Downloading a file with FTP client in EPSV mode will hang.

DNS filtering does not perform well on the zone transfer when a large DNS zone's AXFR response consists of one or more messages.

7K DNS filter breaking DNS zone transfer.

DNS translation is not working when request is checked against the local FortiGate.

DNS filter explicit block all (wildcard FQDN) not working in 6.2 firmware.

In domain threat feed, some URLs cannot be fetched due to SSL error.

Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

FortiGate does not generate traffic logs for SOCKS proxy.

WAD cannot learn policy if multiple policies use the same FQDN address.

FSSO-based NTLM sessions from explicit proxy do not respect timeout duration and type.

urfilter process does not started when adding a category as dstaddr in a proxy policy with the deny action.

Editing a policy in the GUI changes the FSSO setting to disable.

FortiGate sends type-3 code-1 IP unreachable for VIP.

Policy push from FortiManager failed due to abandoned ISDB entry.

NGFW default block page partially loads.

Adding too many address objects to a local-in policy causes all blocking to fail.

Should not be allowed to rename VIP or address with the same name as an existing VIP group or address group object.

Samsung OEM internet browser cannot connect to FortiGate VS/VIP.

GUI does not show byte information for aggregate and VLAN interface.

Should hide Override internal DNS option if vdom-dns is set to disable.

When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.

Add a tooltip for IPS Rate Based Signatures.

There is no uptime information in the HA Status widget for the secondary unit's GUI.

A message stating that all source interfaces have no members is erroneously displayed for the explicit proxy policy list when a user enables a policy immediately after pasting or inserting it into the list.

Options 150, 15, and 51 for the DHCP server should not be shown after removing them and having no related configuration in the backend.

Interface filter gets incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.

SD-WAN member number is not correct in Interfaces page.

Compliance events GUI page does not load when redirected from the advanced compliance page.

GUI shows wrong relationship between VLAN and physical interface after adding them to a zone.

Editing system interface in the GUI causes explicit-web-proxy to become disabled.

Get "Fail to retrieve info" for default VDOM link on Network > Interfaces page.

Not possible to select value for DN field in LDAP GUI browser.

Hardware Switch row is shown indicating a number of interfaces but without any interfaces below.

Cannot disable CORS setting on GUI.

GUI navigation menu notification should match with issue in the dialog box.

OK button greyed out when editing an interface that has DHCP option 224 in the list with FortiClient-On-Net Status enabled.

Get "Internal Server Error" when editing an aggregate link that has a name with a space in it.

Suggest GUI Interfaces list includes SIT tunnels.

Cannot change MAC address setting when configuring a reserved DHCP client.

LACP aggregate interface flaps when adding/removing a member interface (first position in member list).

"Failed to retrieve info" message appears for ha-mgmt-interface in Network > Interfaces.

Hovering mouse over FortiExtender virtual interface shows incorrect information.

GUI does not display the status for VLAN and loopback in the Network > Interfaces > Status column.

In Log & Report, filtering for blank values (None) always shows no results.

Virtual IPs page should not show port range dialog box when the protocol is ICMP.

Admin with netgrp privilege unable to get interface page and got pyfcgid crash (signal 11 (Segmentation fault)).

Scripts pushed from FortiCloud do not show up in System > Advanced Settings when FortiCloud remote access is used.

The tooltip for VLAN interfaces displays as "Failed to retrieve info".

Network mask of a VPN interface is changed to 255.255.255.255 without an actual configuration change.

When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via the management tunnel.

Change/remove FortiCloud standalone reference.

Warning messages for third-party transceivers were removed in 6.2.1 to prevent excessive RMA or support tickets. In 6.2.2, warnings were re-added for third-party transceivers.

New interface pair consolidated policy added via CLI is not displayed on GUI policy page.

Application Name field shows vuln_id for custom signature, not its application name in logs.

Cannot save DHCP Relay configuration when the Relay IP address list is separated by a comma.

SSL VPN Settings page shows undefined error.

FortiGate without disk email alert settings page should remove Disk usage exceeds option.

Signature name should be shown when VDOM admin has WAF read/write permission only.

Empty firmware version in managed FortiSwitch from FortiGate GUI.

Connected routes in the routing monitor are showing up with 1969/12/31 18:59:59 for Up Since times.

Email filter page keeps loading and cannot create a new profile when the VDOM admin only has emailfilter permission.

Filtering service availability check always fails once anycast is enabled and override server is set.

Internal server error while trying to create a new interface.

Issue with application and filter overrides.

Add Selected button does not show up under FSSO Fabric Connector with custom admin profile.

GUI does not have the option to disable the interface when creating a VLAN interface.

When the link status is up, the aggregate interface status icon is incorrectly displayed in red.

