Resolved issues

The following issues have been fixed in version 6.2.10. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

665173

Crash logs are sometimes truncated/incomplete.

DNS Filter

Bug ID

Description

682060

DNS proxy is holding 60% memory caused by retransmitted DNS messages sent from DNS clients, which causes the FortiGate to enter conserve mode.

Explicit Proxy

Bug ID

Description

654455

Proxy policy destination address set to none allows all traffic.

681969

FSSO explicit proxy authentication appears as basic instead of FSSO.

Firewall

Bug ID

Description

561170

Traffic is blocked by NGFW policy when SDN connector firewall address is configured in policy.

644225

Challenge ACK is being dropped.

716317

IPS user quarantine ban event is marking the sessions as dirty.

719925

Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

730803

Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.

743160

SYN-ACK is dropped when application control with auto-asic-offload and NP acceleration are enabled in a firewall policy.

GUI

Bug ID

Description

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

720613

The event log sometimes contains duplicated lines when downloaded from the GUI.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

HA

Bug ID

Description

634465

When sending UDP packets, hasync code uses the wrong buffer size, which may write beyond the buffer and corrupt other memory.

659837

The HA secondary cannot synchronize a new virtual switch configuration from the primary.

662978

Long lasting sessions are expired on HA secondary device with a 10G interface.

669301

When sending UDP packets, hasync code uses the wrong buffer size, so it may write beyond the buffer and corrupt other memory.

693178

Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster.

695067

When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

709518

Secondary device is unable to connect to FortiCloud with secondary IP as the source IP.

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group | memory> after HA hbdev configuration changes.

715939

Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of intf_vd_changed events and recheck the MAC every time, which blocks hatalk from sending heartbeat packets for a long time and the peer loses it.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

723130

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

744826

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

746008

DNS may not resolve correctly in a virtual cluster environment. It also impacts the FortiGate 6000F and 7000E/F series where DNS may not resolve on the correct blades (FPC/FPM).

Intrusion Prevention

Bug ID

Description

680501

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

689259

Flow-based AV scanning does not send specific extension files to FortiSandbox.

693800

IPS memory spike on 6.2.7 running version: 5.00229.

IPsec VPN

Bug ID

Description

578879, 676728

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

699834

ESP errors are logged with incorrect SPI value.

714400

Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector.

715651

iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

720024

Signature authentication IKE negotiation gets stuck and tunnel is not set up. This issue appears after a reboot, and can become unstuck by running get vpn ike gateway.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

Log & Report

Bug ID

Description

703738

Log upload through user proxy is randomly terminated.

704998

FortiCloud connection might get disconnected when FortiCloud logging restarts because the keep alive counter is not reset properly.

713014

Cannot perform disk scan after enabling disk raid.

718140

Logs are missing on FortiGate Cloud from a certain point.

722315

System might generate garbage administrator log events upon session timeout.

724827

Syslogd is using the wrong source IP when configured with interface-select-method auto.

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

Proxy

Bug ID

Description

520176

Multiple WAD crashes observed with signal 6. The issue can be reproduced with a slow server that does not respond to the connection within 10 seconds, if the configuration changes during those 10 seconds.

568905

WAD crashes due to RCX having a null value.

582464

WAD SSL crash due to wrong cipher options chosen.

586281

WAD memory corruption.

615391

Reusing the buffer region causes frequent WAD crashes.

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

670339

Proxy-based SSL out-band-probe session has local out connection. Since the local out session will not learn the router policy, it makes all outbound connections fail if there is no static router to the destination.

675343

WAD crashes with transparent web proxy when connecting to a forward server.

691468

WAD IPS crashes because task is scheduled after closing.

717157

When using certificate inspection in a firewall policy, the WAD daemon might crash when clients try to connect to a web proxy server through the FortiGate in transparent mode or through a web proxy forward server.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

726999

WAD crash on wad_hash_map_del.

727349

Traffic is stuck if HTTP POST does not have an end of boundary.

733760

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

744756

Web proxy forward server group could not recover sometimes if the FQDN is not resolved.

REST API

Bug ID

Description

663441

REST API unable to change status of interface when VDOMs are enabled.

Routing

Bug ID

Description

611708

Make SNMP get BGP peer state timely once BGP neighbor enters or exits established state.

655447

BGP prefix lifetime resets every 60 seconds when scanning BGP RIB.

661270

OSPF is stuck in loading state when there is a large number of OSPF interfaces.

662655

The OSPF neighborship cannot be established; get MD5 authentication error when the wrong MD5 key is deleted after modifying the key.

693396

hasync daemon was busy in dead loop if FD resource was used up when flushing routes from the kernel.

