Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Known issues

The following issues have been identified in version 6.2.3. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

563250

Shared memory does not empty out properly under /tmp.

Data Leak Prevention

Bug ID

Description

591178 WAD fails to determine the correct file name when downloading a file from Nextcloud.

DNS Filter

Bug ID

Description

582374

License shows expiry date of 0000-00-00.

Explicit Proxy

Bug ID

Description

540091

Cannot access explicit FTP proxy via VIP.

594580

FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.

594598

Enabling proxy policies (+400) increases memory by 30% and up to 80% total.

603707

The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.

605209

LDAP ignores source-ip with web proxy Kerberos authentication.

Firewall

Bug ID

Description

593103

When a policy denies traffic for a VIP and send-deny-packet is enabled, ICMP unreachable message references the mapped address, not the external.

595044

Get new CLI signal 11 crash log when performing execute internet-service refresh.

595790

Hit Count column does not work for security policy with multiple VDOMs.

598559

ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.

599253

GUI traffic shaper Bandwidth Utilization should use KBps units.

600644

IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.

601331

Virtual load-balance VIP and intermittent HTTP health check failures.

604886

Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.

606834

Adding more than one dynamic FSSO firewall address results in GUI and CLI error.

FortiView

Bug ID

Description

592309

On FortiGate with double loop FortiSwitches, FortiView physical topology page cannot load; get Failed to get FortiView data error message.

635309

FortiGate returns error 500 when trying to view Compromised Hosts, but FortiAnalyzer has a valid IoC license.

GUI

Bug ID

Description

354464

AntiVirus profile in GUI should not override quarantine archive value.

514632

Inconsistent Refcnt value in GUI when using ports in HA session-sync-dev.

529094

Anti-Spam Black White List Entry in GUI permits action Mark as Reject in GUI when it should not.

535099

GUI should add support for new MAC address filter in SSID dialog page.

541042

Log viewer forward traffic cannot support double negate filter (client side issue).

557786

GUI response is very slow when accessing Monitor > IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time).

564849

HA warning message remains after primary unit takes back control.

565309

Application groups improvements.

579711 Cannot run Security Rating due to disk issue (diagnose security-rating clean fails).

584314

NGFW mode should have a link to show all applications in the list.

584915

OK button missing on all pages (policy, interface, system settings) on Android mobile.

584939

VPN event logs shows incorrectly when adding two action filters and if the filter action filter contains "-".

585055

High CPU utilization by httpsd daemon if there are too many API connections.

585924

Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.

589709

Status icon in Tunnel column on IPsec Tunnels page should be removed.

593899

Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.

598725

Login page shows random characters when system language is not English.

599245

Nessus vulnerability scan tool reported more medium level vulnerabilities for 6.2.3 compared with the 6.2.2 result.

599284

pyfcgid crashed with signal 11 (Segmentation fault) received.

599401

FortiGuard quota category details displays No matching entries found for local category.

600120

Reduce the number of core used by httpsd for low-end platforms.

601568

Interface status is not displayed on faceplate when viewing from the System > HA page.

601653

When deleting an AV profile in the GUI, there is no confirmation message prompt.

602637

Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.

607972

FortiGate enters conserve mode when accessing Amazon AWS ISDB object.

601653

When deleting an AV profile in the GUI, there is no confirmation message prompt.

606074

Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3.

606428

GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface but sourced from a different IP.

610181

FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare.

611436

FortiGate displays a hacked webpage after selecting an IPS log.

615462

GUI takes 10-15 seconds to load Device Inventory, IPv4 Policy, and Interfaces pages.

617364

GUI does not list AliCoud SDN address filter.

620854

FG-101F GUI should not add speed to virtual switch member port.

HA

Bug ID

Description

588908

FG-3400E hasync reports the "Network is unreachable".

598937

Local user creation causes HA to be out of sync for several minutes.

601550

Application hasync crashes several times.

602266

The configuration of the SD-WAN interface gateway IP should not sync.

602406

In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the secondary unit.

613714

HA failover takes over one minute when monitored aggregate interface goes down on primary unit.

621621

Ether-type HA cannot be changed.

Intrusion Prevention

Bug ID

Description

565747

IPS engine 5.00027 has signal 11 crash.

