Fortinet Document Library


Resolved Issues

The following issues have been fixed in version 6.2.1. For inquiries about a particular bug, please contact Customer Service & Support.

AntiVirus

Bug ID

Description

528743

Copy/paste of IPv4 policy does not work once AV profile is applied.

557259

FortiGates using AV-Profile proxy mode with servercomfort options enabled sending same request twice to the server.

Data Leak Prevention

Bug ID

Description

540903

Missed filename in the office365_Attachment. Download DLP log while it is blocked\Allowed.

547437

WAD crash due to scheduler error occurs when oversized file is bypassing the DLP sensor.

548396

DLP archiving intermittently blocks a file when it should be log only.

DNS Filter

Bug ID

Description

505474

DNS events are not included in the security event list.

525068

No need to resolve safe search FQDN if not used.

Endpoint Control

Bug ID

Description

521645

Traffic blocked after enabling Compliance on SSL VPN interface.

554765

Revert IPv6 src-spoof for GTP.

Explicit Proxy

Bug ID

Description

545724

FortiGate cannot upload file to FortiSandbox when AV profile added in only Proxy-policy.

548415

User cannot pass authentication after timeout if using IP-based authentication.

Firewall

Bug ID

Description

474239

Some DCE-RPC mapped connections are intermittently blocked by policy 0.

521913

Session timers don’t update for VLAN traffic over VWP.

524599

Sessions TTL expire timer is not reset when traffic goes through if traffic is offloaded in a TP VDOM.

537349

VIP with central NAT does not hide real IP.

539530

Firewall-session-dirty check-new is blocking traffic and causing session spike.

543469

Cannot create VIP6 range over 31 bits.

546953

DNS Filter column and Profile Group column are missing on policy list.

551747

Not able to configure VIP from GUI with port forwarding for the same TCP and UDP port.

555992

Changes to per-IP shaper settings not reflected in offloaded sessions.

560617

FortiGate logging is not stable: failed-log and log-in-queue.

FortiView

Bug ID

Description

538873

Traffic shaper info missing under Shaper column in FortiView.

539981

Unable to see Source DNS Name in FortiView.

GUI

Bug ID

Description

504770

Introduce an enable/disable button in the GUI to toggle central SNAT table.

532309

Custom device page keeps loading and cannot create device group.

537550

HTTPSD uses high CPU when accessing GUI network interfaces.

545074

Unable to login into FortiGate GUI with Yubikey. CLI works as expected.

546254

Forward traffic log cannot be shown on Windows Edge browser.

547393

GUI still shows fortianalyzer-cloud connection status error even after FortiGate connects to fortianalyzer-cloud.

547458

Cannot access VOIP profile list and only the default profile editor is shown.

547808

Security rating event logs cannot be shown in split-vdom FortiGate GUI.

548091

Cannot configure network interface IP addresses from GUI for FG-5001D and FG-5001E.

552329

NP6 sessions dropped after any change in GUI.

HA

Bug ID

Description

501200

Requirement for disabling IPsec SA and IKE SA in FGSP cluster-sync solution.

519266

FGT-HA does not fail over when pingserver is down the second time.

538512

ha-direct option for OCSP.

543724

After restoring configuration, FortiGate added unexpected parameters that are not set.

545371

Being Dual Master in specific situation if two pingsvr is set.

546714

GARP is output even though GARP setting is disabled.

547367

Cannot synchronize slave from scratch in v6.0.4 with 500 VDOMs, duplicate global profiles.

547700

HA out of sync after upgraded in multi-VDOM environment.

548695

FortiGate master not sending all system events.

549969

After upgrade to special build 5.6.7 b3638, cluster is out of sync when a new guest user is created.

549991

fgLinkMonitorState is not accurate.

553231

Moving VDOM between virtual clusters causes cluster to go out of sync.

556057

FGSP cluster members showing out of sync with four members.

ICAP

Bug ID

Description

541423

After any configuration change is applied to FortiGate device, the Symantec ICAP server rejects connections due to too many connections.

551488

FortiGate not sending blocked content page received from the ICAP server to the client.

Intrusion Prevention

Bug ID

Description

528860

IPS archive PCAP periodically cannot capture.

546399

FortiOS runs to conserve mode because IPS engine is taking a lot of memory (memory leak in heap).

548649

IPS custom signature is not detected after FortiGate is rebooted or upgraded.

548908

SSL mirroring does not work on VLAN interface with NTURBO enabled.

552168

IPS archive PCAP usage cannot clear by deleting IPS log and actual PCAP files.

