Fortinet Document Library

Resolved issues

The following issues have been fixed in version 6.2.4. For inquiries about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID    Description
557998    Quarantined CDR files cannot be downloaded. Encountered 404 error when clicking Archived File.
563250    Shared memory does not empty out properly under /tmp.
594696    Sample file eicar.exe cannot pass through SMTPS, POP3S, or IMAPS with deep inspection and flow enabled on IPv6 policy.

Data Leak Prevention

Bug ID    Description
563447    Cannot download DLP archived file from GUI for HTTPS, FTPS, SMTP and SMTPS.
571171    Excessive false positives for credit card DLP profiles.
574722    DLP blocks Gmail with deep inspection.
591178    WAD fails to determine the correct file name when downloading a file from Nextcloud.

Explicit Proxy

Bug ID    Description
589166    EPSV does not work when using an FTP proxy.
594580    FTP traffic over HTTP explicit proxy does not generate traffic logs after receiving an error message.
594598    Enabling 400+ proxy policies increases memory usage by 30%, up to 80% in total.
603707    The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.
605209    LDAP ignores source-ip with web proxy Kerberos authentication.

Firewall

Bug ID    Description
593103    When a policy denies traffic for a VIP and send-deny-packet is enabled, the ICMP unreachable message references the mapped address, not the external address.
595044    New CLI signal 11 crash log when performing execute internet-service refresh.
595790    Hit Count column does not work for security policy with multiple VDOMs.
596218    ISDB ID is missing when configuring internet service group objects.
598559    ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.
599253    GUI traffic shaper Bandwidth Utilization should use KBps units.
600051    Cannot establish the connection to the real servers using VIP server load-balancing after upgrading to FortiOS 6.2.2.
600644    IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.
601331    Virtual load-balance VIP and intermittent HTTP health check failures.
604886    Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.
606834    Adding more than one dynamic FSSO firewall address results in GUI and CLI error.
611840    Firewall policy search with decimal in the name fails in GUI.

FortiView

Bug ID    Description
592309    FortiView physical topology page cannot load; get Failed to get FortiView data error message.

GUI

Bug ID    Description
557786    GUI response is very slow when accessing IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long time).
565309    Application groups improvements.
579711    Cannot run Security Rating due to disk issue (diagnose security-rating clean fails).
584314    NGFW mode should have a link to show all applications in the list.
585055    High CPU utilization by httpsd daemon if there are too many API connections.
585924    Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.
589709    Status icon in Tunnel column on IPsec Tunnels page should be removed.
593624    GUI behavior is different with local user using super admin profile and TACACS user using super admin profile.
593899    Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.
598247    One-minute Memory, CPU, and Sessions widgets stopped updating after system entered and exited conserve mode.
598725    Login page shows random characters when system language is not English.
599245    Nessus vulnerability scan tool reported more medium level vulnerabilities for 6.2.3 compared with the 6.2.2 result.
599284    pyfcgid crashed with signal 11 (Segmentation fault) received.
599401    FortiGuard quota category details displays No matching entries found for local category.
599612    GUI should allow user to create redundant IPsec tunnel over different interface to the same remote gateway.
600120    Reduce the number of cores used by httpsd for low-end platforms.
601653    When deleting an AV profile in the GUI, there is no confirmation message prompt.
602637    Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.
602692    Security Rating result for SSL VPN certificate fails when using a 384-bit elliptic curve certificate.
603583    Data source is missing in child table entries in a complex type property.
603913    GUI should add interface value check when creating a new zone.
605493    Admin cannot log in to FortiGate GUI.
605677    System goes into conserve mode when editing ISDB entries through GUI.
606074    Interfaces are missing in the GUI in the IPv4 Policy and SSL-VPN Settings sections after upgrading from 6.2.2 to 6.2.3.
606394    DPD setting in GUI cannot be reflected correctly when Dialup User and On Demand are set by the IPsec wizard.
606428    GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface but sourced from a different IP.
607296    Firewall address page keeps loading addresses with read-write permission.
607972    FortiGate enters conserve mode when accessing Amazon AWS ISDB object.
609064    Revoke Token in GUI reports URL not found on server.
610181    FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare.
610573    When saving configuration under global interface, explicit proxy settings are removed.
611436    FortiGate displays a hacked web page after selecting an IPS log.
615085    Slow GUI response with httpsd intermittently consuming high CPU when GUI is accessed.
615462    GUI takes 10-15 seconds to load Device Inventory, IPv4 Policy, and Interfaces pages.
617364    GUI does not list AliCloud SDN address filter.

