Fortinet Document Library


Resolved Issues

The following issues have been fixed in version 6.0.9. For inquiries about a particular bug, please contact Customer Service & Support.

Data Leak Prevention

| Bug ID | Description |
| --- | --- |
| 591178 | WAD fails to determine the correct file name when downloading a file from Nextcloud. |

DNS Filter

| Bug ID | Description |
| --- | --- |
| 561297 | DNS filtering does not perform well on the zone transfer when a large DNS zone's AXFR response consists of one or more messages. |
| 563441 | 7K DNS filter breaking DNS zone transfer. |

Explicit Proxy

| Bug ID | Description |
| --- | --- |
| 578098 | Unwanted traffic log generated for firewall policy with web filter profile as MonitorAll. |
| 594598 | Enabling proxy policies (+400) increases memory by 30% and up to 80% total. |

Firewall

| Bug ID | Description |
| --- | --- |
| 535303 | Address page takes more than 15 seconds to load with certain configurations. |

FortiView

| Bug ID | Description |
| --- | --- |
| 542154 | Custom admin is unable to load FortiView when VDOMs or FortiCloud logging are enabled. |
| 556178 | FortiView > Sources historical view sometimes cannot retrieve data from FortiCloud. |
| 603344 | Sources and Destinations realtime pages cannot load due to [object Object] JavaScript error. |

GUI

| Bug ID | Description |
| --- | --- |
| 486230 | GUI on FG-3800D with 5.6.3 is very slow for configurations with numerous policies. |
| 493704 | While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs. |
| 543260 | When modifying the g-default web filter, access denied error message appears. |
| 545443 | GUI is slow in FG-300D, FG-500D, FG-600D, FG-1000D, and FG-1200D with a high number of firewall policies. |
| 546580 | Should not be able to unset user or user group on an SSL VPN policy when inline editing the source column in the policy list. |
| 556397 | IP pools in SSL VPN settings are overwritten when SSL VPN settings are modified in the GUI. |
| 559866 | When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via the management tunnel. |
| 575592 | IP pool and tunnel mode settings in config vpn ssl web portal are overwritten when SSL VPN settings are modified in the GUI. |
| 593624 | GUI behavior is different with local user using super admin profile and TACACS user using super admin profile. |
| 605493 | Admin cannot log in to FortiGate GUI. |

HA

| Bug ID | Description |
| --- | --- |
| 523582 | ha-mgmt gateway IP gets synced from the master to slave after restoring configurations. |
| 530215 | application hasync returns "*** signal 11 (Segmentation fault) received ***". |
| 557277 | FGSP configured with standalone-config-sync will sync the FortiAnalyzer source IP configuration to the slave. |
| 560107 | Cluster upgrade from 5.6.7 build 1653 to SB 5.6.8 build 3667 takes longer than normal. |
| 576638 | HA cluster GUI change does not send logs to the slave immediately. |
| 585348 | default-gateway injected by dynamic-gateway on PPP interface deleted by other interface down. |

Intrusion Prevention

| Bug ID | Description |
| --- | --- |
| 567923 | Receiving IPS engine application crash messages. |
| 601944 | IPS engine 4.045 (FG-2000E with FOS 6.0.6) signal 14 crash occurred. |

IPsec VPN

| Bug ID | Description |
| --- | --- |
| 550333 | In an ADVPN spoke with one interface connecting to two hubs, the shortcut created on receiver side matches to the wrong phase 1. |
| 575477 | IKED memory leak. |
| 589096 | In IPsec after HA failover, performance regression and IKESAs are lost. |

Log & Report

| Bug ID | Description |
| --- | --- |
| 493886 | reportd is sometimes stuck at 99% CPU usage. |
| 527991 | Add CLI setting to configure timeout value when connecting to FortiGate Cloud. Enable async_log retrieval from FortiGate Cloud. |
| 565505 | miglogd high CPU utilization. |
| 586038 | FortiOS 6.0.6 reports too long VPN tunnel durations in local report. |
| 596278 | sentdelta and rcvddelta showing 0 if syslog format is set to CSV. |
| 596398 | sentdelta and rcvddelta log fields appear as 0 in syslog CEF format. |
| 599860 | When logtraffic is set to all, existing sessions cannot change the egress interfaces when the routing table is updated with a new outgoing interface. |

Proxy

| Bug ID | Description |
| --- | --- |
| 525328 | External resource does not support no content length. |
| 566859 | In WAD conserve mode 5.6.8, max_blocks value is high on some workers. |
| 573028 | WAD crash causing traffic interruption. |
| 579400 | High CPU with authd process caused by WAD parsing multiple line content-encoding error and IPC broken between wad and authd. |

REST API

| Bug ID | Description |
| --- | --- |
| 587470 | REST API to support revision flag. |

Routing

| Bug ID | Description |
| --- | --- |
| 581488 | BGP Confederation router sending incorrect AS to neighbor group routers. |
| 584394 | VRRP on LAG cannot forward packet after vrrp-virtual-mac is enabled. |
| 587198 | After failover/recovery of link, E2 route with non-zero forward address recurses to itself as a next hop. |
| 592599 | FortiGate sends malformed OSPFv3 LSAReq/LSAck packets on interfaces with MTU = 9k. |
| 595937 | PPPoE interface bandwidth is mistakenly calculated as 0 in SD-WAN. |
| 598665 | BGP route is in routing table but not in FIB (kernel routing table). |