553262

TCP connections through IPsec (bound to loopback) do not work when IPS offload is enabled to NTurbo.

556538

Enabling IPS on IPv4 policy impacting HTTPS traffic over the site to site VPN using PPOE for internal servers.

IPsec VPN

Bug ID

Description

474870

Source MAC address is not updated for offloaded IPsec sessions.

481201

The OCVPN feature is delayed about one day after registering on FortiCare.

518681

npu-offload enabled and failover occurred on the checkpoint firewall (upstream firewall) the tunnel is up but traffic is not passing.

534444

Unable to delete IPsec VPN tunnel phase-1 interface config even though we do not have any reference.

542169

Dialup IPsec "net-device" should continue to default to "disable" in 6.2.

545871

IPsec tunnel can't establish if OCVPN members with different Fortinet_CA and Fortinet_factory cert.

546212

Multiple ADVPN shortcuts should be allowed between two spokes.

546459

IKE route overlap should be allowed across two distinct dialup phase1 with 'net-device disable'.

547062

After VDOM config restore, routes are active for IPsec tunnels that are not active.

547293

OSPF point-to-multipoint re-convergence with dialup IPsec.

548032

IKEv2 tunnel does not establish to Google VPN Gateway because of Identification Payload mismatch.

Log & Report

Bug ID

Description

545322

Send interface information to FortiAnalyzer using miglogd.

551031

FortiGate lost logs to FortiAnalyzer when route is changed and without physical interface down.

Proxy

Bug ID

Description

513470

WAD crashes on wad_http_client_notify_scan_result.isra.XXX.

522827

Add GUI support for unsupported-ssl option in SSL inspection profile.

542189

AV profile in proxy mode, with inspect-all enabled, causes timeout when accessing some sites.

544517

WAD process crashing and affecting HTTP/HTTPS traffic.

546360

When applying proxy address in transparent proxy policy, FortiGate blocks traffic and reports SSL_ERROR_SYSCALL.

549295

WAD crash causes high CPU usage.

549660

WAD crashes with signal 11.

549787

Unable to fetch the Root and Intermediate Certificate.

550895

FG-1500D goes into kernel conserve mode. WAD process consuming high memory.

REST API

Bug ID

Description

541246

Segmentation Fault when generating VPN certificate via REST API.

Routing

Bug ID

Description

503686

Application PDMD crashes.

528145

BGP Configuration gets applied to the wrong VDOM if user switches VDOM selection in between operations (slow GUI).

529512

SSL VPN user gets disconnected when load-balance-mode is measured-volume-based in SD-WAN.

535055

When adding more than seven VPN tunnels to SD-WAN, PPOE default routes disappear.

537054

IPsec interface Internet service router can't work normally.

540682

SD-WAN sends traffic to interfaces with volume-ratio set to 0.

546198

SD-WAN performance SLA via GRE-Tunnel fails to set options or connect ping6 socket for monitor.

549958

Kernel panic due to deletion of ECMP session.

550342

Since upgrade to 6.2, getting RADVD IPv6 router advertisement logs, although IPv6 is not configured on receiving interface.

551492

BGP neighbors are lost on configuration change (large configuration file).

552350

BFD peers down, not seen (over BGP up).

554077

OSPF MD5 authentication issues after upgrade to 6.2.0.

558689

Traffic dropped by anti-replay in ECMP with IPS.

558690

Session timer left at half-open value once established in an ECMP with IPS context.

559146

When a route is evaluated with multiple match conditions including route tag in a route map, route tag is evaluated.

559149

Wrong protocol and sport shown for SD-WAN and regular policy routes.

561097

SD-WAN rule corrupted upon reboot after ISDB update.

Security Fabric

Bug ID

Description

525572

Security Fabric topology page always shows FortiGate HA slave has incompatible firmware version.

547509

Fail to configure Security Fabric if only enable FortiAnalyzer cloud logging not FortiAnalyzer logging in GUI.

547659

Access denied error when reviewing security recommendations from physical topology in VDOM mode.

557821

IP threat feed won't work.

SSL VPN

Bug ID

Description

489110

SSL VPN web-mode fails to access Angular 5 application.

509333

SSL VPN to Nextcloud doesn't open.

513572

FortiGate not sending Framed-IP-Address attribute for SSL VPN tunnel in RADIUS accounting packet.

515158

SSL VPN web portal login FGT6.0.3 B0191 admin gets blank page.

522571

LAG interface not available for SSL VPN listening interface.