693496

SD-WAN rules not working for FortiAnalyzer settings because the interface-select-method is implemented on a remote device FortiAnalyzer/FDS but not added to FortiView/log viewing API.

693988

For DSL interface, adding static route with set dynamic-gateway enable does not add route to routing table.

697658

FortiCloud activation does not honor the set interface-select-method command under config system fortiguard.

723726

TCP session drops between virtual wire pair with auto-asic-offload enabled in policy.

725322

Improve the help text for distance to indicate that 255 means unreachable.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

Security Fabric

Bug ID

Description

635183

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

666242

Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.

735717

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

SSL VPN

Bug ID

Description

646295

When DNS domain is configured, requests with NTLM of hostname only bookmark could not get response from server.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

677548

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695763

FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.

697637

FortiToken Cloud user not working when in a user group.

706646

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

711516

If there are multiple VDOMs and the management VDOM is not the root, when SAML is configured on the non-root VDOM, the SAML button may not display correctly after a policy refresh.

714604

SSL VPN daemon may crash when connection releases.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

716622

Due to a change on samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name.

718170

SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

731278

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

745499

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

Switch Controller

Bug ID

Description

689403

Unable to add FSW-448E using serial number on FortiGate.

System

Bug ID

Description

514239

There are no kernel routing updates when the session is re-initialized at the DSLAM side. DSL creates a default route to 240.0.0.1 after changing any configuration on the DSL interface.

539059

Updating fails on low-end models because of disk space shortage (/data).

627236

TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.

627645

When upgrading FG-100D, several processes randomly go into D state, which generates cluster and service issues.

636999

LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.

639089

Transceiver is not detected/fails to read module EEPROM. Affected models: FG-80E, FG-100E, FG-140E, and FG-100EF.

641708

FTLF8536P4BCV shows This transceiver is not certified by Fortinet, corrupt part number and serial number after HA cluster sync.

648014, 661784

FortiDDNS is unable to update the renewed public IP address to FortiGuard server in some error conditions.

649729

HA synchronization packets are hashed to a single queue when sync-packet-balance is enabled.

651626

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

675418

FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email.

681791

Install preview does not show all changes performed on the FortiGate.

682227

DSL creates a default route to 240.0.0.1 after changing any configuration on a DSL interface.

683387, 711698

Change WWAN interface default netmask to /32 and default distance to 1.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

687519

Bulk changes through the CLI are very slow with 24000 existing policies.

688009

Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly.

689317, 698927

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

691729

WWAN interface on FG-40F-3G4G eventually goes offline until a reboot or configuration change occurs.

692490

When an <entry name> is on the same line as config <setting> <setting> <entry name>, it is not handled properly to send to FortiManager.

692943

If an updated FFDB package is found, crash may happen at init_ffdb_map if it is called when ffdb_map or ffdb_app is already in the process of being parsed, especially in HA.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

697146

DHCP client is unable to clean old LTE IP addresses on VLAN and FortiExtender WAN interfaces running in DHCP mode.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

702932

FG-1500D reboots suddenly after COMLog reported kernel panic and voipd is tainted.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

704981

LLDP transmission fails if there are nested software switches.

713324

Command fails when running execute private-encryption-key <xxx>.

713835

The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.

714256

A softirq happened in an unprotected session read lock and caused a self-deadlock.

714805

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

715647

In VWP with set wildcard-vlan enable, for some special cases the SKB headlen is not long enough for handling. It may cause a protective crash when doing skb_pull.

715978

NTurbo does not work with EMAC VLAN interface.

716341

SFP28 port flapping when the speed is set to 10G.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

722273

SA is freed while its timer is still pending, which leads to a kernel crash.

725264

FG-600E copper speed LED does not work.

740649

FortiGate sends CSR configuration without double quote (") to FortiManager.

753602

FG-40F has a newcli signal 11 crash.

Upgrade

Bug ID

Description

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Device

Bug ID

Description

625107

No response when using FortiToken Mobile push because the source IP cannot be set.

688989

Two-factor authentication can be bypassed with some configurations.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

710212

RADIUS accounting port is occasionally missing.

725056

FSSO local poller fails after recent Microsoft Windows update (KB5003646, KB5003638, ...).

750551

DST_Root_CA_X3 certificate is expired.

VM

Bug ID

Description

739376

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

Web Filter

Bug ID

Description

672994

Web filter warning message does not contain certification chain.

717619

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

739349

Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when utm-status is disabled.

WiFi Controller

Bug ID

Description

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

739793

VM license file generated by FortiCare lacks new line at the end and causes cw_acd process to constantly restart.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

600586

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-16151

681628

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-26110

686912

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-32600

710161

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-24018

726300

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-36169

752134

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42757

Resolved issues

The following issues have been fixed in version 6.2.10. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

665173

Crash logs are sometimes truncated/incomplete.