586544

IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668

IPS engine 5.00035 has signal 11 crash.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

608501

IPS forwards attacks that are previously identified as dropped.

IPsec VPN

Bug ID

Description

516029

Remove the IPsec global lock.

589096

In IPsec after HA failover, performance regression and IKESAs is lost.

590633

Packet loss observed after ADVPN shortcut is created.

592361

Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.

594962

IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate in a remote peer gateway.

595810

Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.

597748

L2TP/IPsec VPN disconnects frequently.

603090

The OCVPN log file was not closed or properly trimmed due to the incorrect state_refcnt. The OCVPN log file stayed open, grew extremely large, and was never trimmed.

604334

L2TP disconnection when transferring large files.

607212

IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured.

609033

After two HA failovers, one VPN interface member of SD-WAN cannot forward packets.

611148

L2TP/IPsec does not send framed IP address in RADIUS accounting updates.

612319

MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and makes fragmentation high.

615360

OCVPN secondary hub cannot register.

622506

L2TP over IPsec tunnel established, but traffic cannot pass because wrong interface gets in route lookup.

Log & Report

Bug ID

Description

593557

Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.

602459

GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.

605174

Incorrect sentdelta/rcvddelta in statistic traffic logs.

606533

User observes FGT internal error while trying to log in from the web UI.

608565

FortiGate sends incorrect long session logs to FortiGate Cloud.

623471

FortiGate did not change the time after daylight savings time.

Proxy

Bug ID

Description

582475

WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

588661

Customer had issue accessing the HTTPS website after enabling the proxy web filter.

610466

Multiple WAD crash on FG-500D after upgrading from 6.2.3 (wad_url_filter_user_cat_load_entry.constprop.7).

629504

SSH status in SSL profile changes to deep-inspection from disable after upgrading.

REST API

Bug ID

Description

584631 REST API admin with token unable to configure HA setting (via login session works).

599516

When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

580207

Policy route does not apply to local-out traffic.

593951

Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.

597733

IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit.

599884

Traffic not following SD-WAN rules when one of the interfaces is VLAN.

600332

SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.

600830

SD-WAN health check reports have packet loss if response time is longer than the check interval.

600995

Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.

604390

FortiOS 6.2.3 by default drops reply packets received from a different interface (unlike 6.2.2).

Security Fabric

Bug ID

Description

599474

FortiGate SDN connector not seeing all available tag name-value pairs.

604670

Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system's timezone configuration.

SSL VPN

Bug ID

Description

505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.

558685

Two-factor authentication with FortiToken easily bypassed when using LDAP authentication.

563022

SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.

594416

Accessing FortiGate GUI through SSL VPN web mode causes Network > Interfaces page to return an error.

595627

Cannot access some specific sites through SSL VPN web mode.

598659

SSL VPN daemon crash.

599668

In SSL VPN web mode, page keeps loading after user authenticates into internal application.

599671

In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.

599960

RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed.

600103

Sslvpnd crashes when trying to query a DNS host name without a period (.).

602645

SSL VPN synology NAS web bookmark log in page does not work after upgrading to 6.2.3.

603957

SSL VPN LDAPS authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7.

605699

Internal HRIS website dropdown list box not loading in SSL VPN web mode.

613111

Traffic cannot pass through FortiGate in SSL VPN web mode if the user is a PKI peer.

616879

Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.

624197

SSL VPN web mode does not completely load the redirected corporate SSO page when accessing an internal resource.

Switch Controller

Bug ID

Description

517663

For a managed FortiSwitch already running the latest GA image, Upgrade Available tag shows unexpectedly.

588584

GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.

605864

If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface looses its CAPWAP setting.

607707

Unable to push configuration changes from FortiGate to FortiSwitch.

608231

LLDP policy did not download completely to the managed FortiSwitch 108Es.

613323

FortiSwitch trunk configuration sync issue after FortiGate failover.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

527459

SDN address filter unable to handle space character.

576337

SNMP polling stopped when FortiManager API script executed onto FortiGate.

578031

FortiManager Cloud cannot be removed once the FortiGate has trouble on contract.

582498

Traffic cannot be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress interface in a policy with IPS.

589079

QSFP interface goes down when the get system interface transceiver command is interrupted.

589723

Wrong source IP is bound for config system fortiguard.

