Resolved Issues

The following issues have been fixed in version 6.0.12. For inquiries about a particular bug, please contact Customer Service & Support.

Antivirus

Bug ID

Description

582368

URL threat detection version shows a large negative number after FortiGate reboots.

Firewall

Bug ID

Description

520558

Should not do passive port NAT for FTP session helper.

643446

Fragmented UDP traffic is silently dropped when fragments have different ECN values.

683604

When changing a policy and creating a firewall sniffer concurrently, there is traffic that is unrelated to the policy that is being changed and matching the implicit deny policy. Some IPv4 firewall policies were missing after the change.

FortiView

Bug ID

Description

650447

Negative value displayed in the Bytes column on the FortiView > VPN page.

GUI

Bug ID

Description

467495

A message stating that all source interfaces have no members is erroneously displayed for the explicit proxy policy list when a user enables a policy immediately after pasting or inserting it into the list.

587673

The Interface Pair View option is always unavailable for the Proxy Policy list.

662434

Aggregated interfaces that are also in a zone are not displayed correctly in the GUI. They are displayed correctly in the Zone section of Network > Interfaces, but not in the Aggregate section.

HA

Bug ID

Description

507013, 525522

HA configuration checksum mismatch between debug zone and checksum.

530215

Application hasync may crash several times due to out-of-bounds memory access when processing hastat data.

540600

The HA hello-holddown value is divided by 10 in the hatalk daemon, which makes the hello-holddown time 10 times less than the configuration.

584551

hatalk keeps exchanging heartbeat packet incorrectly with FortiManager.

601550

Application hasync may crash several times due to out-of-bounds memory access when processing hastat data.

621583

HA status is not displayed in the GUI when HB cables reconnect.

637711

CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary devices.

643958

Inconsistent data from FFDB caused several confsyncd crashes.

651674

Long sessions lost on new primary after HA failover.

654341

The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one VDOM.

Intrusion Prevention

Bug ID

Description

668631

IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates.

691395

Signature false positives causing outage after IPS database update.

IPsec VPN

Bug ID

Description

610203

When an offloaded IPsec SA uses NP6 reserved space, it gets stuck and packets on the tunnel start to drop.

Log & Report

Bug ID

Description

513959

Memory usage in event log does not match the number in get system performance status.

551031

FortiGate lost logs to FortiAnalyzer when the route was changed without the physical interface going down.

555161

Application miglogd crashes when numerous DLP logs are generated, where DLP archive files use up system inodes.

634947

rlogd signal 11 crashes.

643099

logid=0000000020 is generated even with set logtraffic disable in the policy.

Proxy

Bug ID

Description

501299

WAD sometimes does not spawn any workers when configuring FG-101E after a factory reset.

578850

Application WAD crashes several times due to signal alarm.

603195

Multiple WAD crashes with signal 11.

615391

Reusing the buffer region caused frequent WAD crashes.

617099

WAD crashes every few minutes.

620453

Application WAD crashes several times due to signal alarm.

621787

On some smaller models, WAD watchdog times out when there is a lot of SSL traffic.

653099

Wildcard URL filter in proxy mode with ? and * not always handled properly.

Routing

Bug ID

Description

576930

Time stamps are missing in routing debugs.

593887

High CPU usage from link monitor daemon.

641022

Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP changes.

Security Fabric

Bug ID

Description

609182

Security Fabric Settings page sometimes cannot load FortiSandbox URL threat detection version despite FortiSandbox being connected.

SSL VPN

Bug ID

Description

548599

SSL VPN crashes on parsing some special URLs.

551695

Office365 applications through SSL VPN bookmarks.

573727

Cannot establish an SSL VPN connection using FortiClient for Mac OS when os-check is enabled and the action is allow.

573853

TX packet drops on SSL root interface.

580377

Unable to access https://outlook.office365.com as bookmark in SSL VPN web mode.

591613

https://outlook.office365.com cannot be accessed in SSLVPN web portal.

596273

sslvpnd worker process crashes, causing a zombie tunnel session.

608453

Internal website is not accessible from SSL VPN due to some Sage X3 JS files with errors.

610995

Error in SSL VPN web mode when accessing internal website, https://st***.st*.ca/.

617170

https://outlook.office365.com cannot be accessed in SSLVPN web portal.

622068

Adding FQDN routing address in split tunnel configuration injects single route in client for multiple A records.

633114

Cannot access internal website pl***.fr using SSL VPN web mode.

633684

Host check causing Mac users to be unable to connect to SSL VPN.

644506

Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password.

646429

Update Telnet idle timeout setting.

648192

Improve DTLS tunnel performance by allowing multiple packets to be read from the kernel driver, and redistribute the UDP packets to several worker processes in the kernel.

648433

Internal website loading issue in SSL VPN web portal for ca***.fr.

656557

The map on the http://www.op***.org website could not be shown in SSL VPN web mode.

662042

The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.

664121

SCM VPN disconnects when performing an SVN checkout.

665879

When sslvpn processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML.

670803

Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode.

System

Bug ID

Description

508085

The address object is still created even if the user sets an invalid address.

540354

WAD high CPU usage on FortiGate models not supporting SSH proxy in FOS 5.6. After upgrade to FOS 6.0, the SSL SSH profile certificate-inspection has its SSH status incorrectly set to deep inspection.

571720

Using DHCP to acquire addresses for mode-config with certificates fails to send DHCP request.

585841

Console prints out unregister_netdevice error on UOM setup.

587521

In VIP server load-balancing, persistence http-cookie is not refreshed after the timer.

598464

Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.

605723

FG-600E stops sending out packets on its SFP and copper port on NP6.

623775

newcli daemon crash due to FTM user token activation email processing.

627629

DHCP client sent invalid DHCPREQUEST format during INIT state.

628642

Issue when packets from the same session are forwarded to each LACP member when NPx offloading is enabled.

631296

Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency.

633827

Errors during fuzzy tests on FG-1500D.

634929

NP6 SSE drops after a couple of hours in a stability test.

642005

FortiGate does not send service-account-id to FortiManager via fgfm tunnel when FortiCloud is activated directly on the FortiGate.

649729

HA sync packets are hashed to a single queue while sync-packet-balance is enabled.

660709

The sflowd process has high CPU usage when application control is enabled.

666030

Empty firewall objects after pushing several policy deletes.

User & Device

Bug ID

Description

604844

The user group auth-concurrent setting is not working as expected.

637577

Inconsistent fnbamd LDAP group match result.

675539

FSSO collector status is down, even though it is reported as connected by authd in a multi-VDOM environment.

VM

Bug ID

Description

656701

FG-VMX service manager enters conserve mode; cmdbsvr has high memory utilization.

Web Filter

Bug ID

Description

553593

diagnose debug urlfilter test-url <URL> returns URL test cache miss even though the test URL is in the web filter rating cache.

WiFi Controller

Bug ID

Description

608717

Packet loss over CAPWAP tunneled SSID.

618456

High cw_acd usage upon polling a large number of wireless clients with REST API.

680503

The current Fortinet_Wifi certificate will expire on 2021-02-11.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

606237

FortiOS 6.0.12 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-6648