DNS Filter

Bug ID

Description

682060

DNS proxy is holding 60% memory caused by retransmitted DNS messages sent from DNS clients, which causes the FortiGate to enter conserve mode.

Explicit Proxy

Bug ID

Description

654455

Proxy policy destination address set to none allows all traffic.

681969

FSSO explicit proxy authentication appears as basic instead of FSSO.

Firewall

Bug ID

Description

561170

Traffic is blocked by NGFW policy when SDN connector firewall address is configured in policy.

644225

Challenge ACK is being dropped.

716317

IPS user quarantine ban event is marking the sessions as dirty.

719925

Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

730803

Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.

743160

SYN-ACK is dropped when application control with auto-asic-offload and NP acceleration are enabled in a firewall policy.

GUI

Bug ID

Description

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

720613

The event log sometimes contains duplicated lines when downloaded from the GUI.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

HA

Bug ID

Description

634465

When sending UDP packets, hasync code uses the wrong buffer size, which may overwrite beyond the buffer to other corrupted memory.

659837

The HA secondary cannot synchronize a new virtual switch configuration from the primary.

662978

Long lasting sessions are expired on HA secondary device with a 10G interface.

669301

When sending UDP packets, hasync code uses the wrong buffer size so that it may overwrite beyond the buffer to other corrupted memory.

693178

Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster.

695067

When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

709518

Secondary device is unable to connect to FortiCloud with secondary IP as the source IP.

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group |memory> after HA hbdev configuration changes.

715939

Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of intf_vd_changed events and recheck the MAC every time, which blocks hatalk from sending heartbeat packets for a long time and the peer loses it.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

723130

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

744826

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

746008

DNS may not resolve correctly in a virtual cluster environment. It also impacts the FortiGate 6000F and 7000E/F series where DNS may not resolve on the correct blades (FPC/FPM).

Intrusion Prevention

Bug ID

Description

680501

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

689259

Flow-based AV scanning does not send specific extension files to FortiSandbox.

693800

IPS memory spike on 6.2.7 running version: 5.00229.

IPsec VPN

Bug ID

Description

578879, 676728

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

699834

ESP errors are logged with incorrect SPI value.

714400

Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector.

715651

iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

720024

Signature authentication IKE negotiation gets stuck and tunnel is not set up. This issue appears after a reboot, and can become unstuck by running get vpn ike gateway.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

Log & Report

Bug ID

Description

703738

Log upload through user proxy is randomly terminated.

704998

FortiCloud connection might get disconnected when FortiCloud logging restarts because the keep alive counter is not reset properly.

713014

Cannot perform disk scan after enabling disk raid.

718140

Logs are missing on FortiGate Cloud from a certain point.

722315

System might generate garbage administrator log events upon session timeout.

724827

Syslogd is using the wrong source IP when configured with interface-select-method auto.

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

Proxy

Bug ID

Description

520176

Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that will not respond the connection in 10 seconds, and if the configuration changes during the 10 seconds.

568905

WAD crashes due to RCX having a null value.

582464

WAD SSL crash due to wrong cipher options chosen.

586281

WAD memory corruption.

615391

Reusing the buffer region causes frequent WAD crashes.

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

670339

Proxy-based SSL out-band-probe session has local out connection. Since the local out session will not learn the router policy, it makes all outbound connections fail if there is no static router to the destination.

675343

WAD crashes with transparent web proxy when connecting to a forward server.

691468

WAD IPS crashes because task is scheduled after closing.

717157

When using certificate inspection in a firewall policy, the WAD daemon might crash when clients try to connect to a web proxy server through the FortiGate in transparent mode or through a web proxy forward server.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

726999

WAD crash on wad_hash_map_del.

727349

Traffic is stuck if HTTP POST does not have an end of boundary.

733760

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

744756

Web proxy forward server group could not recover sometimes if the FQDN is not resolved.

REST API

Bug ID

Description

663441 REST API unable to change status of interface when VDOMs are enabled.

Routing

Bug ID

Description

611708

Make SNMP get BGP peer state timely once BGP neighbor enters or exits established state.

655447

BGP prefix lifetime resets every 60 seconds when scanning BGP RIB.

661270

OSPF is stuck in loading state when there is a large amount of OSPF interfaces.

662655

The OSPF neighborship cannot be established; get MD5 authentication error when the wrong MD5 key is deleted after modifying the key.

693396

hasync daemon was busy in dead loop if FD resource was used up when flushing routes from the kernel.

693496

SD-WAN rules not working for FortiAnalyzer settings because the interface-select-method is implemented on a remote device FortiAnalyzer/FDS but not added to FortiView/log viewing API.