590021

Enabling auto-asic-offload results in keeping action=deny in traffic log with an accept entry.

592570

VLAN switch does not work on FG-100E.

592827

FortiGate is not sending DHCP request after receiving offer.

594018

Update daemon is locked to one resolved update server.

594865

diagnose internet-service match does not return the IP value of the IP reputation database object.

595338

Unable to execute ping6 when configuring execute ping6-options tos, except for default.

595467

Invalid multicast policy created after transparent VDOM restored.

598527

ISDB may cause crashes after downgrading FortiGate firmware.

600032

SNMP does not provide routing table for non-management VDOM.

602523

DDNS monitor-interface uses the monitored interface if DDNS services other than FortiGuard DDNS are used.

602548

Some of the clients are not getting their IP through DHCP intermittently.

603194

NP multicast session remains after the kernel session is deleted.

603551

DHCPv6 relay does not work on FG-2200E.

604550

Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.

604699

Header line that is not freed might cause system to enter conserve mode in a transparent mode deployment.

607015

More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens quite often on some global NTP servers.

607452

Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash.

610900

Low throughput on FG-2201E for traffic with ECN flag enabled.

610903

SMC NTP functions are enabled on some of the models that do not support the feature.

612113

xcvrd attaches shared memory multiple times causing huge memory consumption.

621771

FortiGate cannot be accessed by ping/telnet/ssh/capwap in transparent VDOM.

626785

FG-101F should support the same WTP size (128) as FG-100F.

627409

Cannot create hardware switch on FG-100F.

Upgrade

Bug ID

Description

618809

Boot up may fail when downgrading from FOS 6.4.0 to 6.2.3.

649948

Upon upgrading to FortiOS 6.2.3 or 6.2.4, IKE/IPsec SAs are not synced to the primary when HA uninterruptible-upgrade is enabled. As a result, IPsec traffic from a client may be detected as having an invalid SPI until the client starts a new negotiation.

User & Device

Bug ID

Description

573317

SSO admin with a user name over 35 characters cannot log in after the first login.

591461

FortiGate does not send user IP to TACACS server during authentication.

592047

GUI RADIUS test fails with vdom-dns configuration.

596844

Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification.

593361

No source IP option available for OCSP certificate checking.

594863

UPN extraction does not work for particular PKI.

605206

FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate expiring in May 2020.

605404

FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects.

605437

FortiOS does not understand CMPv2 grantedWithMods response.

605950

RDP sessions are terminated (disconnect) unexpectedly.

VM

Bug ID

Description

575346

gui-wanopt cache missing under system settings after upgrading a FortiGate VM with two disks.

587180

FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

587757

FG-VM image unable to be deployed on AWS with additional HDD(st1) disk type.

596742

Azure SDN connector replicates configuration from primary unit to secondary unit during configuration restore.

597003

Unable to bypass self-signed certificates on Chrome in macOS Catalina.

598419

Static routes are not in sync on FortiGate Azure.

599430

FG-VM-AZURE fails to boot up due to rtnl_lock deadlock.

600975

Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time.

601357

FortiGate VM Azure in HA has unsuccessful failover.

601528

License validation failure log message missing when using FortiManager to validate a VM.

603426

AWS-PAYG in HA setup can lose its VM license after rebooting with certain setup.

603599

VIP in autoscale on GCP not syncing to other nodes.

605435

API call to associate elastic IP is triggered only when the unit becomes the primary device.

605511

FG-VM-GCP reboots a couple of times due to kernel panic.

606527

GUI and CLI interface dropdown lists are inconsistent.

608881

IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

609283

IP pools are synchronized in FortiGate Azure HA.

612611

Very hard to download image for FG-AWSONDEMAND from FDS.

613730

Unable to update routing table for a resource group in a different subscription with FortiGate Azure SDN.

622031

azd keeps crashing if Azure VM contains more than 15 tags.

Web Filter

Bug ID

Description

593203

Cannot enter a name for a web rating override and save—error message appears when entering the name.

WiFi Controller

Bug ID

Description

563630

Kernel panic observed on FWF-60E.

599690

Unable to perform COA with device MAC address for 802.1x wireless connection when use-management-vdom is enabled.

601012

When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code.

615219

FortiGate cannot create WTP entry for FortiAP in transparent mode.