HA

Bug ID    Description
530215, 601550    Application hasync might crash several times due to accessing out-of-bounds memory when processing hastats data.
588908    FG-3400E hasync reports the network is unreachable.
596575    HA active-active primary unit attempts to steer HTTP and SMTP sessions to secondary unit over NPU-VLINK interfaces.
596837    Deleting tunnel on primary unit via API call will not delete it from the secondary unit.
598937    Local user creation causes HA to be out of sync for several minutes.
602266    The configuration of the SD-WAN interface gateway IP should not sync.
602406    In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the secondary unit.
613714    HA failover takes over one minute when monitored aggregate interface goes down on primary device.
621621    Ether-type HA cannot be changed.

Intrusion Prevention

Bug ID    Description
605610    Security Policy page is slow to load due to empty security firewall statistic returning from IPS engine.
608501    IPS forwards attacks that were previously identified as dropped.

IPsec VPN

Bug ID    Description
516029    Remove the IPsec global lock.
557812    IPsec does not support the new interface-subnet type in its phase2-interface and ipv4-split-include settings for dialup VPN.
589096    In IPsec after HA failover, performance regression and IKE SAs are lost.
590633    Packet loss observed after ADVPN shortcut is created.
594962    IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate remote peer gateway.
595810    Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.
596429    Traffic unable to pass through for certain phase 2 selectors when there is double SA.
597435    Problem establishing ADVPN shortcuts between spokes when the spoke has an additional VPN running.
597748    L2TP/IPsec VPN disconnects frequently.
599471    IKEv2 responder can delete static selectors when local narrowing occurs.
602240    IKEv2 EAP-TLS handshake detected retransmit of client, but FortiGate does not retransmit its response.
603090    The OCVPN log file was not closed or properly trimmed due to the incorrect state_refcnt. The OCVPN log file stayed open, grew extremely large, and was never trimmed.
604334    L2TP disconnection when transferring large files.
604923    IKE memory leak when IKEv2 certificate subject alternative name/peer ID matching occurs.
607212    IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured.
609033    After two HA failovers, one VPN interface member of SD-WAN cannot forward packets.
611148    L2TP/IPsec does not send framed IP address in RADIUS accounting updates.
612319    MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and makes fragmentation high.
615360    OCVPN secondary hub cannot register.
622506    L2TP over IPsec tunnel established, but traffic cannot pass because the wrong interface is selected in route lookup.

Log & Report

Bug ID    Description
593557    Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.
595151    Log filter for user name in UPN format is not consistent when the log location is set to FortiAnalyzer and local disk.
602459    GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.
605174    Incorrect sentdelta/rcvddelta in statistic traffic logs.

Proxy

Bug ID    Description
561552    WAD crashed with signal 6 (MAPI/RPC).
594829    FTP connection is not working with AV profile in proxy inspection mode when FTP user name contains an @.
610466    Multiple WAD crashes on FG-500D after upgrading from 6.2.3 (wad_url_filter_user_cat_load_entry.constprop.7).

REST API

Bug ID    Description
599516    When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

Routing

Bug ID    Description
580207    Policy route does not apply to local-out traffic.
593951    Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.
597733    IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit.
598665    BGP route is in routing table but not in FIB (kernel routing table).
599667    OSPF over ADVPN flapping after shortcut tunnel established.
599884    Traffic not following SD-WAN rules when one of the interfaces is VLAN.
600332    SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.
600830    SD-WAN health check reports packet loss if the response time is longer than the check interval.
600995    Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.
602223    SD-WAN route is not added in routing table when the SD-WAN interface members are IPv4 over IPv6 IPsec.
602679    Prevent BGP daemon crashing when peer breaks TCP connection.
603063    Locally originated traffic on non-default VRF may follow route on VRF 0 when there are routes with the same prefix on both VRFs.
604390    FortiOS 6.2.3 by default drops reply packets received from a different interface (unlike 6.2.2).

Security Fabric

Bug ID    Description
586024    Automation stitch cannot execute shutdown command when FortiGate enters kernel conserve mode.
588262    IP address Threat Feed fabric connector not working.
599474    FortiGate SDN connector not seeing all available tag name-value pairs.
604670    Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system's timezone configuration.

