Resolved issues
The following issues have been fixed in version 6.2.10. To inquire about a particular bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description |
---|---|
665173 | Crash logs are sometimes truncated/incomplete. |
DNS Filter
Bug ID | Description |
---|---|
682060 | DNS proxy is holding 60% memory caused by retransmitted DNS messages sent from DNS clients, which causes the FortiGate to enter conserve mode. |
Explicit Proxy
Bug ID | Description |
---|---|
654455 | Proxy policy destination address set to none allows all traffic. |
681969 | FSSO explicit proxy authentication appears as basic instead of FSSO. |
Firewall
Bug ID | Description |
---|---|
561170 | Traffic is blocked by NGFW policy when SDN connector firewall address is configured in policy. |
644225 | Challenge ACK is being dropped. |
716317 | IPS user quarantine ban event is marking the sessions as dirty. |
719925 | Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP. |
730803 | Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic. |
743160 | SYN-ACK is dropped when application control with |
GUI
Bug ID | Description |
---|---|
610572 | Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time. |
674592 | When |
720613 | The event log sometimes contains duplicated lines when downloaded from the GUI. |
722832 | When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser. |
HA
Bug ID | Description |
---|---|
634465 | When sending UDP packets, |
659837 | The HA secondary cannot synchronize a new virtual switch configuration from the primary. |
662978 | Long lasting sessions are expired on HA secondary device with a 10G interface. |
669301 | When sending UDP packets, hasync code uses the wrong buffer size so that it may overwrite beyond the buffer to other corrupted memory. |
693178 | Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster. |
695067 | When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation. |
709518 | Secondary device is unable to connect to FortiCloud with secondary IP as the source IP. |
710236 | Heartbeat interfaces do not get updated under |
715939 | Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of |
722284 | When there is a large number of VLAN interfaces (around 600), the FortiGate reports |
723130 | |
744826 | API key (token) on the secondary device is not synchronized to the primary when |
746008 | DNS may not resolve correctly in a virtual cluster environment. It also impacts the FortiGate 6000F and 7000E/F series where DNS may not resolve on the correct blades (FPC/FPM). |
Intrusion Prevention
Bug ID | Description |
---|---|
680501 | Destination interfaces are set to unknown for previous ADVPN shortcuts sessions. |
689259 | Flow-based AV scanning does not send specific extension files to FortiSandbox. |
693800 | IPS memory spike on 6.2.7 running version: 5.00229. |
IPsec VPN
Bug ID | Description |
---|---|
578879, 676728 | IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading. |
699834 | ESP errors are logged with incorrect SPI value. |
714400 | Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector. |
715651 | iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication. |
717082 | FortiGate keeps initiating DHCP SA rekey after lifetime expires. |
720024 | Signature authentication IKE negotiation gets stuck and tunnel is not set up. This issue appears after a reboot, and can become unstuck by running |
752947 | The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate. |
Log & Report
Bug ID | Description |
---|---|
703738 | Log upload through user proxy is randomly terminated. |
704998 | FortiCloud connection might get disconnected when FortiCloud logging restarts because the keep alive counter is not reset properly. |
713014 | Cannot perform disk scan after enabling disk raid. |
718140 | Logs are missing on FortiGate Cloud from a certain point. |
722315 | System might generate garbage administrator log events upon session timeout. |
724827 | Syslogd is using the wrong source IP when configured with |
745310 | Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck. |
Proxy
Bug ID | Description |
---|---|
520176 | Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that will not respond to the connection in 10 seconds, and if the configuration changes during the 10 seconds. |
568905 | WAD crashes due to RCX having a null value. |
582464 | WAD SSL crash due to wrong cipher options chosen. |
586281 | WAD memory corruption. |
615391 | Reusing the buffer region causes frequent WAD crashes. |
663088 | Application control in Azure fails to detect and block SSH traffic with proxy inspection. |
670339 | Proxy-based SSL out-band-probe session has local out connection. Since the local out session will not learn the router policy, it makes all outbound connections fail if there is no static router to the destination. |
675343 | WAD crashes with transparent web proxy when connecting to a forward server. |
691468 | WAD IPS crashes because task is scheduled after closing. |
717157 | When using certificate inspection in a firewall policy, the WAD daemon might crash when clients try to connect to a web proxy server through the FortiGate in transparent mode or through a web proxy forward server. |
719681 | Flow control failure occurred while transferring large files when |
726999 | WAD crash on |
727349 | Traffic is stuck if HTTP POST does not have an end of boundary. |
733760 | Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app. |
735893 | After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected. |
744756 | Web proxy forward server group could not recover sometimes if the FQDN is not resolved. |
REST API
Bug ID | Description |
---|---|
663441 | REST API unable to change status of interface when VDOMs are enabled. |
Routing
Bug ID | Description |
---|---|
611708 | Make SNMP get BGP peer state timely once BGP neighbor enters or exits established state. |
655447 | BGP prefix lifetime resets every 60 seconds when scanning BGP RIB. |
661270 | OSPF is stuck in loading state when there is a large amount of OSPF interfaces. |
662655 | The OSPF neighborship cannot be established; get MD5 authentication error when the wrong MD5 key is deleted after modifying the key. |
693396 | hasync daemon was busy in dead loop if FD resource was used up when flushing routes from the kernel. |
693496 | SD-WAN rules not working for FortiAnalyzer settings because the |
693988 | For DSL interface, adding static route with |
697658 | FortiCloud activation does not honor the |
723726 | TCP session drops between virtual wire pair with |
725322 | Improve the help text for |
748733 | Remote IP route shows |
Security Fabric
Bug ID | Description |