Known issues

The following issues have been identified in version 6.2.3. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

563250

Shared memory does not empty out properly under /tmp.

Data Leak Prevention

Bug ID

Description

591178 WAD fails to determine the correct file name when downloading a file from Nextcloud.

DNS Filter

Bug ID

Description

582374

License shows expiry date of 0000-00-00.

Explicit Proxy

Bug ID

Description

540091

Cannot access explicit FTP proxy via VIP.

594580

FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.

594598

Enabling proxy policies (+400) increases memory by 30% and up to 80% total.

603707

The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.

605209

LDAP ignores source-ip with web proxy Kerberos authentication.

Firewall

Bug ID

Description

593103

When a policy denies traffic for a VIP and send-deny-packet is enabled, ICMP unreachable message references the mapped address, not the external.

595044

Get new CLI signal 11 crash log when performing execute internet-service refresh.

595790

Hit Count column does not work for security policy with multiple VDOMs.

598559

ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.

599253

GUI traffic shaper Bandwidth Utilization should use KBps units.

600644

IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.

601331

Virtual load-balance VIP and intermittent HTTP health check failures.

604886

Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.

606834

Adding more than one dynamic FSSO firewall address results in GUI and CLI error.

FortiView

Bug ID

Description

592309

On FortiGate with double loop FortiSwitches, FortiView physical topology page cannot load; get Failed to get FortiView data error message.

635309

FortiGate returns error 500 when trying to view Compromised Hosts, but FortiAnalyzer has a valid IoC license.

GUI

Bug ID

Description

354464

AntiVirus profile in GUI should not override quarantine archive value.

514632

Inconsistent Refcnt value in GUI when using ports in HA session-sync-dev.

529094

Anti-Spam Black White List Entry in GUI permits action Mark as Reject in GUI when it should not.

535099

GUI should add support for new MAC address filter in SSID dialog page.

541042

Log viewer forward traffic cannot support double negate filter (client side issue).

557786

GUI response is very slow when accessing Monitor > IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time).

564849

HA warning message remains after primary unit takes back control.

565309

Application groups improvements.

579711 Cannot run Security Rating due to disk issue (diagnose security-rating clean fails).

584314

NGFW mode should have a link to show all applications in the list.

584915

OK button missing on all pages (policy, interface, system settings) on Android mobile.

584939

VPN event logs shows incorrectly when adding two action filters and if the filter action filter contains "-".

585055

High CPU utilization by httpsd daemon if there are too many API connections.

585924

Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.

589709

Status icon in Tunnel column on IPsec Tunnels page should be removed.

593899

Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.

598725

Login page shows random characters when system language is not English.

599245

Nessus vulnerability scan tool reported more medium level vulnerabilities for 6.2.3 compared with the 6.2.2 result.

599284

pyfcgid crashed with signal 11 (Segmentation fault) received.

599401

FortiGuard quota category details displays No matching entries found for local category.

600120

Reduce the number of core used by httpsd for low-end platforms.

601568

Interface status is not displayed on faceplate when viewing from the System > HA page.

601653

When deleting an AV profile in the GUI, there is no confirmation message prompt.

602637

Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.

607972

FortiGate enters conserve mode when accessing Amazon AWS ISDB object.

601653

When deleting an AV profile in the GUI, there is no confirmation message prompt.

606074

Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3.

606428

GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface but sourced from a different IP.

610181

FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare.

611436

FortiGate displays a hacked webpage after selecting an IPS log.

615462

GUI takes 10-15 seconds to load Device Inventory, IPv4 Policy, and Interfaces pages.

617364

GUI does not list AliCoud SDN address filter.

620854

FG-101F GUI should not add speed to virtual switch member port.

HA

Bug ID

Description

588908

FG-3400E hasync reports the "Network is unreachable".

598937

Local user creation causes HA to be out of sync for several minutes.

601550

Application hasync crashes several times.

602266

The configuration of the SD-WAN interface gateway IP should not sync.

602406

In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the secondary unit.

613714

HA failover takes over one minute when monitored aggregate interface goes down on primary unit.

621621

Ether-type HA cannot be changed.

Intrusion Prevention

Bug ID

Description

565747

IPS engine 5.00027 has signal 11 crash.

