Known issues
The following issues have been identified in version 6.2.5. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description |
---|---|
560044 | Secondary device blades occasionally report critical log event |
Data Leak Prevention
Bug ID | Description |
---|---|
616918 | DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS. |
DNS Filter
Bug ID | Description |
---|---|
582374 | License shows expiry date of 0000-00-00. |
649985 | Random SDNS rating timeout events on 6K/7K SLBC with FGSP. |
Endpoint Control
Bug ID | Description |
---|---|
637454 | Cloud-based EMS FSSO connector in FortiGate failed to connect with FortiClient EMS proxy in public cloud. |
Explicit Proxy
Bug ID | Description |
---|---|
540091 | Cannot access explicit FTP proxy via VIP. |
599637 | Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is enabled in proxy policy. |
617934 | FortiGate web proxy should support forward server on TLS 1.3 certificate inspection connection. |
634515 | HTTP 1.1 host header is lost in FortiGuard web proxy requests. |
644121 | Explicit proxy error 504, DNS fails for a specific domain. |
Firewall
Bug ID | Description |
---|---|
586764 | Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making change to large policy list (10 000+ policies). |
586995 | Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary. |
595949 | Any changes to the security policy table causes the hit count to reset. |
633856 | Sessions are marked as dirty when a route change happens, but the route still exists. |
644638 | Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor. |
644865 | Query string parameters omitted (HTTP redirect, SSL offloading). |
647410 | |
648951 | External threat feed entry |
653828 | When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds. |
660461 | Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU in a large, complex configuration. |
FortiView
Bug ID | Description |
---|---|
635309 | When FortiAnalyzer logging is configured using an FQDN domain, the GUI displays a 500 error message on the FortiView Compromised Hosts page. |
643198 | Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data. |
660753 | In FortiView Sources dashboard, after filtering by subnet, drilling down will always show the first entry. |
673225 | FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. The data is displayed if the source interface's role is LAN, DMZ, or undefined. |
GUI
Bug ID | Description |
---|---|
354464 | Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made. |
514632 | Inconsistent reference count when using ports in HA |
529094 | When creating an antispam block/allow list entry, Mark as Reject should be grayed out. |
541042 | Log viewer forwarded traffic does not support multiple filters for one field. |
584915 | OK button missing from many pages when viewed in Chrome on an Android device. |
584939 | VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-". |
598222 | After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware. |
602102 | Warning message is not displayed when a user configures an interface with a static IP address that is already in use. |
602397 | Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. |
612236 | RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI. |
621254 | When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error. |
638752 | FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface. |
650307 | GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list. |
651711 | Unable to select an address group when configuring Source IP Pools for an SSL VPN portal. |
653726 | Filtering log results with a regular expression incorrectly yields no results. |
656429 | Intermittent GUI process crash if a managed FortiSwitch returns a reset status. |
660165 | When creating SD-WAN rules in the GUI, the destination interface preference is not saved when the strategy is manual. |
662640 | Some GUI pages (dashboard, topology, policy list, interface list) are slow to load on low-end platforms when there are many concurrent HTTPSD requests. |
663351 | Connectivity test for RADIUS server using CHAP authentication always returns failure. |
664007 | GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration. |
666545 | When in HA mode, the FortiGate GUI may take a long time or may fail to show traffic logs from FortiAnalyzer. Log retrieval from disk does not have this issue. |
672599 | After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly. |
689605 | On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0. |
695163 | When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range. Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs. |
HA
Bug ID | Description |
---|---|
615001 | LAG does not come up after link failed signal is triggered. |
626715 | Out-of-sync issue caused by firewall address group member is either duplicated or out of order. |
630070 | HA is failing over due to cmdbsvr crashes. |
634604 | SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C. |
639307 | Both primary and secondary consoles keep printing |
640428 | SSL VPN related auth login user event logs do not require HA to be in sync. |
643958 | Inconsistent data from FFDB caused several confsyncd crashes. |
647679 | Inconsistent values for HA cluster inside the SNMP. |
648073 | HA cluster uses physical port MAC address at the time of HA failover. |
651674 | Long sessions lost on new primary after HA failover. |
678309 | Cluster is out of sync because of |
Intrusion Prevention