SSL VPN

Bug ID    Description
556657    Internal website not working through SSL VPN web mode.
561585    SSL VPN does not correctly show Windows Admin Center application.
563022    SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.
582115    Third-party (Ultimo) web app does not load over SSL VPN web portal.
582265    RDP sessions are terminated (disconnect) unexpectedly.
587300    In web mode, third-party webpage stuck on loading animation; JavaScript error in console.
587732    The SSL VPN web mode SSH widget is not connecting to the SSH server.
588066    SSO for HTTPS fails when using "\" (backslash) with the domain\username format.
588587    Different portals of SIPLAN COMPESA do not show properly in web mode.
593367    SSL VPN bookmark does not load after clicking from the portal.
593621    Website not fully loading through web portal bookmark; loads correctly with iPad user agent.
595627    Cannot access some specific sites through SSL VPN web mode.
596296    SSL VPN fails 90% when connecting with FortiClient.
596352    SAML user name is not correctly recorded in logs when logging in to SSL VPN portal via SSO entry, and history cannot be shown.
596412    Not possible to download PDF file after connecting to portal through SSL VPN bookmark.
596441    FortiOS does not correctly re-write the Exchange OWA logoff URL when accessed via SSL VPN bookmark.
596757    SSL VPN connection stuck at 95% or 98%.
596846    Unable to deauthenticate FSSO user in GUI, but it works in CLI.
597336    Webpage does not load properly through SSL VPN web mode (fails to show CAPTCHA).
597566    Add SSL VPN SSO user logged in from SAML response.
597634    In SSL VPN web mode, internal web services not working, while tunnel mode works fine.
597658    Internal custom web application page running on Apache Tomcat is not displaying in SSL VPN web mode.
598659    SSL VPN daemon crash.
598660    Internal website is not accessible from SSL VPN as the URL is being modified.
598850    SAML authentication group match does not work for SSL VPN; mismatched SAML user can also log in.
599394    SSL VPN web portal bookmarks are not fully loading for Vivendi SelfService application.
599658    GUI is not rendered well by SSL VPN portal when using domain and user to log in.
599668    In SSL VPN web mode, page keeps loading after user authenticates into internal application.
599671    In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.
599777    Problem with rat***.com portal accessed via SSL VPN web mode.
599960    RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed.
600029    Sending RADIUS accounting interim update messages with SSL VPN client framed IP is delayed.
600103    Sslvpnd crashes when trying to query a DNS host name without a period (.).
601084    Site in .NET framework 4.6 or 4.7 not loading in SSL VPN web mode.
601867    SSL VPN web mode cannot open DFS share subdirectories, gives invalid HTTP request message.
602392    Cannot access remote site using SSL VPN web mode after upgrading to FOS 6.2.2.
602645    SSL VPN Synology NAS web bookmark login page does not work after upgrading to 6.2.3.
603518    Internal website not working in SSL VPN web mode; cannot load ESS/MSS page.
603779    Chinese characters are garbled when downloading from SMB/CIFS in SSL VPN web mode.
603817    Internal website is not shown properly in SSL VPN web mode.
603957    SSL VPN LDAP authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7.
604882    Internal SAP website not working in SSL VPN web mode.
605110    Mobile token is not required when LDAP user and LDAP group are set in SSL VPN policy together.
605699    Internal HRIS website dropdown list box not loading in SSL VPN web mode.
607413    SMB/CIFS bookmark name gets scrambled if it contains special characters like space, backslash, colon, etc.
608453    Internal website is not accessible from SSL VPN due to some Sage X3 JS files with errors.
610564    RDP over web mode SSL VPN to a Windows Server changes the time zone to GMT.
613111    Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.
613641    SSL VPN web mode custom FortiClient download URL with %s causing sslvpnd to crash.
616879    Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.
621270    SSL VPN user groups are corrupted in auth list when the user is a member of more than 100 groups.
624197    SSL VPN web mode does not completely load the redirected corporate SSO page when accessing an internal resource.
625338    sslvpnd crashing with signal 7 on get_free_idx.
625554    SSL VPN connection was used when the DTLS UDP packet process failed and connection was destroyed.

Switch Controller

Bug ID    Description
517663    On a managed FortiSwitch already running the latest GA image, Upgrade Available is shown.
601547    Unable to push user group configuration from FortiGate to FortiSwitch, and user.group configuration is deleted.
607707    Unable to push configuration changes from FortiGate to FortiSwitch.
608231    LLDP policy did not download completely to the managed FortiSwitch 108Es.
613323    FortiSwitch trunk configuration sync issue after FortiGate failover.