586544

IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668

IPS engine 5.00035 has signal 11 crash.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

608501

IPS forwards attacks that are previously identified as dropped.

IPsec VPN

Bug ID

Description

516029

Remove the IPsec global lock.

589096

In IPsec after HA failover, performance regression and IKESAs is lost.

590633

Packet loss observed after ADVPN shortcut is created.

592361

Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.

594962

IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate in a remote peer gateway.

595810

Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.

597748

L2TP/IPsec VPN disconnects frequently.

603090

The OCVPN log file was not closed or properly trimmed due to the incorrect state_refcnt. The OCVPN log file stayed open, grew extremely large, and was never trimmed.

604334

L2TP disconnection when transferring large files.

607212

IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured.

609033

After two HA failovers, one VPN interface member of SD-WAN cannot forward packets.

611148

L2TP/IPsec does not send framed IP address in RADIUS accounting updates.

612319

MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and makes fragmentation high.

615360

OCVPN secondary hub cannot register.

622506

L2TP over IPsec tunnel established, but traffic cannot pass because wrong interface gets in route lookup.

Log & Report

Bug ID

Description

593557

Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.

602459

GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.

605174

Incorrect sentdelta/rcvddelta in statistic traffic logs.

606533

User observes FGT internal error while trying to log in from the web UI.

608565

FortiGate sends incorrect long session logs to FortiGate Cloud.

623471

FortiGate did not change the time after daylight savings time.

Proxy

Bug ID

Description

582475

WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

588661

Customer had issue accessing the HTTPS website after enabling the proxy web filter.

610466

Multiple WAD crash on FG-500D after upgrading from 6.2.3 (wad_url_filter_user_cat_load_entry.constprop.7).

629504

SSH status in SSL profile changes to deep-inspection from disable after upgrading.

REST API

Bug ID

Description

584631 REST API admin with token unable to configure HA setting (via login session works).

599516

When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

580207

Policy route does not apply to local-out traffic.

593951

Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.

597733

IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit.

599884

Traffic not following SD-WAN rules when one of the interfaces is VLAN.

600332

SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.

600830

SD-WAN health check reports have packet loss if response time is longer than the check interval.

600995

Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.

604390

FortiOS 6.2.3 by default drops reply packets received from a different interface (unlike 6.2.2).

Security Fabric

Bug ID

Description

599474

FortiGate SDN connector not seeing all available tag name-value pairs.

604670

Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system's timezone configuration.

SSL VPN

Bug ID

Description

505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.

558685

Two-factor authentication with FortiToken easily bypassed when using LDAP authentication.

563022

SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.

594416

Accessing FortiGate GUI through SSL VPN web mode causes Network > Interfaces page to return an error.

595627

Cannot access some specific sites through SSL VPN web mode.

598659

SSL VPN daemon crash.

599668

In SSL VPN web mode, page keeps loading after user authenticates into internal application.

599671

In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.

599960

RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed.

600103

Sslvpnd crashes when trying to query a DNS host name without a period (.).

602645

SSL VPN synology NAS web bookmark log in page does not work after upgrading to 6.2.3.

603957

SSL VPN LDAPS authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7.

605699

Internal HRIS website dropdown list box not loading in SSL VPN web mode.

613111

Traffic cannot pass through FortiGate in SSL VPN web mode if the user is a PKI peer.

616879

Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.

624197

SSL VPN web mode does not completely load the redirected corporate SSO page when accessing an internal resource.

Switch Controller

Bug ID

Description

517663

For a managed FortiSwitch already running the latest GA image, Upgrade Available tag shows unexpectedly.

588584

GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.

605864

If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface looses its CAPWAP setting.

607707

Unable to push configuration changes from FortiGate to FortiSwitch.

608231

LLDP policy did not download completely to the managed FortiSwitch 108Es.

613323

FortiSwitch trunk configuration sync issue after FortiGate failover.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

527459

SDN address filter unable to handle space character.

576337

SNMP polling stopped when FortiManager API script executed onto FortiGate.

578031

FortiManager Cloud cannot be removed once the FortiGate has trouble on contract.

582498

Traffic cannot be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress interface in a policy with IPS.

589079

QSFP interface goes down when the get system interface transceiver command is interrupted.

589723

Wrong source IP is bound for config system fortiguard.