527476

Update from web mode fails for SharePoint page using MS NLB.

539207

Unable to get to http://spiceworks.int.efwnow.com:9750/tickets/v2#open_tickets via SSL VPN bookmark.

539719

Signal 11 (segmentation fault) on application sslvpnd.

540059

Graylog web application is not working through SSL VPN HTTPS.

540328

SSL VPN web mode accessing internal server getting ERR_EMPTY_RESPONSE in browsers.

542480

Internal server script stuck at loading when page accessed over SSL VPN web portal.

542706

With groups and its users in different SSL VPN policies and accessing resources via web, only user based policies are processed.

543091

RDP through SSL VPN web mode disconnects if copying long text.

545440

The command user-bookmark should not be a prerequisite command for allow-user-access as it also affects Quick Connections.

545810

Subpages on internal websites are not working via SSL VPN web mode.

546161

TX packet drops on ssl.root interface.

546187

SSL VPN login auth times out if primary RADIUS server becomes unavailable.

546280

Internal web site (confluence.1wa.local) not loading all elements with SSL VPN web mode (internally it works fine).

546748

Cannot log in to internal server through SSL VPN web mode.

547069

Customer application is displayed wrong through SSL VPN bookmark.

548321

SSL VPN does not open QNAP shared folder link.

549588

No Error: Permission denied prompt when using the wrong username/password login SSL VPN web with special replacement login page.

549654

Citrix bookmarks should be disabled in SSL VPN portal.

549924

Local resource web interface not loading through SSL VPN web mode.

551535

http 302 redirection is not parsed by SSL VPN proxy (web mode / bookmark).

551923

SSL VPN crashing constantly.

552018

Web mode gets JavaScript errors when accessing internal web site.

553540

Empty RADIUS accounting info supplied for SSL VPN users via account-interim-interval.

554378

SSL VPN bookmark sending back to portal home after correct login inside backend application.

554740

Fails to load web pages in SSL VPN web portal.

555983

Internal web portal replies with HTTP 404 Not Found when accessed via SSL VPN web portal bookmark.

556326

SSL VPN web mode JavaScript error accessing internal resources.

559790

SSL VPN web-mode not performing proxy properly on internal websites.

559932

Customer unable to load website through web-mode SSL VPN.

Switch Controller

Bug ID

Description

548145

Configuring FortiLink from GUI does not work on platforms that do not support hardware switch.

549770

FortiSwitch export-to commands do not sync, causing HA sync problem.

555366

VLAN tagging issue to trunk having space in names.

System

Bug ID

Description

493128

bcm.user always takes nearly 70% CPU after running Nturbo over IPsec script.

527868

SLBC FortiOS should prevent change of default management VDOM.

529932

Primary DNS server is not queried even after 30 seconds.

533214

After executing shutdown, FGT90E keeps responding to ICMP requests.

534757

Device 80D reboots every 2-3 days with a kernel panic error.

537571

IPS/AV not forwarding return traffic back to clients.

537989

Kernel static route randomly lost.

540634

Status of a port member of a redundant interface changes if an alias is set.

540905

SNMP trap: FortiGate does not generate fgTrapAvOversizeBlock and fgTrapAvOversizePass.

541527

Changing the order of VDOM in system admin when connected with TACACS+ wildcard admin is not propagated to other blades.

542441

SNMP monitoring of the implicit deny policy not possible.

542482

NTurbo is causing TX_XPX_QFULL.

544828

FortiGate 301E consumes high memory even when there's no traffic.

545717

USB Modem Huawei E173u-2 not working on FortiGate 60E device.

546169

DHCPD is using more memory on the slave unit than the active unit.

546746

Cannot lease DHCP address over IPsec for dialup-forticlient users.

547625

Physical interface, part of aggregate interface, disabled with CLI not going down after reboot.

547720

FortiGate does not support DH 1024 bits as SSH server.

547869

LACP member ports exhibit odd behavior regarding admin up and down.

548076

FortiGateCloud cannot restore configuration on FortiGate.

548315

Execute ping does not provide accurate time values.

548443

DHCP enabled interface occasionally fails to perform discovery.

548553

VDOM restore has config loss when interfaces have subnet overlap.

549922

Cannot add description to security zones.

550797

Misleading CLI help left over.

551374

DNSProxy causes the device to go to conserve mode.

551696

Status of a port member of an aggregated interface changes if a member's alias/description is set.

552908

Restoring VDOM configuration removes interfaces from zones.