System

Bug ID    Description
436904    fgt140d_i2c_write_byte_data:874 i2c_write_byte_data(0, 0x73, 0x00, 0x04) error! message when detecting transceiver. Affected platforms: FG-140D and FG-140D-POE.
515201    FortiGate cannot display the script name from FortiManager.
527459    SSDN address filter unable to handle space character.
576337    SNMP polling stopped when FortiManager API script executed onto FortiGate.
582498    Traffic cannot be offloaded to both NTurbo and NP6 when DoS policy is applied on ingress/egress interface in a policy with IPS.
585053    NP6 VLAN LACP-based interface RX/TX counters not increasing.
586990    Customer with FG-50E getting high CPU with 6.2.1.
589079    QSFP interface goes down when the get system interface transceiver command is interrupted.
589723    Wrong source IP is bound for config system fortiguard.
590021    Enabling auto-asic-offload results in keeping action=deny in traffic log with an accept entry.
590423    FortiManager needs patch and minor number to update global database when FortiGate firmware upgrade does not trigger an auto-retrieve configuration.
592148    Issue with TCP packets when traversing the virtual wire pair in transparent mode.
592570    VLAN switch does not work on FG-100E.
592827    FortiGate is not sending DHCP request after receiving offer.
593426    Remove DST for Brazil.
594018    Update daemon is locked to one resolved update server.
594577    Out of order packets for an offloaded multicast stream.
594865    diagnose internet-service match does not return the IP value of the IP reputation database object.
595338    Unable to execute ping6 when configuring execute ping6-options tos, except for default.
595467    Invalid multicast policy created after transparent VDOM restored.
598527    ISDB may cause crashes after downgrading FortiGate firmware.
602523    DDNS monitor-interface uses the monitored interface if DDNS services other than FortiGuard DDNS are used.
602548    Some of the clients are not getting their IP through DHCP intermittently.
603194    NP multicast session remains after the kernel session is deleted.
603551    DHCPv6 relay does not work on FG-2200E.
604462    xcvrd crashed with signal 11.
604550    Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.
604699    Header line that is not freed might cause system to enter conserve mode in a transparent mode deployment.
606597    When changing time zone on FG-101E, get Failed to set SMC timezone message.
607015    More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens quite often on some global NTP servers.
607452    Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash.
610900    Low throughput on FG-2201E for traffic with ECN flag enabled.
610903    SMC NTP functions are enabled on some of the models that do not support the feature.
610976    Kernel panic when creating VLAN on GENEVE interface.
612113    xcvrd attaches shared memory multiple times causing huge memory consumption.
617453    fgfmsd crash due to REST agent.
621771    FortiGate cannot be accessed by ping/telnet/ssh/capwap in transparent VDOM.
623113    FortiGate not entering A records in shadow DNS database for cross-subdomain CNAME requests.
626785    FG-101F should support the same WTP size (128) as FG-100F.
627409    Cannot create hardware switch on FG-100F.

User & Device

Bug ID    Description
573317    SSO admin with a user name over 35 characters cannot log in after the first login.
592047    GUI RADIUS test fails with vdom-dns configuration.
593361    No source IP option available for OCSP certificate checking.
594863    UPN extraction does not work for particular PKI.
596844    Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification.
602407    Deny log messages do not contain the username and group information.
605206    FortiClient server certificate in FSSO CA uses a weak 1024-bit public key, and the certificate expires in May 2020.
605404    FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects.
605437    FortiOS does not understand CMPv2 grantedWithMods response.
605950    RDP sessions are terminated (disconnect) unexpectedly.
609655    Captive portal exemption after upgrading the device from 6.2.2 to 6.2.3.
615513, 697304    The scep-url option is truncated to 64 characters, despite the maximum length being 255 characters.

VM

Bug ID    Description
575346    gui-wanopt cache missing under system settings after upgrading a FortiGate VM with two disks.
594248    Enabling or disabling SR-IOV under vNIC creates duplicate MAC addresses and extra interfaces on the FortiGate.
597003    Unable to bypass self-signed certificates on Chrome in macOS Catalina.
598419    Static routes are not in sync on FortiGate Azure.
599430    FG-VM-AZURE fails to boot up due to rtnl_lock deadlock.
600975    Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time.
601357    FortiGate VM Azure in HA has unsuccessful failover.
601528    License validation failure log message missing when using FortiManager to validate a VM.
603365    HA secondary member instance shuts down due to RAM difference after stopping/starting the cluster instances.
603599    VIP in autoscale on GCP not syncing to other nodes.
603426    AWS-PAYG in HA setup can lose its VM license after rebooting with certain setup.
605103    E1000 network adapter will be deleted if there is a VMXNET3 network adapter.
605435    API call to associate elastic IP is triggered only when the unit becomes the primary device.
606439    License validation failure log message missing when using FortiManager to validate VM.
609283    IP pools are synchronized in FortiGate Azure HA.
612611    Very hard to download image for FG-AWSONDEMAND from FDS.
614544    AWS VM sometimes could not get fdsm image list from FDS.
622031    AZD keeps crashing if Azure VM contains more than 15 tags.

VoIP

Bug ID    Description
599117    voipd process crash.
601275    MGCP session helper does not NAT the MGCP body.

Web Filter

Bug ID    Description
551956    Proxy web filtering blocks innocent sites due to urlsource="FortiSandBox Block".
593203    Cannot enter a name for a web rating override and save; error message appears when entering the name.
606965    Unable to allow specific YouTube channel when all other YouTube channels or videos are blocked.

WiFi Controller

Bug ID    Description
563630    Kernel panic observed on FWF-60E.
594170    FortiAPs not shown in the GUI.
595653    FortiGate in transparent mode cannot manage FortiAP devices successfully.
599690    Unable to perform CoA with device MAC address for 802.1X wireless connection when use-management-vdom is enabled.
601012    When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code.
608717    Packet loss over CAPWAP tunneled SSID.
615219    FortiGate cannot create WTP entry for FortiAP in transparent mode.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID    CVE references
558685    FortiOS 6.2.4 is no longer vulnerable to the following CVE reference: CVE-2020-12812

Resolved issues

The following issues have been fixed in version 6.2.4. For inquires about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

557998

Quarantined CDR files cannot be downloaded. Encountered 404 error when clicking Archived File.