590021

Enabling auto-asic-offload results in keeping action=deny in traffic log with an accept entry.

592570

VLAN switch does not work on FG-100E.

592827

FortiGate is not sending DHCP request after receiving offer.

594018

Update daemon is locked to one resolved update server.

594865

diagnose internet-service match does not return the IP value of the IP reputation database object.

595338

Unable to execute ping6 when configuring execute ping6-options tos, except for default.

595467

Invalid multicast policy created after transparent VDOM restored.

598527

ISDB may cause crashes after downgrading FortiGate firmware.

600032

SNMP does not provide routing table for non-management VDOM.

602523

DDNS monitor-interface uses the monitored interface if DDNS services other than FortiGuard DDNS are used.

602548

Some of the clients are not getting their IP through DHCP intermittently.

603194

NP multicast session remains after the kernel session is deleted.

603551

DHCPv6 relay does not work on FG-2200E.

604550

Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.

604699

Header line that is not freed might cause system to enter conserve mode in a transparent mode deployment.

607015

More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens quite often on some global NTP servers.

607452

Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash.

610900

Low throughput on FG-2201E for traffic with ECN flag enabled.

610903

SMC NTP functions are enabled on some of the models that do not support the feature.

612113

xcvrd attaches shared memory multiple times causing huge memory consumption.

621771

FortiGate cannot be accessed by ping/telnet/ssh/capwap in transparent VDOM.

626785

FG-101F should support the same WTP size (128) as FG-100F.

627409

Cannot create hardware switch on FG-100F.

Upgrade

Bug ID

Description

618809

Boot up may fail when downgrading from FOS 6.4.0 to 6.2.3.

649948

Upon upgrading to FortiOS 6.2.3 or 6.2.4, IKE/IPsec SAs are not synced to the primary when HA uninterruptible-upgrade is enabled. As a result, IPsec traffic from a client may be detected as having an invalid SPI until the client starts a new negotiation.

User & Device

Bug ID

Description

573317

SSO admin with a user name over 35 characters cannot log in after the first login.

591461

FortiGate does not send user IP to TACACS server during authentication.

592047

GUI RADIUS test fails with vdom-dns configuration.

596844

Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification.

593361

No source IP option available for OCSP certificate checking.

594863

UPN extraction does not work for particular PKI.

605206

FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate expiring in May 2020.

605404

FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects.

605437

FortiOS does not understand CMPv2 grantedWithMods response.

605950

RDP sessions are terminated (disconnect) unexpectedly.

VM

Bug ID

Description

575346

gui-wanopt cache missing under system settings after upgrading a FortiGate VM with two disks.

587180

FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

587757

FG-VM image unable to be deployed on AWS with additional HDD(st1) disk type.

596742

Azure SDN connector replicates configuration from primary unit to secondary unit during configuration restore.

597003

Unable to bypass self-signed certificates on Chrome in macOS Catalina.

598419

Static routes are not in sync on FortiGate Azure.

599430

FG-VM-AZURE fails to boot up due to rtnl_lock deadlock.

600975

Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time.

601357

FortiGate VM Azure in HA has unsuccessful failover.

601528

License validation failure log message missing when using FortiManager to validate a VM.

603426

AWS-PAYG in HA setup can lose its VM license after rebooting with certain setup.

603599

VIP in autoscale on GCP not syncing to other nodes.

605435

API call to associate elastic IP is triggered only when the unit becomes the primary device.

605511

FG-VM-GCP reboots a couple of times due to kernel panic.

606527

GUI and CLI interface dropdown lists are inconsistent.

608881

IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

609283

IP pools are synchronized in FortiGate Azure HA.

612611

Very hard to download image for FG-AWSONDEMAND from FDS.

613730

Unable to update routing table for a resource group in a different subscription with FortiGate Azure SDN.

622031

azd keeps crashing if Azure VM contains more than 15 tags.

Web Filter

Bug ID

Description

593203

Cannot enter a name for a web rating override and save—error message appears when entering the name.

WiFi Controller

Bug ID

Description

563630

Kernel panic observed on FWF-60E.

599690

Unable to perform COA with device MAC address for 802.1x wireless connection when use-management-vdom is enabled.

601012

When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code.

615219

FortiGate cannot create WTP entry for FortiAP in transparent mode.