No matching IPS signatures are found when Severity or Target filter is applied.

Enable/disable Disarm and Reconstruction in the GUI only affects the SMTP protocol in AV profiles.

When logged in as administrator with web filter read/write only privilege, the Web Rating Overrides GUI page cannot load.

The Interface Pair View option is always unavailable for the Proxy Policy list.

Wrong warning message, All source interface(s) has no members, appears in Proxy Policy page.

If the Endpoint Control feature is disabled, the exempt options for captive portal are not shown in the GUI.

WAN Opt. Monitor displays Total Savings as negative integers during file transfers.

Option to reset statistics from Monitor > WAN Opt. Monitor in GUI does not clear the counters.

Web filter profile warning message when logged in with read/write admin on VDOM environment.

VIPs dialog page should be able to create VIP with the same extip/extport but different source IP address.

DHCP offset option 2 has to be removed before changing the address range for the DHCP server in the GUI.

Interface hierarchy is not respected in the GUI when a LAG interface belongs to SD-WAN and its VLANs belong to a zone.

Secondary unit fails to send and receive HA heartbeat when configuring cfg-revert setting on FG-2500E.

In HA, management-ip that is set on a hardware switch interface does not respond to ping after executing reboot.

HA failing config sync on VM01 with error (secondary and primary unit have different hdisk status) when primary unit is pre-configured.

HA secondary unit sending out GARP packets in 16-20 seconds after HA monitored interface failed.

default-gateway injected by dynamic-gateway on PPP interface deleted by other interface down.

exe backup disk alllogs ftp command causes FortiGate to enter conserve mode.

Moving VDOM via GUI between virtual clusters causes cluster to go out of sync and VDOM state work/standby does not change.

HA secondary unit unable to get checksum from primary unit. HA sync in Z state.

Signal 14 alarm crashes were observed on DFA rebuild.

IPS engine 5.030 signal 14 alarm clock crash at nturbo_on_event.

OCVPN cannot register—status "Undefined".

IKEv2 with EAP peer ID authentication validation does not work.

ADVPN connections from the hub disconnects one-by-one and IKE gets stuck.

Action field in traffic log cannot record security policy action—it shows the consolidated policy action.

No traffic log after reducing miglogd child to 1.

FortiOS 6.0.6 reports too long VPN tunnel durations in local report.

FortiGate sends change notice for global REST APIs once a minute.

Log viewer application control cannot show any logs (page is stuck loading).

Log filter can return empty result when there are too many logs, but the filter result is small.

IPS logs set srcintf(role)/dstinf(role) reversely at the time of IPS signature reverse pattern.

When refreshing logs in GUI, some log_se processes are running extremely long and consuming CPU.

Miglogd still uses the daylight savings time after the daylight savings end.

sentdelta and rcvddelta showing 0 if syslog format is set to CSV.

sentdelta and rcvddelta log fields appears as 0 in syslog CEF format.

External resource does not support no content length.

WAD crash with signal 11.

WAD crash causing traffic interruption.

High CPU with authd process caused by WAD paring multiple line content-encoding error and IPC broken between wad and authd.

Policy in proxy-based mode with AV and WAF profile denies access to Nginx with enabled gzip compression.

WAD reads ftp over-limit multi-line response incorrectly.

WAD crash for wad_ssl_port_on_ocsp_notify.

In case of TLS 1.3 with certificate inspection and a certificate with an empty CN name, WAD workers would locate a random size for CN name and then cause unexpected high memory usage in WAD workers.

Potential memory leak that will be triggered by certificate inspection CIC connection in WAD.

WAD crash due to user learned from proxy not purged from the kernel when user is deleted from proxy or zone with empty interface member.

Slow download speed in proxy-based mode compared to flow-based mode.

WAD memory leak detected on cert_hash in wad_ssl_cert.

OSPF translated type 5 LSA not flushed according to RFC-3101.

SD-WAN health-check keep records useless logs under some circumstances.

FortiOS 6.2.1 introduces asymmetric return path on the hub in SD-WAN after the link change due to SLA on the spoke.

ISDB ID is changed after restoring the configuration under the situation where the FortiGate has a previous ISDB version.

SD-WAN option of set gateway enable/set default enable override available on connected routes.

In transparent mode with asymmetric routing, packet in the reply direction does not use asymmetric route.

There is no indication in proute if the SD-WAN service is default or not.

IPv6 route cannot be inactive after link-monitor is down when link-monitor are set with ipv4 and ipv6.

After failover/recovery of link, E2 route with non-zero forward address recurses to itself as a next hope.

Routing monitor policy view cannot show source and destination data for SD-WAN route and wildcard destination.

SD-WAN rules route-tag still used in service rule but not in diagnose sys virtual-wan-link route-tag-list.