563250

Shared memory does not empty out properly under /tmp.

594696

Sample file eicar.exe cannot pass through SMTPS, POP3S, or IMAPS with deep inspection and flow enabled on IPv6 policy.

Data Leak Prevention

Bug ID

Description

563447

Cannot download DLP archived file from GUI for HTTPS, FTPS, SMTP and SMTPS.

571171

Excessive false positives for credit card DLP profiles.

574722

DLP blocks Gmail with deep inspection.

591178

WAD fails to determine the correct file name when downloading a file from Nextcloud.

Explicit Proxy

Bug ID

Description

589166

EPSV does not work when using an FTP proxy.

594580

FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.

594598

Enabling proxy policies (+400) increases memory by 30% and up to 80% total.

603707

The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.

605209

LDAP ignores source-ip with web proxy Kerberos authentication.

Firewall

Bug ID

Description

593103

When a policy denies traffic for a VIP and send-deny-packet is enabled, ICMP unreachable message references the mapped address, not the external.

595044

Get new CLI signal 11 crash log when performing execute internet-service refresh.

595790

Hit Count column does not work for security policy with multiple VDOMs.

596218

ISDB ID is missing when configuring internet service group objects.

598559

ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.

599253

GUI traffic shaper Bandwidth Utilization should use KBps units.

600051

Cannot establish the connection to the real servers using VIP server load-balancing after upgrading to FortiOS 6.2.2.

600644

IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.

601331

Virtual load-balance VIP and intermittent HTTP health check failures.

604886

Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.

606834

Adding more than one dynamic FSSO firewall address results in GUI and CLI error.

611840

Firewall policy search with decimal in the name fails in GUI.

FortiView

Bug ID

Description

592309

FortiView physical topology page cannot load; get Failed to get FortiView data error message.

GUI

Bug ID

Description

557786

GUI response is very slow when accessing IPsec Monitor (api/v2/monitor/vpn/ipsec is taking a long

time).

565309

Application groups improvements.

579711

Cannot run Security Rating due to disk issue (diagnose security-rating clean fails).

584314

NGFW mode should have a link to show all applications in the list.

585055

High CPU utilization by httpsd daemon if there are too many API connections.

585924

Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.

589709

Status icon in Tunnel column on IPsec Tunnels page should be removed.

593624

GUI behavior is different with local user using super admin profile and TACACS user using super admin profile.

593899

Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.

598247

One-minute memory; CPU and Sessions widgets stopped updating after system entered and exited conserve mode.

598725

Login page shows random characters when system language is not English.

599245

Nessus vulnerability scan tool reported more medium level vulnerabilities for 6.2.3 compared with the 6.2.2 result.

599284

pyfcgid crashed with signal 11 (Segmentation fault) received.

599401

FortiGuard quota category details displays No matching entries found for local category.

599612

GUI should allow user to create redundant IPsec tunnel over different interface to the same remote gateway.

600120

Reduce the number of core used by httpsd for low-end platforms.

601653

When deleting an AV profile in the GUI, there is no confirmation message prompt.

602637

Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.

602692

Security Rating result for SSL VPN certificate fails when using a 384-bit elliptic curve certificate.

603583

Data source is missing in child table entries in a complex type property.

603913

GUI should add interface value check when creating a new zone.

605493

Admin cannot log in to FortiGate GUI.

605677

System goes into conserve mode when editing ISDB entries through GUI.

606074

Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3.

606394

DPD setting in GUI cannot be reflected correctly when Dialup User and On Demand are set by the IPsec wizard.

606428

GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface but sourced from a different IP.

607296

Firewall address page keeps loading addresses with read-write permission.

607972

FortiGate enters conserve mode when accessing Amazon AWS ISDB object.

609064

Revoke Token in GUI reports URL not found on server.

610181

FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare.

610573

When saving configuration under global interface, explicit proxy settings are removed.

611436

FortiGate displays a hacked web page after selecting an IPS log.

615085

Slow GUI response with httpsd intermittently consuming high CPU when GUI is accessed.

615462

GUI takes 10-15 seconds to load Device Inventory, IPv4 Policy, and Interfaces pages.

617364

GUI does not list AliCloud SDN address filter.

HA

Bug ID

Description

530215, 601550

Application hasync might crash several times due to accessing some out of bound memory when processing hastats data.

588908

FG-3400E hasync reports the network is unreachable.

596575

HA active-active primary unit attempts to steer HTTP and SMTP sessions to secondary unit over NPU-VLINK interfaces.

596837

Deleting tunnel on primary unit via API call will not delete it from the secondary unit.

598937

Local user creation causes HA to be out of sync for several minutes.

602266

The configuration of the SD-WAN interface gateway IP should not sync.

602406

In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the secondary unit.