552935

FortiGate admin access does not offer SSH-RSA when EC Certificate is used for GUI admin-server-cert.

554099

Can't poll SNMP v3 statistics for BGP when ha-direct is enabled under SNMP user.

555994

Kernel/system memory leak.

Upgrade

Bug ID

Description

546874

Increase firewall.address tablesize for 80-90 series.

548256

Upgrading to v6.2 from v6.0.x causes CIFS/SMB configurations in AV profile to be lost.

548813

Upgrading or downgrading the firmware image using FortiGuard as the source, and as initiated from the System > Firmware page, fails during download of the firmware image. The page still can be used to view the upgrade path, but as a workaround, you will need to manually download the firmware image from Fortinet's Support site, and then initiate an upgrade or downgrade from the same page under the Upload Firmware section.

User & Device

Bug ID

Description

504375

Guest User Print Template doesn't insert the images.

518129

FSSO failover is not graceful.

533838

WAD re-signs valid web sites with Untrusted CA certificate.

534678

auth-https-port (1003) for captive portal authentication cannot disable TLS1.1 support.

535488

IP addresses of discovered devices in the device inventory menu are not showing after FortiGate reboots.

538000

FSSO(polling) user names with special character are not showing up in FortiGate.

538218

Mobile Token authentication fails in vCluster on physical slave.

538666

FortiToken assignment on vCluster VDOM master on physical slave causes configuration mismatch and physical master overwrites.

539185

Modifying Login Challenge Page to include RADIUS attributes.

543503

RSSO user automatically gets added to a wrong user group.

546600

Cannot set certificate under config certificate local.

548460

set device-identification disable is reverted to default after VDOM restore.

549662

RADIUS MSCHAPv2 authentication fails on Windows NPS with non-ASCII characters in password.

550512

RSSO - wireless roaming causing undesirable removal of RSSO sessions.

554642

LDAP - search-type recursive does not retrieve nested membership through user's primary group.

554646

FSSO fabric connector needs to be renamed and needs to show connection status again.

VM

Bug ID

Description

537788

TCP re-transmission due to VMXNET3 RX ring buffer exhaustion.

540641

FortiGate-VM deployed in OpenStack without bootstrapping doesn't have empty password.

542794

Session size overflow on VMX causing timeout and error on NSX vMotion task.

545533

FGT VMX: Default MTU of 65521 results in packet drops.

548366

Azure SDN fabric connector is showing status down.

548453

Ondemand platforms show error with FortiCare/FortinetOne login.

548531

FGT-AWS HA failover and SDN using IAM role do not work due to AWS IAM role token length being increased.

550977

AliCloud: Native FortiGate HA A-P failover does not complete in Shanghai and Hangzhou.

559051

Azure waagent process consumes high memory.

VoIP

Bug ID

Description

544877

H323/H245 helper abnormal in openLogicalChannel.

Web Filter

Bug ID

Description

435951

Traffic keeps going through the DENY NGFW policy configured with URL category.

544342

When encryption is set to yes, file-type incorrectly shows all file types when only zip files are supported.

547772

Web filter FGD category is not detected by sniffer policy for HTTPS traffic.

WiFi Controller

Bug ID

Description

491390

FWF-60E crashes intermittently with no console access at the time.

509442

Suggest to input at least 12 characters when configuring pre-shared key for WPA/WPA2-Personal SSID.

516454

FortiGate doesn't send IPv6 router-advertisement towards one AP if the same SSID is being broadcast on two different APs.

526035

Standby FortiGate reporting rogue AP on wire.

537968

Region -N DFS support required for FAP-U422EV.

539916

TCP SYN+ACK is not forwarded under specific conditions.

548101

CAPWAP tunnel does not get established on secondary IP address unless we enable CAPWAP access on primary IP address.

556451

Use firewall schedule (recurring, onetime, and group) to configure schedules for DARRP, disabling background rogue-AP scan, SSID, and FortiAP LED state.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Vulnerability

FortiOS 6.2.1 is no longer vulnerable to the issue described in the following link - https://fortiguard.com/psirt/FG-IR-19-144.

Bug ID

CVE references

503568

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2018-13367

532730

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-6693

539962

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-5591

548154

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-3855
  • CVE-2019-3856
  • CVE-2019-3857
  • CVE-2019-3858
  • CVE-2019-3859
  • CVE-2019-3860
  • CVE-2019-3861
  • CVE-2019-3862
  • CVE-2019-3863

555805

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-5593

Resolved Issues

The following issues have been fixed in version 6.2.1. For inquires about a particular bug, please contact Customer Service & Support.

