Known issues
The following issues have been identified in version 6.2.3. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description |
---|---|
563250 | Shared memory does not empty out properly under /tmp. |
Data Leak Prevention
Bug ID | Description |
---|---|
591178 | WAD fails to determine the correct file name when downloading a file from Nextcloud. |
DNS Filter
Bug ID | Description |
---|---|
582374 | License shows expiry date of 0000-00-00. |
Explicit Proxy
Bug ID | Description |
---|---|
540091 | Cannot access explicit FTP proxy via VIP. |
594580 | FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message. |
594598 | Enabling proxy policies (+400) increases memory by 30% and up to 80% total. |
603707 | The specified port configurations of |
605209 | LDAP ignores |
Firewall
Bug ID | Description |
---|---|
593103 | When a policy denies traffic for a VIP and |
595044 | Get new CLI signal 11 crash log when performing |
595790 | Hit Count column does not work for security policy with multiple VDOMs. |
598559 | ISDB matches all objects and chooses the best one based on their weight values and the firewall policy. |
599253 | GUI traffic shaper Bandwidth Utilization should use KBps units. |
600644 | IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies. |
601331 | Virtual load-balance VIP and intermittent HTTP health check failures. |
604886 | Session stuck in proto_state=61 only when flow-based AV is enabled in the policy. |
606834 | Adding more than one dynamic FSSO firewall address results in GUI and CLI error. |
FortiView
Bug ID | Description |
---|---|
592309 | On FortiGate with double loop FortiSwitches, FortiView physical topology page cannot load; get Failed to get FortiView data error message. |
635309 | FortiGate returns error 500 when trying to view Compromised Hosts, but FortiAnalyzer has a valid IoC license. |
GUI
Bug ID | Description |
---|---|
354464 | AntiVirus profile in GUI should not override quarantine archive value. |
514632 | Inconsistent |
529094 | Anti-Spam Black White List Entry in GUI permits action Mark as Reject in GUI when it should not. |
535099 | GUI should add support for new MAC address filter in SSID dialog page. |
541042 | Log viewer forward traffic cannot support double negate filter (client side issue). |
557786 | GUI response is very slow when accessing Monitor > IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time). |
564849 | HA warning message remains after primary unit takes back control. |
565309 | Application groups improvements. |
579711 | Cannot run Security Rating due to disk issue (diagnose security-rating clean fails). |
584314 | NGFW mode should have a link to show all applications in the list. |
584915 | OK button missing on all pages (policy, interface, system settings) on Android mobile. |
584939 | VPN event logs show incorrectly when adding two action filters and if the filter action filter contains "-". |
585055 | High CPU utilization by httpsd daemon if there are too many API connections. |
585924 | Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages. |
589709 | Status icon in Tunnel column on IPsec Tunnels page should be removed. |
593899 | Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error. |
598725 | Login page shows random characters when system language is not English. |
599245 | Nessus vulnerability scan tool reported more medium level vulnerabilities for 6.2.3 compared with the 6.2.2 result. |
599284 | |
599401 | FortiGuard quota category details displays No matching entries found for local category. |
600120 | Reduce the number of cores used by httpsd for low-end platforms. |
601568 | Interface status is not displayed on faceplate when viewing from the System > HA page. |
601653 | When deleting an AV profile in the GUI, there is no confirmation message prompt. |
602637 | Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3. |
607972 | FortiGate enters conserve mode when accessing Amazon AWS ISDB object. |
606074 | Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3. |
606428 | GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface but sourced from a different IP. |
610181 | FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare. |
611436 | FortiGate displays a hacked webpage after selecting an IPS log. |
615462 | GUI takes 10-15 seconds to load Device Inventory, IPv4 Policy, and Interfaces pages. |
617364 | GUI does not list AliCloud SDN address filter. |
620854 | FG-101F GUI should not add speed to virtual switch member port. |
638752 | FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface. |
HA
Bug ID | Description |
---|---|
588908 | FG-3400E |
598937 | Local user creation causes HA to be out of sync for several minutes. |
601550 | Application |
602266 | The configuration of the SD-WAN interface gateway IP should not sync. |
602406 | In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the secondary unit. |
613714 | HA failover takes over one minute when monitored aggregate interface goes down on primary unit. |
621621 | Ether-type HA cannot be changed. |
Intrusion Prevention
Bug ID | Description |
---|---|
565747 | IPS engine 5.00027 has signal 11 crash. |