613714

HA failover takes over one minute when monitored aggregate interface goes down on primary device.

621621

Ether-type HA cannot be changed.

Intrusion Prevention

Bug ID

Description

605610

Security Policy page is slow to load due to empty security firewall statistic returning from IPS engine.

608501

IPS forwards attacks that are previously identified as dropped.

IPsec VPN

Bug ID

Description

516029

Remove the IPsec global lock.

557812

IPsec does not support the new interface-subnet type in its phase2-interface and ipv4-split-include settings for dialup VPN.

589096

In IPsec after HA failover, performance regression and IKESAs are lost.

590633

Packet loss observed after ADVPN shortcut is created.

594962

IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate in a remote peer gateway.

595810

Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.

596429

Traffic unable to pass through for certain phase 2 selectors when there is double SA.

597435

Problem establishing ADVPN shortcuts between spokes when the spoke has an additional VPN running.

597748

L2TP/IPsec VPN disconnects frequently.

599471

IKEv2 responder can delete static selectors when local narrowing occurs.

602240

IKEv2 EAP-TLS handshake detected retransmit of client, but FortiGate does not retransmit its response.

603090

The OCVPN log file was not closed or properly trimmed due to an incorrect state_refcnt, so it stayed open and grew extremely large.

604334

L2TP disconnection when transferring large files.

604923

IKE memory leak when IKEv2 certificate subject alternative name/peer ID matching occurs.

607212

IKEv2 DPD is not triggered if the network overlay's network ID was mismatched when first configured.

609033

After two HA failovers, one VPN interface member of SD-WAN cannot forward packets.

611148

L2TP/IPsec does not send framed IP address in RADIUS accounting updates.

612319

MTU calculation of shared dynamic phase 1 interface is too low compared to its phase 2 MTU and makes fragmentation high.

615360

OCVPN secondary hub cannot register.

622506

L2TP over IPsec tunnel is established, but traffic cannot pass because the wrong interface is used in the route lookup.

Log & Report

Bug ID

Description

593557

Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.

595151

Log filter for user name in UPN format is not consistent when the log location is set to FortiAnalyzer and local disk.

602459

GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.

605174

Incorrect sentdelta/rcvddelta in statistic traffic logs.

Proxy

Bug ID

Description

561552

WAD crashed with signal 6 (MAPI/RPC).

594829

FTP connection is not working with AV profile in proxy inspection mode when FTP user name contains an @.

610466

Multiple WAD crashes on FG-500D after upgrading from 6.2.3 (wad_url_filter_user_cat_load_entry.constprop.7).

REST API

Bug ID

Description

599516

When managing FortiGate via FortiGate Cloud, sometimes the user only gets read-only access.

Routing

Bug ID

Description

580207

Policy route does not apply to local-out traffic.

593951

Improve the algorithm for distributing ECMP traffic in source IP-based and destination IP-based modes.

597733

IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit.

598665

BGP route is in routing table but not in FIB (kernel routing table).

599667

OSPF over ADVPN flapping after shortcut tunnel established.

599884

Traffic not following SD-WAN rules when one of the interfaces is VLAN.

600332

SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.

600830

SD-WAN health check reports packet loss if the response time is longer than the check interval.

600995

Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.

602223

SD-WAN route is not added in routing table when the SD-WAN interface members are IPv4 over IPv6 IPsec.

602679

Prevent BGP daemon crashing when peer breaks TCP connection.

603063

Locally originated traffic on non-default VRF may follow route on VRF 0 when there are routes with the same prefix on both VRFs.

604390

FortiOS 6.2.3 by default drops reply packets received from a different interface (unlike 6.2.2).

Security Fabric

Bug ID

Description

586024

Automation stitch cannot execute shutdown command when FortiGate enters kernel conserve mode.

588262

IP address Threat Feed fabric connector not working.

599474

FortiGate SDN connector not seeing all available tag name-value pairs.

604670

Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system's timezone configuration.

SSL VPN

Bug ID

Description

556657

Internal website not working through SSL VPN web mode.

561585

SSL VPN does not correctly show Windows Admin center application.

563022

SSL VPN LDAP group object matching only matches the first policy; this is not consistent with normal firewall policy behavior.

582115

Third-party (Ultimo) web app does not load over SSL VPN web portal.

582265

RDP sessions are terminated (disconnect) unexpectedly.

587300

In web mode, third-party webpage stuck on loading animation; JavaScript error in console.

587732

The SSL VPN web mode SSH widget is not connecting to the SSH server.

588066

SSO for HTTPS fails when using "\" (backslash) with the domain\username format.

588587

Different portals of SIPLAN COMPESA do not show properly in web mode.

593367

SSL VPN bookmark does not load after clicking from the portal.

593621

Website not fully loading through web portal bookmark; loads correctly with iPad user agent.

595627

Cannot access some specific sites through SSL VPN web mode.

596296

SSL VPN fails 90% when connecting with FortiClient.