---|---|
635183 | ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector. |
666242 | Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported. |
735717 | vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp. |
SSL VPN
Bug ID | Description |
---|---|
646295 | When DNS domain is configured, requests with NTLM of hostname only bookmark could not get response from server. |
677057 | SSL VPN firewall policy creation via CLI does not require setting user identity. |
677548 | In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server. |
677668 | sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP. |
695404 | WALLIX personal bookmark issue in SSL VPN portal. |
695763 | FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient. |
697637 | FortiToken Cloud user not working when in a user group. |
706646 | SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode. |
711516 | If there are multiple VDOMs and the management VDOM is not the root, when SAML is configured on the non-root VDOM, the SAML button may not display correctly after a policy refresh. |
714604 | SSL VPN daemon may crash when connection releases. |
715928 | SSL VPN signal 11 crashes at |
716622 | Due to a change on samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name. |
718170 | SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server. |
726576 | Internal webpage with JavaScript is not loading in SSL VPN web mode. |
731278 | Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode. |
745499 | In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak. |
Switch Controller
Bug ID | Description |
---|---|
689403 | Unable to add FSW-448E using serial number on FortiGate. |
System
Bug ID | Description |
---|---|
514239 | There are no kernel routing updates when the session is re-initialized at the DSLAM side. DSL creates a default route to 240.0.0.1 after changing any configuration on the DSL interface. |
539059 | Updating fails on low-end models because of disk space shortage (/data). |
627236 | TCP traffic disruption when traffic shaper takes effect with NP offloading enabled. |
627645 | When upgrading FG-100D, several processes randomly go into D state, which generates cluster and service issues. |
636999 | LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models. |
639089 | Transceiver is not detected/fails to read module EEPROM. Affected models: FG-80E, FG-100E, FG-140E, and FG-100EF. |
641708 | FTLF8536P4BCV shows |
648014, 661784 | FortiDDNS is unable to update the renewed public IP address to FortiGuard server in some error conditions. |
649729 | HA synchronization packets are hashed to a single queue when |
651626 | A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value. |
675418 | FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email. |
681791 | Install preview does not show all changes performed on the FortiGate. |
682227 | DSL creates a default route to 240.0.0.1 after changing any configuration on a DSL interface. |
683387, 711698 | Change WWAN interface default netmask to /32 and default distance to 1. |
687398 | Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices. |
687519 | Bulk changes through the CLI are very slow with 24000 existing policies. |
688009 | Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly. |
689317, 698927 | After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0. |
691729 | WWAN interface on FG-40F-3G4G eventually goes offline until a reboot or configuration change occurs. |
692490 | When an |
692943 | If an updated FFDB package is found, crash may happen at |
696556 | Support |
697146 | DHCP client is unable to clean old LTE IP addresses on VLAN and FortiExtender WAN interfaces running in DHCP mode. |
699902 | SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration. |
702135 | cmdbsvr memory leak due to unreleased memory allocated by OpenSSL. |
702932 | FG-1500D reboots suddenly after COMLog reported kernel panic and voipd is tainted. |
702966 | There was a memory leak in the administrator login debug that caused the getty daemon to be killed. |
704981 | LLDP transmission fails if there are nested software switches. |
713324 | Command fails when running |
713835 | The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in. |
714256 | A softirq happened in an unprotected session read lock and caused a self-deadlock. |
714805 | FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the |
715647 | In VWP with |
715978 | NTurbo does not work with EMAC VLAN interface. |
716341 | SFP28 port flapping when the speed is set to 10G. |
721733 | IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag. |
722273 | SA is freed while its timer is still pending, which leads to a kernel crash. |
725264 | FG-600E copper speed LED does not work. |
740649 | FortiGate sends CSR configuration without double quote ( |
753602 | FG-40F has a newcli signal 11 crash. |
Upgrade
Bug ID | Description |
---|---|
716912 | SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0. |
User & Device
Bug ID | Description |
---|---|
625107 | No response when using FortiToken Mobile push because the source IP cannot be set. |
688989 | Two-factor authentication can be bypassed with some configurations. |
701356 | When a GUI administrator certificate, |
710212 | RADIUS accounting port is occasionally missing. |
725056 | FSSO local poller fails after recent Microsoft Windows update (KB5003646, KB5003638, ...). |
750551 | DST_Root_CA_X3 certificate is expired. |
VM
Bug ID | Description |
---|---|
739376 | vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp. |
Web Filter
Bug ID | Description |
---|---|
672994 | Web filter warning message does not contain certification chain. |
717619 | Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category. |
739349 | Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when |
WiFi Controller
Bug ID | Description |
---|---|
676689 | RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection. |
709871 | After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0. |
739793 | VM license file generated by FortiCare lacks new line at the end and causes cw_acd process to constantly restart. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
600586 | FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference: |
681628 | FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference: |
686912 | FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference: |
710161 | FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference: |
726300 | FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference: |
752134 | FortiOS 6.2.10 is no longer vulnerable to the following CVE Reference: |