AntiVirus

Bug ID

Description

528743

Copy/paste of IPv4 policy does not work once AV profile is applied.

557259

FortiGates using AV-Profile proxy mode with servercomfort options enabled sending same request twice to the server.

Data Leak Prevention

Bug ID

Description

540903

Missed filename in the office365_Attachment. Download DLP log while it is blocked\Allowed.

547437

WAD crash due to scheduler error occurs when oversized file is bypassing the DLP sensor.

548396

DLP archiving intermittently blocks a file when it should be log only.

DNS Filter

Bug ID

Description

505474

DNS events are not included in the security event list.

525068

No need to resolve safe search FQDN if not used.

Endpoint Control

Bug ID

Description

521645

Traffic blocked after enabling Compliance on SSL VPN interface.

554765

Revert IPv6 src-spoof for GTP.

Explicit Proxy

Bug ID

Description

545724

FortiGate cannot upload file to FortiSandbox when AV profile added in only Proxy-policy.

548415

User cannot pass authentication after timeout if using IP-based authentication.

Firewall

Bug ID

Description

474239

Some DCE-RPC mapped connections are intermittently blocked by policy 0.

521913

Session timers don’t update for VLAN traffic over VWP.

524599

Sessions TTL expire timer is not reset when traffic goes through if traffic is offloaded in a TP VDOM.

537349

VIP with central NAT does not hide real IP.

539530

Firewall-session-dirty check-new is blocking traffic and causing session spike.

543469

Cannot create VIP6 range over 31 bits.

546953

DNS Filter column and Profile Group column is missing on policy list.

551747

Not able to configure VIP from GUI with port forwarding for the same TCP and UDP port.

555992

Changes to per-IP shaper settings not reflected in offloaded sessions.

560617

FortiGate logging is not stable: failed-log and log-in-queue.

FortiView

Bug ID

Description

538873

Traffic shaper info missing under Shaper column in FortiView.

539981

Unable to see Source DNS Name in FortiView.

GUI

Bug ID

Description

504770

Introduce an enable/disable button in the GUI to toggle central SNAT table.

532309

Custom device page keep loading and cannot create device group.

537550

HTTPSD uses high CPU when accessing GUI network interfaces.

545074

Unable to login into FortiGate GUI with Yubikey. CLI works as expected.

546254

Forward traffic log cannot be shown on Windows Edge browser.

547393

GUI still shows fortianalyzer-cloud connection status error even after FortiGate connects to fortianalyzer-cloud.

547458

Cannot access VOIP profile list and only the default profile editor is shown.

547808

Security rating event logs cannot be shown in split-vdom FortiGate GUI.

548091

Cannot configure network interface IP addresses from GUI for FG-5001D and FG-5001E.

552329

NP6 sessions dropped after any change in GUI.

HA

Bug ID

Description

501200

Requirement for disabling IPsec SA and IKE SA in FGSP cluster-sync solution.

519266

FGT-HA does not fail over when pingserver is down the second time.

538512

ha-direct option for OCSP.

543724

After restoring configuration, FortiGate added unexpected parameters that are not set.

545371

Being Dual Master in specific situation if two pingsvr is set.

546714

GARP is output even though GARP setting is disabled.

547367

Cannot synchronize slave from scratch in v6.0.4 with 500 VDOMs, duplicate global profiles.

547700

HA out of sync after upgraded in multi-VDOM environment.

548695

FortiGate master not sending all system events.

549969

After upgrade to special build 5.6.7 b3638, cluster is out of sync when a new guest user is created.

549991

fgLinkMonitorState is not accurate.

553231

Moving VDOM between virtual clusters causes cluster to go out of sync.

556057

FGSP cluster members showing out of sync with four members.

ICAP

Bug ID

Description

541423

After any configuration change is applied to FortiGate device, the Symantec ICAP server rejects connections due to too many connections.

551488

FortiGate not sending blocked content page received from the ICAP server to the client.

Intrusion Prevention

Bug ID

Description

528860

IPS archive PCAP periodically cannot capture.

546399

FortiOS runs to conserve mode because IPS engine is taking a lot of memory (memory leak in heap).

548649

IPS custom signature is not detected after FortiGate is rebooted or upgraded.

548908

SSL mirroring does not work on VLAN interface with NTURBO enabled.

552168

IPS archive PCAP usage cannot clear by deleting IPS log and actual PCAP files.