596352

SAML user name is not correctly recorded in logs when logging in to SSL VPN portal via SSO entry, and history cannot be shown.

596412

Not possible to download PDF file after connecting to portal through SSL VPN bookmark.

596441

FortiOS does not correctly re-write the Exchange OWA logoff URL when accessed via SSL VPN bookmark.

596757

SSL VPN connection stuck at 95% or 98%.

596846

Unable to deauthenticate FSSO user in GUI, but it works in CLI.

597336

Webpage does not load properly through SSL VPN web mode (fails to show CAPTCHA).

597566

Add SSL VPN SSO user logged in from SAML response.

597634

Internal web services do not work in SSL VPN web mode, while tunnel mode works fine.

597658

Internal custom web application page running on Apache Tomcat is not displaying in SSL VPN web mode.

598659

SSL VPN daemon crash.

598660

Internal website is not accessible from SSL VPN as the URL is being modified.

598850

SAML authentication group match does not work for SSL VPN; mismatched SAML user can also log in.

599394

SSL VPN web portal bookmarks are not fully loading for Vivendi SelfService application.

599658

GUI is not rendered well by SSL VPN portal when using domain and user to log in.

599668

In SSL VPN web mode, page keeps loading after user authenticates into internal application.

599671

In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.

599777

Problem with rat***.com portal accessed via SSL VPN web mode.

599960

RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed.

600029

RADIUS accounting interim update messages with the SSL VPN client framed IP are sent with a delay.

600103

Sslvpnd crashes when trying to query a DNS host name without a period (.).

601084

Site in .NET framework 4.6 or 4.7 not loading in SSL VPN web mode.

601867

SSL VPN web mode cannot open DFS share subdirectories and gives an invalid HTTP request message.

602392

Cannot access remote site using SSL VPN web mode after upgrading to FOS 6.2.2.

602645

SSL VPN Synology NAS web bookmark login page does not work after upgrading to 6.2.3.

603518

Internal website not working in SSL VPN web mode; cannot load ESS/MSS page.

603779

Chinese characters are garbled when downloading from SMB/CIFS in SSL VPN web mode.

603817

Internal website is not shown properly in SSL VPN web mode.

603957

SSL VPN LDAP authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7.

604882

Internal SAP website not working in SSL VPN web mode.

605110

Mobile token is not required when LDAP user and LDAP group are set in SSL VPN policy together.

605699

Internal HRIS website dropdown list box not loading in SSL VPN web mode.

607413

SMB/CIFS bookmark name gets scrambled if it contains special characters like space, backslash, colon, etc.

608453

Internal website is not accessible from SSL VPN due to some Sage X3 JS files with errors.

610564

RDP over web mode SSL VPN to a Windows Server changes the time zone to GMT.

613111

Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.

613641

SSL VPN web mode custom FortiClient download URL with %s causing sslvpnd to crash.

616879

Traffic cannot pass through FortiGate for SSL VPN web mode if the user is a PKI peer.

621270

SSL VPN user groups are corrupted in auth list when the user is a member of more than 100 groups.

624197

SSL VPN web mode does not completely load the redirected corporate SSO page when accessing an internal resource.

625338

sslvpnd crashing with signal 7 on get_free_idx.

625554

SSL VPN connection was used when the DTLS UDP packet process failed and connection was destroyed.

Switch Controller

Bug ID

Description

517663

On a managed FortiSwitch already running the latest GA image, Upgrade Available is shown.

601547

Unable to push user group configuration from FortiGate to FortiSwitch, and user.group configuration is deleted.

607707

Unable to push configuration changes from FortiGate to FortiSwitch.

608231

LLDP policy did not download completely to the managed FortiSwitch 108Es.

613323

FortiSwitch trunk configuration sync issue after FortiGate failover.

System

Bug ID

Description

436904

Get fgt140d_i2c_write_byte_data:874 i2c_write_byte_data(0, 0x73, 0x00, 0x04) error! message when detecting a transceiver. Affected platforms: FG-140D and FG-140D-POE.

515201

FortiGate cannot display the script name from FortiManager.

527459

SDN address filter unable to handle space character.

576337

SNMP polling stopped when FortiManager API script executed onto FortiGate.

582498

Traffic cannot be offloaded to both NTurbo and NP6 when a DoS policy is applied on the ingress/egress interface in a policy with IPS.

585053

NP6 VLAN LACP-based interface RX/TX counters not increasing.

586990

Customer with FG-50E getting high CPU with 6.2.1.

589079

QSFP interface goes down when the get system interface transceiver command is interrupted.

589723

Wrong source IP is bound for config system fortiguard.

590021

Enabling auto-asic-offload results in keeping action=deny in traffic log with an accept entry.

590423

FortiManager needs patch and minor number to update global database when FortiGate firmware upgrade does not trigger an auto-retrieve configuration.

592148

Issue with TCP packets when traversing the virtual wire pair in transparent mode.