Link monitor with tunnel as srcintf cannot recover after remote server down/up.

FortiGate sends malformed OSPFv3 LSAReq/LSAck packets on interfaces with MTU = 9k.

OSPF NSSA with multiple ASBRs losing valid external OSPF routes in upstream neighbors as different ASBRs are power cycled.

Routing table is not always updated when BGP gets an update with changed next hop.

Unable to create the IPsec VPN directly in Network > SD-WAN.

FGCP dynamic objects are not populated in the secondary unit.

Security Fabric widget keeps loading when FortiSwitches are in a loop, or the FortiSwitch is in MCLAG mode.

Invalid CIDR format shows as valid by the Security Fabric threat feed.

Threat Feeds show the URL is invalid if there is a special character in the URL.

ACI SDN connector dynamic address cannot be resolved.

In some special cases, SSL VPN main state machine reads function pointer is empty that will cause SSL VPN daemon crash.

Cannot fully load a website through SSL VPN bookmark.

When accessing ACT application through SSL VPN web mode, the embedded calendar request gets wrong response and redirects to login page.

SSL VPN web mode not displaying custom web application's JavaScript parts.

FSSO groups set in rule with SSL VPN interface.

Fails to load bookmark site over SSL VPN portal.

Unable to access https://outlook.office365.com as bookmark in SSL VPN web mode.

Support HSTS include SubDomains and preload option under SSL VPN settings.

When the SSL VPN portal theme is set to red, the style is lost in the SSL VPN portal.

A VPN SSL bookmark failed to load the Proxmox GUI interface.

Unable to download report from an internal server via SSL VPN web mode connection.

The policy "script-src 'self'" will block the SSL VPN proxy URL.

SAML login is not stable for SSL VPN, it requires restarting sslvpnd to enable the function.

SSL handshake failure with Server Architect in web mode.

There is no OS support for the latest macOS Catalina version (10.15) when using SSL VPN tunnel mode.

SSL VPN web portal bookmarks cannot resolve hostname.

SSO does not correctly URL-encode POST-ed credentials.

href rewrite has some issues with the customer's JS file.

https://outlook.office365.com cannot be accessed in SSLVPN web portal.

After sslvpn proxy, some Kurim JS files run with an error.

sslvpnd crashed on FortiGate.

SSL VPN bookmark does not load Google Maps on internal server.

Cannot access HTTPS bookmark, get a blank page.

SSL VPN logs out after some users click through the remote application.

Screen shot feature is not working though SSL VPN portal.

Cannot access https://cdn.i-ready.com through SSL VPN web portal.

SSL VPN web mode goes to 99% on a specific bookmark.

sslvpnd worker process crashes, causing a zombie tunnel session.

Internal website not working in SSL VPN web mode.

FortiSwitch managed by FortiGate not updating the RADIUS settings and user group in the FortiSwitch.

Adding factory-reset device to HA fails with switch-controller.qos settings in root.

TCP traffic with tcp_ecn tag cannot go through ipip ipv6 tunnel with NP6 offload enabled.

X.509 certificate support required for FGFM portocol.

Router info does not update after plugging out/plugging in USB modem.

FortiGuard filtering services show as unavailable for read-only admin.

FGR-30D cannot add ports SFP1 and SFP2 on a virtual hardware switch.

HPE does not protect against DDoS attacks like flood on IKE and BGP destination ports.

Aggregate link does not work for LACP mode active for FG-60E internal ports but works for wan1 and wan2 combination.

RX/TX counters for VLAN interfaces based on LACP interface are 0.

There was a hardware defect in an earlier revision of SSD used for FG-61E. When powering off then powering on in a very short time, the SSD may jump into ROM mode and cannot recover until a power circle.

Making a change to a policy through inline editing is very slow with large table sizes.

Session TTL expiry timer is not reset for VLAN traffic when offloading is enabled.

ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.

Missing mpsk-schedules option when restoring configuration via VDOM.

FG-80D and FG-92D kernel error in CLI during FortiGate boot up.

FG-3980E VLANs over LAG interface show no TX/RX statistics.

High CPU usage due to dnsproxy process as high at 99%.

Problems with cmdbsvr while handling a large number of FSSO address groups and security policies.

FG-201E stops sending out packets and NP6lite is stuck.

SSH/RDP sessions are terminated unexpectedly.

Session clash event log found on FG-6500F when passing a lot of the same source IP ICMP traffic over load-balance VIP.

Enabling offloading drops fragmented packets.

fgfmsd crashed with signal 11 when some code accesses a VDOM that has been deleted, but does not check the return value from CMDB query.

Script to purge and re-create a local-in-policy ran against the remote FortiGate directly (in the CLI) is causing auto-update issues.

