Fortinet Document Library
FortiGate-7000 Release Notes

Resolved issues

The following issues have been fixed in FortiGate-6000 and FortiGate-7000 FortiOS 6.4.8 Build 1823. For inquiries about a particular bug, please contact Customer Service & Support. The resolved issues described in the FortiOS 6.4.8 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.4.8 Build 1823.

Bug ID  Description

511091, 593747, 615509, 697873, 751856, 765696, 765704, 766337, 767074, 768357, 768402, 770588, 768585, 768027, 766285, 769377, 771802, 762281, 593781, 735634  Improvements to SD-WAN compatibility with SLBC.

544748  Setting the source-ip option when using the config system ntp command to set up NTP time services no longer prevents the FortiGate-6000 or 7000 from accessing the configured NTP server.

585437  Resolved some issues with link monitoring that could sometimes lead to incorrect link monitoring information appearing on some FPCs or FPMs.

594258  FortiSwitch management over FortiLink now works as expected on a FortiGate-7000 system when FIM2 is the primary FIM.

612483  Management connections to FortiManager, FortiAnalyzer, and FortiGuard from a FortiGate-6000 or 7000 traffic interface now work as expected.

674435  Web filtering quotas now work as expected.

677002  Resolved an issue that prevented FGSP configuration changes from being synchronized to all FPCs or FPMs.

693325  The slbc-mgmt-intf option is set to 1-mgmt1 by default, and this setting is now visible in the default configuration.

695060  Changing FGSP settings using the config system standalone-cluster command no longer requires restarting the FortiGate-6000 or 7000 for the configuration changes to be synchronized to all FPCs or FPMs.

695189  Resolved an issue that caused the output of the diagnose test application fctrlproxyd 1 command to contain MAC addresses that incorrectly appeared as 00:00:00:00:00:00.

696715  Resolved an issue that caused the diagnose sys link-monitor stat command to display error messages.

697423  FortiGate-7000F cross-FIM LAGs now work as expected.

700337  Design changes implemented for FGSP to improve performance if the configuration includes more than three cluster sync entries.

704635  All supported transceiver types are now displayed correctly on the FortiGate-7000F GUI.

705958  Dialup server IPsec VPN tunnels are now successfully synchronized to all FPCs or FPMs when mode-cfg is enabled.

714538  The telnetd process now runs on FortiGate-7000F FIMs, and the execute load-balance slot manage command works as expected when run from a FortiGate-7000F FIM CLI.

737087  Resolved an issue that could sometimes cause FortiGate-7000F NP7 load balancers to drop IPv6 FTP packets passing through a VLAN interface.

738266  The status of IPv6 links is now correctly synchronized to all FPCs and FPMs.

739043  Added the slot ID field to SSL log messages sent to FortiAnalyzer.

739627  Resolved an issue that prevented traffic log messages from being recorded for proxy sessions. Because of this issue, the output of the diagnose wad stats policy list command was incorrect, and the wrong session count information was displayed on the firewall policy GUI.

740196  The get system {session | session6} status command now displays information for the FortiGate-6000 management board and all FPCs, or for the FortiGate-7000 FIMs and FPMs.

744344  FortiGate-6000 and 7000 mirroring of SSL inspected traffic (also called SSL port mirroring) now works as expected.

744596  Resolved an issue that could prevent RADIUS users from having to re-authenticate after the RADIUS server session timeout.

744636  Resolved an issue that could prevent FortiGate-6000 or 7000 FGCP clusters from synchronizing files received from FortiGuard after the cluster has been operating for 497 days.

746201  Resolved an issue that prevented dial-up IPsec VPN routes from being synchronized after a primary FPC or FPM failover.