592570

VLAN switch does not work on FG-100E.

592827

FortiGate is not sending DHCP request after receiving offer.

593426

Remove DST for Brazil.

594018

Update daemon is locked to one resolved update server.

594577

Out of order packets for an offloaded multicast stream.

594865

diagnose internet-service match does not return the IP value of the IP reputation database object.

595338

Unable to execute ping6 when configuring execute ping6-options tos, except for default.

595467

Invalid multicast policy created after transparent VDOM restored.

598527

ISDB may cause crashes after downgrading FortiGate firmware.

602523

DDNS monitor-interface uses the monitored interface if DDNS services other than FortiGuard DDNS are used.

602548

Some of the clients are not getting their IP through DHCP intermittently.

603194

NP multicast session remains after the kernel session is deleted.

603551

DHCPv6 relay does not work on FG-2200E.

604462

xcvrd crashed with signal 11.

604550

Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.

604699

Header line that is not freed might cause system to enter conserve mode in a transparent mode deployment.

606597

When changing time zone on FG-101E, get Failed to set SMC timezone message.

607015

More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens quite often on some global NTP servers.

607452

Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash.

610900

Low throughput on FG-2201E for traffic with ECN flag enabled.

610903

SMC NTP functions are enabled on some of the models that do not support the feature.

610976

Get kernel panic when creating VLAN on GENEVE interface.

612113

xcvrd attaches shared memory multiple times causing huge memory consumption.

617453

fgfmsd crash due to REST agent.

621771

FortiGate cannot be accessed by ping/telnet/ssh/capwap in transparent VDOM.

623113

FortiGate not entering A records in shadow DNS database for cross-subdomain CNAME requests.

626785

FG-101F should support the same WTP size (128) as FG-100F.

627409

Cannot create hardware switch on FG-100F.

User & Device

Bug ID

Description

573317

SSO admin with a user name over 35 characters cannot log in after the first login.

592047

GUI RADIUS test fails with vdom-dns configuration.

593361

No source IP option available for OCSP certificate checking.

594863

UPN extraction does not work for particular PKI.

596844

Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification.

602407

Deny log messages do not contain the username and group information.

605206

FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate expiring in May 2020.

605404

FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects.

605437

FortiOS does not understand CMPv2 grantedWithMods response.

605950

RDP sessions are terminated (disconnect) unexpectedly.

609655

Captive portal exemption after upgrading the device from 6.2.2 to 6.2.3.

615513, 697304

The scep-url option is truncated to 64 characters, despite the maximum length being 255 characters.

VM

Bug ID

Description

575346

gui-wanopt cache missing under system settings after upgrading a FortiGate VM with two disks.

594248

Enabling or disabling SR-IOV under vNIC creates duplicate MAC addresses and extra interfaces on the FortiGate.

597003

Unable to bypass self-signed certificates on Chrome in macOS Catalina.

598419

Static routes are not in sync on FortiGate Azure.

599430

FG-VM-AZURE fails to boot up due to rtnl_lock deadlock.

600975

Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time.

601357

FortiGate VM Azure in HA has unsuccessful failover.

601528

License validation failure log message missing when using FortiManager to validate a VM.

603365

HA secondary member instance shuts down due to RAM difference after stopping/starting the cluster instances.

603599

VIP in autoscale on GCP not syncing to other nodes.

603426

AWS-PAYG in HA setup can lose its VM license after rebooting with certain setups.

605103

E1000 network adapter will be deleted if there is a VMXNET3 network adapter.

605435

API call to associate elastic IP is triggered only when the unit becomes the primary device.

606439

License validation failure log message missing when using FortiManager to validate VM.

609283

IP pools are synchronized in FortiGate Azure HA.

612611

Very hard to download image for FG-AWSONDEMAND from FDS.

614544

AWS VM sometimes could not get fdsm image list from FDS.

622031

AZD keeps crashing if Azure VM contains more than 15 tags.

VoIP

Bug ID

Description

599117

voipd process crash.

601275

MGCP session helper does not NAT the MGCP body.

Web Filter

Bug ID

Description

551956

Proxy web filtering blocks innocent sites due to urlsource="FortiSandBox Block".

593203

Cannot enter a name for a web rating override and save—error message appears when entering the name.

606965

Unable to allow specific YouTube channel when all other YouTube channels or videos are blocked.

WiFi Controller

Bug ID

Description

563630

Kernel panic observed on FWF-60E.

594170

FortiAPs not shown in the GUI.

595653

FortiGate in transparent mode cannot manage FortiAP devices successfully.

599690

Unable to perform COA with device MAC address for 802.1x wireless connection when use-management-vdom is enabled.

601012

When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code.

608717

Packet loss over CAPWAP tunneled SSID.

615219

FortiGate cannot create WTP entry for FortiAP in transparent mode.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

558685

FortiOS 6.2.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-12812