Security Fabric

| Bug ID | Description |
| --- | --- |
| 583107 | The Access Layer Quarantine action is not propagated to the downstream device in Security Fabric > Automation. |
| 587758 | Invalid CIDR format shows as valid by the Security Fabric threat feed. |
| 588262 | IP address Threat Feed Fabric connector not working. |

SSL VPN

| Bug ID | Description |
| --- | --- |
| 546280 | Internal website (confluence.1wa.local) not loading all elements with SSL VPN web mode (it works fine internally). |
| 559785 | FortiMail login page with SSL VPN portal not displaying correctly. |
| 561585 | SSL VPN does not show correctly in the Windows Admin Center application. |
| 571005 | NextCloud through SSL VPN behaving strangely. |
| 580182 | The EOASIS website is not displayed properly using SSL VPN web mode. |
| 586032 | Unable to download report from an internal server via SSL VPN web mode connection. |
| 599668 | In SSL VPN web mode, page keeps loading after user authenticates into internal application. |
| 599671 | In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section. |

Switch Controller

| Bug ID | Description |
| --- | --- |
| 592111 | FortiSwitch shows offline CAPWAP response packet getting dropped/failed after upgrading from 6.2.2. |

System

| Bug ID | Description |
| --- | --- |
| 527599 | Internal prioritization of OSPF/BGP/BFD packets in conjunction with HPE feature to ensure these routing packets are handled in time. It affected all NP6 platforms. |
| 527942 | diagnose firewall proute list should not print vwl_mbr_seq if it is not generated by the VWL service rule. |
| 545449 | IPinIP traffic over another IPinIP is dropped in NP6-Lite when offloading is enabled. |
| 547712 | HPE does not protect against DDoS attacks like flood on IKE and BGP destination ports. |
| 548443 | DHCP-enabled interfaces occasionally fail to perform discovery. |
| 561234 | FG-800D shows wrong HA, ALARM LED status. |
| 573090 | Making a change to a policy using inline editing is very slow with large table sizes. |
| 576337 | SNMP polling stopped when FortiManager API script executed onto FortiGate. |
| 578531 | The FortiCloud daemon (forticldd) resolves mgrctrl1.fortinet.com to the wrong IP address. |
| 580883 | DNS servers acquired via PPPoE in non-management VDOMs are used for DHCP DNS server option 6. |
| 582498 | Traffic cannot be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress interface in a policy with IPS. |
| 582520 | Enabling offloading drops fragmented packets. |
| 586034 | Enabling ECN dramatically decreases TCP throughput on FG-3400E. |
| 586301 | GUI cannot show default Fortinet logo for replacement messages. |
| 588202 | FortiGate returns an invalid configuration when FortiManager retrieves the configuration. |
| 589079 | QSFP interface goes down when the get system interface transceiver command is interrupted. |
| 589234 | Local system DNS setting instead of DNS setting acquired from upstream DHCP server was assigned to client under management VDOM. |
| 592699 | Console outputs master change information after entering forticontroller mode and config-error-log. |
| 594577 | Out of order packets for an offloaded multicast stream. |
| 598357 | Low throughput on subinterfaces VLAN because IP packets are marked with ECN = CE flag. |
| 603194 | NP multicast session remains after the kernel session is deleted. |

User & Device

| Bug ID | Description |
| --- | --- |
| 547657 | Guest portal RADIUS authentication failure due to FortiAuthenticator trying to resolve third-party websites as access points. |
| 549662 | RADIUS MSCHAP-v2 authentication fails against Windows NPS with non-ASCII characters in user password. |
| 587519 | fnbamd has high CPU usage and user is unable to authenticate. |
| 592241 | Gmail POP3 authentication fails with certificate error since version 6.0.5. |

VM

| Bug ID | Description |
| --- | --- |
| 577653 | vMotion tasks cause connections to be dropped as sessions related to vMotion VMs do not appear on the destination VMX. |
| 591563 | Azure autoscale not syncing after upgrading to 6.2.2. |
| 592611 | HA not fully failing over when using OCI. |

VoIP

| Bug ID | Description |
| --- | --- |
| 580588 | SDP information fields are not being natted in multipart media encapsulation traffic. |
| 582271 | Add support for Cisco IP Phone keepalive packet. |

WiFi Controller

| Bug ID | Description |
| --- | --- |
| 580169 | Captive portal (disclaimer) redirect not working on Android phones. |

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

| Bug ID | CVE references |
| --- | --- |
| 491701 | FortiOS 6.0.9 is no longer vulnerable to the following CVE Reference: CVE-2018-9195. Please read the section under Upgrade Information > FortiGuard protocol and port number. |
| 565708 | FortiOS 6.0.9 is no longer vulnerable to the following CVE Reference: CVE-2019-6696 |
| 569310 | FortiOS 6.0.9 is no longer vulnerable to the following CVE Reference: CVE-2019-15703 |
| 576941 | FortiOS 6.0.9 is no longer vulnerable to the following CVE Reference: CVE-2019-15703 |