747177  Resolved a FortiGate-7121F-related issue that caused latency with IPv6 active or passive FTP sessions.

747523, 747335  The FortiGate-7121F can now successfully reassemble fragmented packets if ip-reassembly is enabled using the following command:

    config system npu
        config ip-reassembly
            set status enable
        end
    end

747814  Removing an FPM from a FortiGate-7121F no longer causes synchronization issues.

748021  Resolved an issue that prevented FortiGate-7121F NP7 ESP sessions from expiring on time.

748258  The output of the get transceiver info command no longer includes error messages.

749074  Firewall sessions for firewall users that authenticate using RADIUS are deleted when the firewall authentication idle time is reached and the FortiGate is configured to ignore RADIUS session timeouts set by the RADIUS server. Before this bug was fixed, RADIUS user sessions would never time out if the FortiGate was configured to ignore RADIUS session timeouts.

749357  Resolved a memory leak that caused high memory usage on the primary FPC or FPM.

753586  Management traffic can now be sent over an inter-VDOM link. For example, you can connect from the mgmt-vdom to FortiGuard by creating an inter-VDOM link between mgmt-vdom and a VDOM connected to the internet. You can also use inter-VDOM links to connect from mgmt-vdom to a FortiManager.

755579  You can now successfully use the FortiManager Connect to CLI via SSH device manager option to connect to the FortiGate-6000 or 7000 CLI.

755833  Resolved a timing issue that could cause an FPM to stop starting up and display a waiting for data heartbeat message after using the system management module to cycle the power of both FIMs.

757521  Resolved an issue that could result in the output of the get sys interface transceiver command missing the serial numbers of some supported transceivers.

757780, 768778  The primary FPC or FPM GUI firewall policy pages now display the correct firewall policy usage data (for example, active sessions, hit counts, and so on).

758217  The global command get ipsec tunnel list now lists status information for IPsec tunnels from all VDOMs.

758445  Increased the FortiGate-7000F boot partition size. This change allows the FortiGate-7000F to support larger, more complex configurations that include more VDOMs and firewall policies. Because of this change, the process of upgrading a FortiGate-7000F system to 6.4.8 Build 1823 will take longer than normal, and during this time the FortiGate-7000F will not be able to process traffic.

758714  Resolved an issue that would sometimes cause the FortiGate-7121F to unexpectedly select a new primary FPM.

758785  The following commands now work as expected when input from the management board or the primary FIM:

    get vpn ssl monitor
    diagnose vpn ssl list
    diagnose vpn ssl mux
    diagnose vpn ssl statistics

760263  When an FPC or FPM is disabled, its entry is now removed from the Security Fabric tree.

760778, 746476  All CLI command output, GUI pages, log messages, and SNMP queries and traps use the terminology "primary" and "secondary" in place of "master" and "slave". This change does not currently apply to config CLI options. The command execute load-balance slot set-master-worker has been changed to execute load-balance slot set-primary-worker.

761052  Resolved an issue that prevented management traffic from being sent from an IPsec VPN interface.

763074  Resolved an issue that could cause two interfaces to be incorrectly assigned the same SNMP index.

767175  Resolved an issue that prevented switching a VDOM between transparent and NAT mode if all licensed VDOMs had been created.

767666  Resolved an issue that caused traffic to be dropped after adding an EMAC-VLAN interface.

769865  Information formerly displayed by the Management plane and data plane dashboard widgets is now displayed by the Configuration Sync Monitor.

770280, 753798, 746008  FortiGate-6000s or 7000s in a virtual clustering configuration can now correctly resolve domain names.

771677  Resolved an issue with displaying firewall policy statistics on the FortiGate-6000 management board GUI.

772287  Local-in and local-out traffic now works as expected for FPCs or FPMs on a FortiGate-6000 or 7000 that is operating as the primary FortiGate for virtual cluster 2.

772294  Resolved an issue with IPv4 BFD packet handling that blocked finding OSPF and BGP neighbors.

772414  Resolved an issue that sometimes prevented sending log messages from FPCs or FPMs.

778296  Resolved an issue that could block passthrough or local-in traffic for a newly created VDOM. The issue did not affect local-out traffic.

Common vulnerabilities and exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID  CVE references

752134  FortiOS 6.4.8 for FortiGate-6000 and 7000 series is no longer vulnerable to the following PSIRT incident number:

  • CVE-2021-42757