693988

For DSL interface, adding static route with set dynamic-gateway enable does not add route to routing table.

697658

FortiCloud activation does not honor the set interface-select-method command under config system fortiguard.

723726

TCP session drops between virtual wire pair with auto-asic-offload enabled in policy.

725322

Improve the help text for distance to indicate that 255 means unreachable.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

Security Fabric

Bug ID

Description

635183

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

666242

Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.

735717

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

SSL VPN

Bug ID

Description

646295

When DNS domain is configured, requests with NTLM of hostname only bookmark could not get response from server.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

677548

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695763

FortiClient iOS 6.4.5. has new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient.

697637

FortiToken Cloud user not working when in a user group.

706646

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

711516

If there are multiple VDOMs and the management VDOM is not the root, when SAML is configured on the non-root VDOM, the SAML button may not display correctly after a policy refresh.

714604

SSL VPN daemon may crash when connection releases.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

716622

Due to a change on samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name.

718170

SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

731278

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

745499

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

Switch Controller

Bug ID

Description

689403

Unable to add FSW-448E using serial number on FortiGate.

System

Bug ID

Description

514239

There are no kernel routing updates when the session is re-initialized at the DSLAM side. DSL creates a default route to 240.0.0.1 after changing any configuration on the DSL interface.

539059

Updating fails on low-end models because of disk space shortage (/data).

627236

TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.

627645

When upgrading FG-100D, several processes randomly go into D state, which generates cluster and service issues.

636999

LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.

639089

Transceiver is not detected/fails to read module EEPROM. Affected models: FG-80E, FG-100E, FG-140E, and FG-100EF.

641708

FTLF8536P4BCV shows This transceiver is not certified by Fortinet, corrupt part number and serial number after HA cluster sync.

648014, 661784

FortiDDNS is unable to update the renewed public IP address to FortiGuard server in some error conditions.

649729

HA synchronization packets are hashed to a single queue when sync-packet-balance is enabled.

651626

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

675418

FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email.

681791

Install preview does not show all changes performed on the FortiGate.

682227

DSL creates a default route to 240.0.0.1 after changing any configuration on a DSL interface.

683387, 711698

Change WWAN interface default netmask to /32 and default distance to 1.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

687519

Bulk changes through the CLI are very slow with 24000 existing policies.

688009

Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly.

689317, 698927

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

691729

WWAN interface on FG-40F-3G4G eventually goes offline until a reboot or configuration change occurs.

692490

When an <entry name> is on the same line as config <setting> <setting> <entry name>, it is not handled properly to send to FortiManager.

692943

If an updated FFDB package is found, a crash may happen at init_ffdb_map if it is called when ffdb_map or ffdb_app is already in the process of being parsed, especially in HA.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

697146

DHCP client is unable to clean old LTE IP addresses on VLAN and FortiExtender WAN interfaces running in DHCP mode.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

702932

FG-1500D reboots suddenly after COMLog reported kernel panic and voipd is tainted.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

704981

LLDP transmission fails if there are nested software switches.

713324

Command fails when running execute private-encryption-key <xxx>.

713835

The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.

714256

A softirq happened in an unprotected session read lock and caused a self-deadlock.

714805

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when the user shuts down the ha monitor dev.

715647

In VWP with set wildcard-vlan enable, for some special cases the SKB headlen is not long enough for handling. It may cause a protective crash when doing skb_pull.

715978

NTurbo does not work with EMAC VLAN interface.

716341

SFP28 port flapping when the speed is set to 10G.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

722273

SA is freed while its timer is still pending, which leads to a kernel crash.

725264

FG-600E copper speed LED does not work.

740649

FortiGate sends CSR configuration without double quotes (") to FortiManager.

753602

FG-40F has a newcli signal 11 crash.

Upgrade

Bug ID

Description

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Device

Bug ID

Description

625107

No response when using FortiToken Mobile push because the source IP cannot be set.

688989

Two-factor authentication can be bypassed with some configurations.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

710212

RADIUS accounting port is occasionally missing.

725056

FSSO local poller fails after recent Microsoft Windows update (KB5003646, KB5003638, ...).

750551

DST_Root_CA_X3 certificate is expired.

VM

Bug ID

Description

739376

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

Web Filter

Bug ID

Description

672994

Web filter warning message does not contain certification chain.

717619

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

739349

Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when utm-status is disabled.

WiFi Controller

Bug ID

Description

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

739793

VM license file generated by FortiCare lacks a new line at the end and causes the cw_acd process to constantly restart.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

600586

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-16151

681628

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-26110

686912

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-32600

710161

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-24018

726300

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-36169

752134

FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42757