Console outputs unregister_netdevice error on UoM setup.

NTPD does not requery the DNS server unless it restarts.

GUI cannot show default Fortinet logo for replacement messages.

When an SD-WAN member is disabled or VWL is disabled, snmpwalk shows "No Such Object available on this agent at this OID" message.

FortiGate sends ICMP type 3 code 3 (port unreachable) for UDP 500 and UDP 520 against vulnerability scan.

NetFlow traffic records sent with wrong interface index 0 (inputint = 0 and outputint = 0).

get system inter transceiver reports error for some transceivers.

Kernel crashes when sniffing packets on interfaces that are related to EMAC VLAN.

FortiGate returns invalid configuration during FortiManager retrieving configuration.

EMAC VLAN drops traffic when asymmetric roue enabled on internet VDOM.

Local system DNS setting instead of DNS setting acquired from upstream DHCP server was assigned to client under management VDOM.

Dedicated management CPU running on high CPU (soft IRQ).

alertemail username length cannot go beyond 35 characters.

OID for the IPsec VPN phase 2 selector only displays the first one on the list.

Cannot change the mask for an existing secondary IP on interfaces.

FortiGate got rebooted automatically due to kernel crash.

diagnose hardware test suite all fails due to FortiLink loopback test.

FortiGate accepts invalid configuration from FortiManager.

Communication over PPPoE fails after installing PPPoE configuration from FortiManager.

SOC4 devices may reboot by watchdog after upgrading to FortiOS 6.2.2 (build 6083).

Affected platforms: FG-60F, FG-61F, FG-100F, and FG-101F.

Constant DHCPD crashes.

Local FSSO poller regularly missing logon events.

Wrong categorization of OS from device detection.

Brief connectivity loss on shared service when RDP session is logged in to from local device.

Authentication list entry is not created/updated after changing the client PC with another user in FSSO polling mode.

The session to the SQL database is closed as timeout when a new user logs in to terminal server.

fnbamd takes high CPU usage and user not able to authenticate.

Mobile token authentication does not work for SSL VPN on SOC3 platforms.

Affected models include: FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-100E, FG-100EF, FG-101E, FG-140E, FWF-60E, FWF-61E.

Gmail POP3 authentication fails with certificate error since version 6.0.5.

RADIUS state attribute truncated in access request when using third-party MFA (ping ID).

Client PC matching multiple authentication methods (firewall, FSSO, RSSO, WSSO) may not be matched to NGFW policies correctly.

Only one CPU core in AWS is being used for traffic processing.

vMotion tasks cause connections to be dropped as sessions related to vMotion VMs do not appear on the destination VMX.

Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for registration.

EIP does not failover if the primary FortiGate is rebooted or stopped from the Alibaba Cloud console.

FGCP cluster member reboots in infinite loop and hatalk daemon dumps the core with segmentation fault.

Azure SDN connector unable to connect to Azure Kubneretes integrated with AAD.

VM deployed in ESX platform with VMXNET3 does not show the correct speed and duplex settings.

FG-VM-LENC unable to validate new license.

Azure FortiGate crashing frequently when MLX4 driver RX jumbo.

VLAN not working on FortiGate in a Hyper-V deployment.

Allow PAYG AWS VM to bootstrap the configuration first before acquiring FortiCare license.

Azure FortiGate-VM (BYOL) unable to boot up when loading a lower vCPU license than the instance's vCPU.

Azure autoscale not syncing after upgrading to 6.2.2.

In Alibaba Cloud, multiple VPC route entries fail to switch when HA fails over.

HA not fully failing over when using OCI.

FG-VM64-AWS not responding to ICMP6 request when destination IPv6 address is in the neighbor cache entry.

In NGFW mode, Security Profiles GUI is missing Web Rating Overrides page.

Wrong web filter category when using flow-based inspection.

Administrator logged in with web filter read/write privilege cannot create or edit web filter profiles in the GUI.

When editing a FortiAP profile on the FortiGate web UI, the previously selected SSID group(s) cannot be displayed.

When FortiAP is managed with cross VDOM links, the WiFi client cannot join to SSID when auto-asic-offload is enabled.

Errors pop up while creating or editing as SSID.

WPA2-Enterprise SSID should support acct-all-servers setting in RADIUS to send accounting messages to all servers.

FortiAP unable to connect to FortiGate via IPsec VPN tunnel with dtls-policy clear-text.

FortiOS GUI cannot support FAP-U431F and FAP-U433F profiles.

Captive portal (disclaimer) redirect not working for Android phones.

FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

• CVE-2007-6750

FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

• CVE-2019-17655

FortiOS 6.2.3 is no longer vulnerable to the following CVE Reference:

• CVE-2019-15703