7000s in an FGCP HA cluster.

752402

In some cases traffic may be blocked from passing through a FortiGate-7000F because FortiOS assigned an incorrect MAC address to a VLAN interface. This problem may resolve itself after the system has been operating for a few minutes. Restarting the FortiGate-7000F will also resolve the problem.

752402

Some of the VLAN interfaces added to a LAG may be set up with incorrect MAC addresses. Because of this problem, traffic may not be able to connect to these VLAN interfaces. You can work around this issue by doing one of the following:

  • Wait at least 30 seconds after creating the LAG before adding VLANs to it.

  • Check the MAC addresses of the VLANs as you add them. Remove and re-add the VLAN if its MAC address begins with 70:4c:a5.

  • Restart the FortiGate-6000 or 7000 after adding all of the VLAN interfaces.

767742

Because of a limitation of the FIM-7921F switch hardware, the FortiGate-7121F with FIM-7921Fs does not support adding VLANs to flow rules. The vlan setting of the config load-balance flow-rule command is ignored.

771680

Configuring SSL VPN Web portals from the GUI does not work correctly. Configuring SSL VPN Web portals from the CLI does work as expected.

773766

The fnbamd and radiusd processes may crash when the FortiGate-6000 or 7000 is managing large numbers of single sign-on users.

777415

In a FortiGate-6000 or 7000 FGCP HA configuration, dynamic addresses received by an SDN connector may not be synchronized to the secondary FortiGate-6000 or 7000 in the cluster.

778239

For all FortiGate-6000 and 7000 models, the CLI allows you to add up to 512 flow rules. However, the number of flow rules that you can add is actually limited by the FortiGate-6000 and 7000 internal switch hardware:

  • All FortiGate-6000F models support up to 256 flow rules.

  • All FortiGate-7000E models support up to 512 flow rules.

  • A FortiGate-7000F with FIM-7941Fs supports up to 492 flow rules.

  • A FortiGate-7000F with FIM-7921Fs supports up to 52 flow rules.

780296

IP addresses received by an ACI SDN connector are not always synchronized to all FPCs or FPMs, especially if a relatively large number of addresses are to be synchronized, for example 2000 addresses.

782095

FortiGate-6000 FGCP cluster interfaces may be assigned virtual MAC addresses that overlap with the virtual MAC addresses assigned to the interfaces of other FortiGates in FGCP clusters, even if they have different group IDs. If you have a FortiGate-6000 FGCP cluster on the same network as FGCP clusters with other FortiGates, you can work around this issue by setting the group IDs of the other FortiGate clusters on the same network to a value of 81 or higher.

782338

A single SSL VPN user session can tie up multiple IP addresses, resulting in no more IP addresses being available for new SSL VPN sessions. You may be able to reduce the impact of this issue by disabling the user login limit for the portal, by entering the following command:

    config vpn ssl web portal
        edit "name"
            set limit-user-logins disable
    end

You can also use the following command to list all active SSL VPN tunnels:

    execute vpn sslvpn list

The command output lists all active SSL VPN tunnels in order by index number. If there are missing index numbers, you can use the following command to delete the tunnels with those missing index numbers, freeing up the IP addresses that were tied up by those tunnels:

    execute vpn sslvpn del-tunnel <missing index>
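As an added example (not part of these release notes or of FortiOS), a small Python helper that applies the procedure above to saved output of execute vpn sslvpn list: it collects the index numbers listed under the sessions section, reports the gaps, and builds the matching execute vpn sslvpn del-tunnel commands. The column layout of the sample output and the "SSL VPN sessions:" heading it keys on are assumptions; check them against your own unit's output before relying on the result.

```python
# Constructed sample of "execute vpn sslvpn list" output. The column layout is an
# assumption made for this example; the real output on a given build may differ.
SAMPLE_OUTPUT = """\
SSL VPN Login Users:
 Index   User    Group     Auth Type  Timeout  Auth-Timeout  From          HTTP in/out  HTTPS in/out  Two-factor Auth
 0       alice   sslgroup  1(1)       281      28489         198.51.100.7  0/0          0/0           0
 3       bob     sslgroup  1(1)       290      28312         198.51.100.9  0/0          0/0           0

SSL VPN sessions:
 Index   User    Group     Source IP      Duration  I/O Bytes   Tunnel/Dest IP
 0       alice   sslgroup  198.51.100.7   1422      31876/8802  10.212.134.200
 3       bob     sslgroup  198.51.100.9   1310      12030/4411  10.212.134.203
 4       carol   sslgroup  198.51.100.12  88        2048/1024   10.212.134.204
"""


def session_indexes(output: str) -> list[int]:
    """Return the index numbers of the rows under "SSL VPN sessions:" (assumed heading)."""
    indexes = []
    in_sessions = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("SSL VPN sessions:"):
            in_sessions = True
            continue
        if in_sessions and stripped.endswith(":"):
            in_sessions = False  # a new section heading ends the sessions table
        if not in_sessions:
            continue
        fields = stripped.split()
        if fields and fields[0].isdigit():  # data rows start with the index; skip the header
            indexes.append(int(fields[0]))
    return sorted(indexes)


def missing_indexes(output: str) -> list[int]:
    """Index numbers absent from the sequence 0 .. highest listed index."""
    present = set(session_indexes(output))
    if not present:
        return []
    return [i for i in range(max(present) + 1) if i not in present]


def del_tunnel_commands(output: str) -> list[str]:
    """One "execute vpn sslvpn del-tunnel <index>" command per missing index."""
    return [f"execute vpn sslvpn del-tunnel {i}" for i in missing_indexes(output)]


if __name__ == "__main__":
    for cmd in del_tunnel_commands(SAMPLE_OUTPUT):
        print(cmd)
```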

782640

When viewing FortiView pages from a VDOM, the FortiGate-6000 or 7000 may not be able to retrieve data from FortiAnalyzer. The FortiView pages display the error message "Failed to retrieve FortiView data".

782978

If you attempt to create an FGCP HA cluster and the FortiGate-6000s or 7000s making up the cluster have different firmware versions, the CLI of one of the FortiGate-6000s or 7000s may display incorrect error messages after restarting.

783689

Because of a software issue, FortiGate-6000F DC models with only one DC PSU connected to power may become unstable, causing some FPCs to restart. A single DC PSU should be able to supply sufficient power to operate the management board and all of the FPCs in every FortiGate-6000F DC model.

786659

If you are managing a FortiGate-7121F FGCP HA cluster using FortiManager, in some cases the confsyncd process running on the primary FIM of the primary FortiGate-7121F can crash. After the crash, configuration changes are no longer synchronized to the FPMs in the primary FortiGate-7121F.

This problem does not affect the secondary FortiGate-7121F in the cluster, so to resume normal operation you can cause an HA failover, making the secondary FortiGate-7121F the primary FortiGate-7121F. Check with Fortinet Support for assistance with restoring operation of the original primary FortiGate-7121F.

792717

A dialup IPSec VPN tunnel can take a couple of minutes before allowing traffic through it, even though the tunnel appears to be up when viewed from the FortiGate GUI or CLI. This can happen if dead peer detection (DPD) is enabled on a large number of VPN clients accessing the tunnel. Receiving the DPD messages from many clients at the same time can trigger this issue. To work around the problem, you can disable dead peer detection on all FortiClients that access the tunnel.