553262

TCP connections through IPsec (bound to loopback) do not work when IPS offload is enabled to NTurbo.

556538

Enabling IPS on IPv4 policy impacting HTTPS traffic over the site to site VPN using PPOE for internal servers.

IPsec VPN

Bug ID

Description

474870

Source MAC address is not updated for offloaded IPsec sessions.

481201

The OCVPN feature is delayed about one day after registering on FortiCare.

518681

npu-offload enabled and failover occurred on the checkpoint firewall (upstream firewall) the tunnel is up but traffic is not passing.

534444

Unable to delete IPsec VPN tunnel phase-1 interface config even though we do not have any reference.

542169

Dialup IPsec "net-device" should continue to default to "disable" in 6.2.

545871

IPsec tunnel can't establish if OCVPN members with different Fortinet_CA and Fortinet_factory cert.

546212

Multiple ADVPN shortcuts should be allowed between two spokes.

546459

IKE route overlap should be allowed across two distinct dialup phase1 with 'net-device disable'.

547062

After VDOM config restore, routes are active for IPsec tunnels that are not active.

547293

OSPF point-to-multipoint re-convergence with dailup IPsec.

548032

IKEv2 tunnel does not establish to Google VPN Gateway because of Identification Payload mismatch.

Log & Report

Bug ID

Description

545322

Send interface information to FortiAnalyzer using miglogd.

551031

FortiGate lost logs to FortiAnalyzer when route is changed and without physical interface down.

Proxy

Bug ID

Description

513470

WAD crashes on wad_http_client_notify_scan_result.isra.XXX.

522827

Add GUI support for unsupported-ssl option in SSL inspection profile.

542189

AV profile in proxy mode, with inspect-all enabled, causes timeout when accessing some sites.

544517

WAD process crashing and affecting HTTP/HTTPS traffic.

546360

When applying proxy address in transparent proxy policy, FortiGate blocks traffic and reports SSL_ERROR_SYSCALL.

549295

WAD crash causes high CPU usage.

549660

WAD crashes with signal 11.

549787

Unable to fetch the Root and Intermediate Certificate.

550895

FG-1500D goes into kernel conserve mode. WAD process consuming high memory.

REST API

Bug ID

Description

541246

Segmentation Fault when generating VPN certificate via REST API.

Routing

Bug ID

Description

503686

Application PDMD crashes.

528145

BGP Configuration gets applied to the wrong VDOM if user switches VDOM selection in between operations (slow GUI).

529512

SSL VPN user gets disconnected when load-balance-mode is measured-volume-based in SD-WAN.

535055

When adding more than seven VPN tunnels to SD-WAN, PPOE default routes disappear.

537054

IPsec interface Internet service router can't work normally.

540682

SD-WAN sends traffic to interfaces with volume-ratio set to 0.

546198

SD-WAN performance SLA via GRE-Tunnel fails to set options or connect ping6 socket for monitor.

549958

Kernel panic due to deletion of ECMp session.

550342

Since upgrade to 6.2, getting RADVD IPv6 router advertisement logs, although IPv6 is not configured on receiving interface.

551492

BGP neighbors are lost on configuration change (large configuration file).

552350

BFD peers down, not seen (over BGP up).

554077

OSPF MD5 authentication issues after upgrade to 6.2.0.

558689

Traffic dropped by anti-replay in ECMP with IPS.

558690

Session timer left at half-open value once established in an ECMP with IPS context.

559146

When a route is evaluated with multiple match conditions including route tag in a route map, route tag is evaluated.

559149

Wrong protocol and sport shown for SD-WAN and regular policy routes.

561097

SD-WAN rule corrupted upon reboot after ISDB update.

Security Fabric

Bug ID

Description

525572

Security Fabric topology page always shows FortiGate HA slave has incompatible firmware version.

547509

Fail to configure Security Fabric if only enable FortiAnalyzer cloud logging not FortiAnalyzer logging in GUI.

547659

Access denied error when reviewing security recommendations from physical topology in VDOM mode.

557821

IP threat feed won't work.

SSL VPN

Bug ID

Description

489110

SSL VPN web-mode fails to access Angular 5 application.

509333

SSL VPN to Nextcloud doesn't open.

513572

FortiGate not sending Framed-IP-Address attribute for SSL VPN tunnel in RADIUS accounting packet.

515158

SSL VPN web portal login FGT6.0.3 B0191 admin gets blank page.

522571

LAG interface not available for SSL VPN listening interface.

527476

Update from web mode fails for SharePoint page using MS NLB.

