
Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 7.0.5 Build 0057. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 7.0.5 release notes also apply to FortiGate-6000 and 7000 FortiOS 7.0.5 Build 0057.

Bug ID Description

724543 Interface bandwidth dashboard widgets show incorrect outbound bandwidth usage.
782978 When setting up a FortiGate-6000 or 7000 FGCP HA cluster, one of the FortiGates in the cluster may be running an older firmware version. During cluster formation, the newer firmware version is installed on the FortiGate running the older firmware version. After the firmware is downloaded and before the FortiGate restarts, the console may display incorrect error messages. Even when these error messages appear, the FortiGate should start up normally, running the newer firmware version, and should be able to join the cluster.
785815 An FPM may display an incorrect checksum message on the console while restarting. The FPM will continue to operate normally after fully starting.

803082 Policy statistics data that appear on the GUI firewall policy pages and in FortiView may be incorrect.

803536 A FortiGate-6000 or 7000 may not correctly synchronize routes after various failover scenarios. For example, after a FortiGate-6000 selects a new primary FPC, the routes on the FPC that was the primary FPC should have their protocol changed, but this change may not always occur.
811782 UDP-encapsulated ESP (UESP) sessions that use the normal IKE port (port 4500) are load balanced by the DP or NP7 processor in the same way as normal IPsec traffic. You can use the ipsec-tunnel-slot option when creating a phase 1 configuration to control how UESP tunnels are load balanced. However, if UESP sessions use a custom IKE port, the DP or NP7 processor does not handle them as IPsec packets. Instead, they are load balanced by the DP or NP7 processor in the same way as any other traffic. If required, you can adjust load balance settings or add a flow rule for UESP sessions using a custom IKE port.
813569 Operating a FortiGate-6000 or 7000 as an SSL VPN client is not supported.
820988 When configuring an SNMP community, the source-ip option is not supported for the FortiGate-6000 and 7000. When the source-ip option is configured, SNMP can't send traps for this community.

827937, 815874, 822410 Multiple issues with Zero Trust Network Access (ZTNA) features. FortiOS 7.0.5 for FortiGate-6000 and 7000 does not support ZTNA.

824205 If an FPM completes starting up when no FIMs are running or all FIMs are in the process of starting up, there is a chance that the FPM will not be synchronized once the primary FIM has restarted.
830454 Changing the FPC or FPM that an IPsec tunnel is using can cause traffic in the tunnel to be blocked. The problem is a timing issue, so sometimes traffic will be unaffected when making this configuration change and other times it may be blocked.
832353 After factory resetting an FPM, if the configuration synchronized to it contains EMAC VLAN interfaces, the MAC addresses of the EMAC VLAN interfaces on the FPM may be different from the MAC addresses of the same EMAC VLAN interfaces on the primary FIM. The configuration synchronization checksum for the FPM is the same as for the other FPMs and FIMs, even though the EMAC VLAN interfaces have different MAC addresses.
833488 A CMDB issue can result in the fcnacd process adding a VDOM during stress testing.

878934 Some relatively large routing configurations may cause the fctrlproxyd process to periodically use excessive amounts of CPU time (up to 99%), usually as a result of routing configuration changes. Restarting the fctrlproxyd process is not recommended because this will not resolve the high CPU usage problem and can cause interface flapping.

1093412 On the FortiGate 6000 and 7000 platforms, the encryption option of the config system standalone-cluster command does not encrypt session synchronization traffic. Enabling this option has no effect.
