Resolved issues

The following issues have been fixed in version 6.2.11. For inquiries about a particular bug, please contact Customer Service & Support.

Explicit Proxy

Bug ID   Description
765761   Firewall with forward proxy and UTM enabled is sending the TLS probe with the forward proxy IP instead of the real server IP.

Firewall

Bug ID   Description
629529   Local-in policy session will not update after policy changes.
738584   Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy.
770668   The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.

GUI

Bug ID   Description
746953   On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message "This option may not function correctly. It is already configured using the CLI attribute: tftp-server." appears beside the DHCP Options entry.
749451   On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided by the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 2^32 - 1.

HA

Bug ID   Description
627968   Local-in policy with ha-mgmt-intf-only enabled is not installed properly.
640327   Duplicate logs are created by both primary and secondary devices for IPsec VPN.
779512   If the interface name is a number, an error occurs when that number is used as an hbdev priority.

Intrusion Prevention

Bug ID   Description
682071   IPS signatures are not working with VIP in proxy mode.
698247   Flow mode web filter override (ovrd) crashes and socket leaks in the IPS daemon.
715360   Each time an AV database update occurs (scheduled or manually triggered), the IPS engine restarts on the SLBC secondary blade.
755859   The IPS sessions count is higher than the system sessions count, which causes the FortiGate to enter conserve mode.
775696   Each time an AV database update occurs (scheduled or manual), the IPS engine restarts on the SLBC secondary blade. This stops UTM analysis for sessions handled by that blade.

IPsec VPN

Bug ID           Description
715671           Traffic is failing on dialup VPN IKEv2 with EAP authentication.
726326, 745331   IPsec server with NP offloading drops packets with an invalid SPI during rekey.

Log & Report

Bug ID   Description
764478   Logs are missing on FortiGate Cloud from the FortiGate.

Proxy

Bug ID   Description
603874   WAD may encounter a memory corruption issue if the resources allocated by FTS are not cleaned up properly.
692444   WAD memory leak is caused by a missed close event. The WAD receives a close event from TCP while the SSL port is blocked by the upper application layer. If the SSL port input buffer does not have any data, the close event is ignored even after the application layer turns off blocking, and the SSL port leaks.
693441   WAD crashes at wad_client_cert_req_act_get when the SSL layer configuration is cleaned up after policy matching.
729237   WAD crash occurs that is related to virtual server traffic.

Security Fabric

Bug ID   Description
686420   Dynamic address resolution is lost when the SDN connector sends the sync.callback command to the FortiGate.
690812   FortiGate firewall dynamic address resolution is lost when the SDN connector updates its cache.

SSL VPN

Bug ID   Description
677057   SSL VPN firewall policy creation via CLI does not require setting user identity.
737894   If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.
771162   Unable to access SSL VPN bookmark in web mode.

Switch Controller

Bug ID   Description
740661   FortiGate loses FortiSwitch management access due to excessive configuration pushes.

System

Bug ID           Description
627054           HTTPSD signal 6 crash in cases of long application lists that are greater than or equal to the maximum size of 16.
642958           FG-80E terminates the firewall session abruptly when end users download large files.
651626           A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to a wrong port seed value.
662239           FGR-60F-3G4G hardware switch span does not work.
671116           Lack of a null pointer check in the NP6XLite driver may lead to kernel panic. Affected models: FG-40F, FG-60F, and FG-101F.
681322           TCP 8008 is permitted by authd, even though the service in the policy does not include that port.
682681           DSL line takes a long time to synchronize.
703219, 708446   Kernel panic on FG-101F due to lack of a null pointer check in the NP6XLite driver.
712321           Multiple ports flap when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.
749613           Unable to save configuration changes, and the error "failed: No space left on device" is returned on FG-61E, FG-81E, and FG-101E.
749835           Traffic logs report the ICMP destination as unreachable for received traffic.
750171           Legitimate traffic is unable to go through with NP6 synproxy enabled.
751523           When changing mode from DHCP to static, the existing DHCP IP is kept, so no CLI command is generated and sent to FortiManager.
754951           Static ARP entry was removed while using DHCP relay.
763185           High CPU usage on platforms with low free memory upon IPS engine initialization.
765452           On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.
778474           dhcpd is not processing discover messages if they contain a 0-length option, such as option 80 (rapid commit). The warning "length 0 overflows input buffer" is displayed.

Upgrade

Bug ID   Description
685705   After upgrading to 6.2.6, the errors "No such file or directory" and "No space left on device" are returned on FWF-50 and FWF-51E.

User & Device

Bug ID   Description
604906   FortiOS does not prompt for a token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.
757883   FortiGate blocks an expired root CA, even if the cross-signed intermediate CA of the root CA is valid.

VM

Bug ID   Description
759300   gcpd has a signal 11 crash at gcpd_mime_part_end.

Web Filter

Bug ID   Description
806920   Incomplete TCP handshake with NP offloading enabled on policies with wireless interfaces.

WiFi Controller

Bug ID   Description
720497   MAC authentication bypass is not working for some clients.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID   CVE references
689909   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2022-22306
695018   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2022-22306
707951   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2021-41032
744267   FortiOS 6.2.11 is no longer vulnerable to the following CVE references:
           • CVE-2021-3711
           • CVE-2021-3712
749471   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2021-42755
763982   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2021-43081
764221   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2021-43206
765177   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2022-22299
787111   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2021-43072
792067   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2022-0778
797229   FortiOS 6.2.11 is no longer vulnerable to the following CVE reference:
           • CVE-2022-27491