539207

Unable to get to http://spiceworks.int.efwnow.com:9750/tickets/v2#open_tickets via SSL VPN bookmark.

539719

Signal 11 (segmentation fault) on application sslvpnd.

540059

Graylog web application is not working through SSL VPN HTTPS.

540328

SSL VPN web mode accessing internal server getting ERR_EMPTY_RESPONSE in browsers.

542480

Internal server script stuck at loading when page accessed over SSL VPN web portal.

542706

With groups and its users in different SSL VPN policies and accessing resources via web, only user based policies are processed.

543091

RDP through SSL VPN web mode will disconnects if copying long text.

545440

The command user-bookmark should not be a prerequisite command for allow-user-access as it also affects Quick Connections.

545810

Subpages on internal websites are not working via SSL VPN web mode.

546161

TX packet drops on ssl.root interface.

546187

SSL VPN login auth times out if primary RADIUS server becomes unavailable.

546280

Internal web site (confluence.1wa.local) not loading all elements with SSL VPN web mode (internally it works fine).

546748

Cannot log in to internal server through SSL VPN web mode.

547069

Customer application is displayed wrong through SSL VPN bookmark.

548321

SSL VPN doesn not open QNAP shared folder link.

549588

No Error: Permission denied prompt when using the wrong username/password login SSL VPN web with special replacement login page.

549654

Citrix bookmarks should be disabled in SSL VPN portal.

549924

Local resource web interface not loading through SSL VPN web mode.

551535

http 302 redirection is not parsed by SSL VPN proxy (web mode / bookmark).

551923

SSL VPN crashing constantly.

552018

Web mode gets JavaScript errors when accessing internal web site.

553540

Empty RADIUS accounting info supplied for SSL VPN users via account-interim-interval.

554378

SSL VPN bookmark sending back to portal home after correct login inside backend application.

554740

Fails to load web pages in SSL VPN web portal.

555983

Internal web portal replies with HTTP 404 Not Found when accessed via SSL VPN web portal bookmark.

556326

SSL VPN web mode JavaScript error accessing internal resources.

559790

SSL VPN web-mode not performing proxy properly on internal websites.

559932

Customer unable to load website through web-mode SSL VPN.

Switch Controller

Bug ID

Description

548145

Configuring FortiLink from GUI does not work on platforms that do not support hardware switch.

549770

FortiSwitch export-to commands do not sync, causing HA sync problem.

555366

VLAN tagging issue to trunk having space in names.

System

Bug ID

Description

493128

bcm.user always takes nearly 70% CPU after running Nturbo over IPsec script.

527868

SLBC FortiOS should prevent change of default management VDOM.

529932

Primary DNS server is not queried even after 30 seconds.

533214

After executing shutdown, FGT90E keeps responding to ICMP requests.

534757

Device 80D reboots every 2-3 days with a kernel panic error.

537571

IPS/AV not forwarding return traffic back to clients.

537989

Kernel static route randomly lost.

540634

Status of a port member of a redundant interface changes if an alias is set.

540905

SNMP trap: FortiGate does not generate fgTrapAvOversizeBlock and fgTrapAvOversizePass.

541527

Changing the order of VDOM in system admin when connected with TACACS+ wildcard admin is not propagated to other blades.

542441

SNMP monitoring of the implicit deny policy not possible.

542482

NTurbo is causing TX_XPX_QFULL.

544828

FortiGate 301E consumes high memory even when there's no traffic.

545717

USB Modem Huawei E173u-2 not working on FortiGate 60E device.

546169

DHCPD is using more memory on the slave unit than the active unit.

546746

Cannot lease DHCP address over IPsec for dialup-forticlient users.

547625

Physical interface, part of aggregate interface, disabled with CLI not going down after reboot.

547720

FortiGate does not support DH 1024 bits as SSH server.

547869

LACP member ports exhibit odd behavior regarding admin up and down.

548076

FortiGateCloud cannot restore configuration on FortiGate.

548315

Execute ping does not provide accurate time values.

548443

DHCP enabled interface occasionally fails to perform discovery.

548553

VDOM restore has config loss when interfaces have subnet overlap.

549922

Cannot add description to security zones.

550797

Misleading CLI help left over.

551374

DNSProxy causes the device to go to conserve mode.

551696

Status of a port member of an aggregated interface changes if a member's alias/description is set.

552908

Restoring VDOM configuration removes interfaces from zones.

552935

FortiGate admin access does not offer SSH-RSA when EC Certificate is used for GUI admin-server-cert.