586544 | IPS intelligent mode not working when reflect sessions are created on different physical interfaces. |
587668 | IPS engine 5.00035 has signal 11 crash. |
590087 | When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit. |
608501 | IPS forwards attacks that are previously identified as dropped. |
IPsec VPN
Bug ID | Description |
---|---|
516029 | Remove the IPsec global lock. |
589096 | After HA failover in IPsec, there is a performance regression and IKE SAs are lost. |
590633 | Packet loss observed after ADVPN shortcut is created. |
592361 | Cannot pass traffic over ADVPN if: |
594962 | IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate in a remote peer gateway. |
595810 | Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection. |
597748 | L2TP/IPsec VPN disconnects frequently. |
603090 | The OCVPN log file was not closed or properly trimmed due to the incorrect state_refcnt. The OCVPN log file stayed open, grew extremely large, and was never trimmed. |
604334 | L2TP disconnection when transferring large files. |
607212 | IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured. |
609033 | After two HA failovers, one VPN interface member of SD-WAN cannot forward packets. |
611148 | L2TP/IPsec does not send framed IP address in RADIUS accounting updates. |
612319 | MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and makes fragmentation high. |
615360 | OCVPN secondary hub cannot register. |
622506 | L2TP over IPsec tunnel established, but traffic cannot pass because wrong interface gets in route lookup. |
Log & Report
Bug ID | Description |
---|---|
593557 | Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address. |
602459 | GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion. |
605174 | Incorrect |
606533 | User observes |
608565 | FortiGate sends incorrect long session logs to FortiGate Cloud. |
623471 | FortiGate did not change the time after daylight savings time. |
Proxy
Bug ID | Description |
---|---|
582475 | WAD is crashing with signal 6 in |
610466 | Multiple WAD crash on FG-500D after upgrading from 6.2.3 ( |
629504 | SSH status in SSL profile changes to |
REST API
Bug ID | Description |
---|---|
584631 | REST API admin with token unable to configure HA setting (via login session works). |
599516 | When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access. |
Routing
Bug ID | Description |
---|---|
537354 | BFD/BGP dropping when |
580207 | Policy route does not apply to local-out traffic. |
593951 | Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based. |
597733 | IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit. |
599884 | Traffic not following SD-WAN rules when one of the interfaces is VLAN. |
600332 | SD-WAN GUI page bandwidth shows 0 issues when there is traffic running. |
600830 | SD-WAN health check reports have packet loss if response time is longer than the check interval. |
600995 | Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2. |
604390 | FortiOS 6.2.3 by default drops reply packets received from a different interface (unlike 6.2.2). |
Security Fabric
Bug ID | Description |
---|---|
599474 | FortiGate SDN connector not seeing all available tag name-value pairs. |
604670 | Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system's |
SSL VPN
Bug ID | Description |
---|---|
505986 | On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication. |
558685 | Two-factor authentication with FortiToken easily bypassed when using LDAP authentication. |
563022 | SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy. |
594416 | Accessing FortiGate GUI through SSL VPN web mode causes Network > Interfaces page to return an error. |
595627 | Cannot access some specific sites through SSL VPN web mode. |
598659 | SSL VPN daemon crash. |
599668 | In SSL VPN web mode, page keeps loading after user authenticates into internal application. |
599671 | In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section. |
599960 | RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed. |
600103 | Sslvpnd crashes when trying to query a DNS host name without a period (.). |
602645 | SSL VPN synology NAS web bookmark log in page does not work after upgrading to 6.2.3. |
603957 | SSL VPN LDAPS authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7. |
605699 | Internal HRIS website dropdown list box not loading in SSL VPN web mode. |
613111 | Traffic cannot pass through FortiGate in SSL VPN web mode if the user is a PKI peer. |
616879 | Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer. |
624197 | SSL VPN web mode does not completely load the redirected corporate SSO page when accessing an internal resource. |
Switch Controller
Bug ID | Description |
---|---|
517663 | For a managed FortiSwitch already running the latest GA image, Upgrade Available tag shows unexpectedly. |
588584 | GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM. |
605864 | If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting. |
607707 | Unable to push configuration changes from FortiGate to FortiSwitch. |
608231 | LLDP policy did not download completely to the managed FortiSwitch 108Es. |