554099

Can't poll SNMP v3 statistics for BGP when ha-direct is enabled under SNMP user.

555994

Kernel/system memory leak.

Upgrade

Bug ID

Description

546874

Increase firewall.address tablesize for 80-90 series.

548256

Upgrading to v6.2 from v6.0.x causes CIFS/SMB configurations in AV profile to be lost.

548813

Upgrading or downgrading the firmware image using FortiGuard as the source, and as initiated from the System > Firmware page, fails during download of the firmware image. The page still can be used to view the upgrade path, but as a workaround, you will need to manually download the firmware image from Fortinet's Support site, and then initiate an upgrade or downgrade from the same page under the Upload Firmware section.

User & Device

Bug ID

Description

504375

Guest User Print Template doesn't insert the images.

518129

FSSO failover is not graceful.

533838

WAD re-signs valid web sites with Untrusted CA certificate.

534678

auth-https-port (1003) for captive portal authentication cannot disable TLS 1.1 support.

535488

IP addresses of discovered devices in the device inventory menu are not showing after FortiGate reboots.

538000

FSSO (polling) user names with special characters are not showing up in FortiGate.

538218

Mobile Token authentication fails in vCluster on physical slave.

538666

FortiToken assignment on vCluster VDOM master on physical slave causes configuration mismatch and physical master overwrites.

539185

Modifying Login Challenge Page to include RADIUS attributes.

543503

RSSO user automatically gets added to a wrong user group.

546600

Cannot set certificate under config certificate local.

548460

set device-identification disable is reverted to default after VDOM restore.

549662

RADIUS MSCHAPv2 authentication fails on Windows NPS with non-ASCII characters in password.

550512

RSSO - wireless roaming causing undesirable removal of RSSO sessions.

554642

LDAP - search-type recursive does not retrieve nested membership through user's primary group.

554646

FSSO fabric connector needs to be renamed and needs to show connection status again.

VM

Bug ID

Description

537788

TCP re-transmission due to VMXNET3 RX ring buffer exhaustion.

540641

FortiGate-VM deployed in OpenStack without bootstrapping doesn't have empty password.

542794

Session size overflow on VMX causing timeout and error on NSX vMotion task.

545533

FGT VMX: Default MTU of 65521 results in packet drops.

548366

Azure SDN fabric connector is showing status down.

548453

On-demand platforms show error with FortiCare/FortinetOne login.

548531

FGT-AWS HA failover and SDN using IAM role do not work due to AWS IAM role token length being increased.

550977

AliCloud: Native FortiGate HA A-P failover does not complete in Shanghai and Hangzhou.

559051

Azure waagent process consumes high memory.

VoIP

Bug ID

Description

544877

H323/H245 helper abnormal in openLogicalChannel.

Web Filter

Bug ID

Description

435951

Traffic keeps going through the DENY NGFW policy configured with URL category.

544342

When encryption is set to yes, file-type incorrectly shows all file types when only zip files are supported.

547772

Web filter FGD category is not detected by sniffer policy for HTTPS traffic.

WiFi Controller

Bug ID

Description

491390

FWF-60E crashes intermittently with no console access at the time.

509442

Suggest to input at least 12 characters when configuring pre-shared key for WPA/WPA2-Personal SSID.

516454

FortiGate doesn't send IPv6 router-advertisement towards one AP if the same SSID is being broadcast on two different APs.

526035

Standby FortiGate reporting rogue AP on wire.

537968

Region -N DFS support required for FAP-U422EV.

539916

TCP SYN+ACK is not forwarded under specific conditions.

548101

CAPWAP tunnel does not get established on secondary IP address unless we enable CAPWAP access on primary IP address.

556451

Use firewall schedule (recurring, onetime, and group) to configure schedules for DARRP, disabling background rogue-AP scan, SSID, and FortiAP LED state.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Vulnerability

FortiOS 6.2.1 is no longer vulnerable to the issue described in the following link - https://fortiguard.com/psirt/FG-IR-19-144.

Bug ID

CVE references

503568

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2018-13367

532730

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-6693

539962

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-5591

548154

FortiOS 6.2.1 is no longer vulnerable to the following CVE References:

  • CVE-2019-3855
  • CVE-2019-3856
  • CVE-2019-3857
  • CVE-2019-3858
  • CVE-2019-3859
  • CVE-2019-3860
  • CVE-2019-3861
  • CVE-2019-3862
  • CVE-2019-3863

555805

FortiOS 6.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-5593