613323 | FortiSwitch trunk configuration sync issue after FortiGate failover. |
System
Bug ID | Description |
---|---|
464340 | EHP drops for units with no NP service module. |
527459 | SDN address filter unable to handle space character. |
576337 | SNMP polling stopped when FortiManager API script executed onto FortiGate. |
578031 | FortiManager Cloud cannot be removed once the FortiGate has trouble on contract. |
582498 | Traffic cannot be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress interface in a policy with IPS. |
589079 | QSFP interface goes down when the |
589723 | Wrong source IP is bound for |
590021 | Enabling |
592570 | VLAN switch does not work on FG-100E. |
592827 | FortiGate is not sending DHCP request after receiving offer. |
594018 | Update daemon is locked to one resolved update server. |
594865 | |
595338 | Unable to execute |
595467 | Invalid multicast policy created after transparent VDOM restored. |
598527 | ISDB may cause crashes after downgrading FortiGate firmware. |
600032 | SNMP does not provide routing table for non-management VDOM. |
602523 | DDNS |
602548 | Some of the clients are not getting their IP through DHCP intermittently. |
603194 | NP multicast session remains after the kernel session is deleted. |
603551 | DHCPv6 relay does not work on FG-2200E. |
604550 | Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0. |
604699 | Header line that is not freed might cause system to enter conserve mode in a transparent mode deployment. |
607015 | More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens quite often on some global NTP servers. |
607452 | Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash. |
610900 | Low throughput on FG-2201E for traffic with ECN flag enabled. |
610903 | SMC NTP functions are enabled on some of the models that do not support the feature. |
610976 | Get kernel panic when creating VLAN on GENEVE interface. |
612113 | xcvrd attaches shared memory multiple times causing huge memory consumption. |
617453 | fgfmsd crash due to REST agent. |
621771 | FortiGate cannot be accessed by ping/telnet/ssh/capwap in transparent VDOM. |
626785 | FG-101F should support the same WTP size (128) as FG-100F. |
627409 | Cannot create hardware switch on FG-100F. |
Upgrade
Bug ID | Description |
---|---|
649948 | Upon upgrading to FortiOS 6.2.3 or 6.2.4, IKE/IPsec SAs are not synced to the primary when HA |
User & Device
Bug ID | Description |
---|---|
573317 | SSO admin with a user name over 35 characters cannot log in after the first login. |
591461 | FortiGate does not send user IP to TACACS server during authentication. |
592047 | GUI RADIUS test fails with |
596844 | Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification. |
593361 | No source IP option available for OCSP certificate checking. |
594863 | UPN extraction does not work for particular PKI. |
605206 | FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate expiring in May 2020. |
605404 | FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects. |
605437 | FortiOS does not understand CMPv2 |
605950 | RDP sessions are terminated (disconnect) unexpectedly. |
VM
Bug ID | Description |
---|---|
575346 | |
587180 | FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host. |
587757 | FG-VM image unable to be deployed on AWS with additional HDD(st1) disk type. |
596742 | Azure SDN connector replicates configuration from primary unit to secondary unit during configuration restore. |
597003 | Unable to bypass self-signed certificates on Chrome in macOS Catalina. |
598419 | Static routes are not in sync on FortiGate Azure. |
599430 | FG-VM-AZURE fails to boot up due to |
600975 | Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time. |
601357 | FortiGate VM Azure in HA has unsuccessful failover. |
601528 | License validation failure log message missing when using FortiManager to validate a VM. |
603426 | AWS-PAYG in HA setup can lose its VM license after rebooting with certain setup. |
603599 | VIP in autoscale on GCP not syncing to other nodes. |
605435 | API call to associate elastic IP is triggered only when the unit becomes the primary device. |
605511 | FG-VM-GCP reboots a couple of times due to kernel panic. |
606527 | GUI and CLI interface dropdown lists are inconsistent. |
608881 | IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup. |
609283 | IP pools are synchronized in FortiGate Azure HA. |
612611 | Very hard to download image for FG-AWSONDEMAND from FDS. |
613730 | Unable to update routing table for a resource group in a different subscription with FortiGate Azure SDN. |
622031 | azd keeps crashing if Azure VM contains more than 15 tags. |
Web Filter
Bug ID | Description |
---|---|
593203 | Cannot enter a name for a web rating override and save—error message appears when entering the name. |
WiFi Controller
Bug ID | Description |
---|---|
563630 | Kernel panic observed on FWF-60E. |
599690 | Unable to perform COA with device MAC address for 802.1x wireless connection when |
601012 | When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code. |
615219 | FortiGate cannot create WTP entry for FortiAP in transparent mode. |