Bug ID | Description |
---|---|
565747 | IPS engine 5.00027 has signal 11 crash. |
586544 | IPS intelligent mode not working when reflect sessions are created on different physical interfaces. |
587668 | IPS engine 5.00035 has signal 11 crash. |
590087 | When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit. |
655371 | Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode. |
657541 | On FG-80D, the IPS engine daemon count drops to 0 when the CPU number is 4. |
689590 | IP quarantine is not working on FG-80D. |
IPsec VPN
Bug ID | Description |
---|---|
592361 | Cannot pass traffic over ADVPN if: |
611451 | ADVPN spoke one behind NAT shortcut cannot connect to another spoke that is not behind NAT. |
639806 | User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject. |
646012 | DHCP over IPsec randomly works when |
655895 | Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6). |
659535 | Setting same |
Log & Report
Bug ID | Description |
---|---|
606533 | User observes |
634947 | rlogd signal 11 crashes. |
641450 | The miglogd process is bound to busy CPUs, even though there are other completely idle CPUs available. |
650325 | The miglogd process crashes with signal 11. |
Proxy
Bug ID | Description |
---|---|
550350 | Should not be able to set |
578850 | Application WAD crash several times due to signal alarm. |
582475 | WAD is crashing with signal 6 in |
617322 | DLP FTP proxy with splice option sends delete command to server before data transfer completes. |
629504 | SSH status in SSL profile changes to |
638039 | Delete validation is not working for Protecting SSL Server profile. |
648831 | WAD memory leak caused by Kerberos proxy authentication. |
658654 | Cannot access specific website using proxy-based UTM with certification inspection due to delays from the server in replying to ClientHello message when a second connection from the same IP is also waiting for ClientHello. |
REST API
Bug ID | Description |
---|---|
584631 | REST API administrator with token unable to configure HA setting (via login session works). |
Routing
Bug ID | Description |
---|---|
537354 | BFD/BGP dropping when |
624621 | Log traffic to remote servers does not follow SD-WAN rules. |
627901 | |
632285 | Health check SLA status log shows configured bandwidth value instead of used bandwidth value. |
641050 | Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route. |
646418 | SD-WAN information available in session list is confusing. |
654482 | SD-WAN route tag is removed with multiple BGP paths in place. |
662845 | HA secondary also sends SD-WAN |
666829 | Application bfdd crashes. |
Security Fabric
Bug ID | Description |
---|---|
614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
629723 | SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions. |
649556 | FortiNAC requests to FortiGate can time out on low-end models when there are many concurrent requests. |
SSL VPN
Bug ID | Description |
---|---|
505986 | On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication. |
548599 | SSL VPN crashes on parsing some special URLs. |
620793 | A page inside a bookmark not opening in SSL VPN web mode. |
627456 | Traffic cannot pass when SAML user logs in to SSL VPN portal with group match. |
630432 | Slides on https://re***.nz website are displayed in SSL VPN web mode. |
631082 | FortiManager tabs/page do not load when accessed via SSL VPN web mode. |
635814 | FortiGate GUI cannot be rendered and displayed via SSL VPN portal. |
636332 | With SSL VPN proxy JIRA web application, get one wrong URL without proxy path. |
641379 | Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal. |
643749 | SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password. |
644506 | Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password. |
645368 | FortiClient randomly fails to connect to SSL VPN tunnel mode stuck at 98% with two-factor authentication token. |
648433 | Internal website loading issue in SSL VPN web portal for ca***.fr. |
652880 | SSL VPN crashes in a scenario where a large number of groups is sent to fnbam for authentication. |
657689 | The system allows enabling split tunnel when the SSL VPN policy is configured with destination |
665879 | When SSL VPN processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML. |
Switch Controller
Bug ID | Description |
---|---|
588584 | GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM. |
605864 | If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting. |
649913 | HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager. |
652745 | Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber. |
System
Bug ID | Description |
---|---|
464340 | EHP drops for units with no NP service module. |
574716 | The ospfNbrState OID takes too long to update. |
578031 | FortiManager Cloud cannot be removed once the FortiGate has trouble on contract. |
585882 | Error in log, |
594264 | NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will time out at session TTL expiry. |
597893 | FortiExtender interface admin status changes cannot be detected by FortiManager because the FortiGate checksum does not change. |
598464 | Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side. |
598928 | FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN. |
600032 | SNMP does not provide routing table for non-management VDOM. |
602643 | Interface gets removed from SD-WAN after rebooting when the interface is defined in both SD-WAN and zone. |
605723 | FG-600E stops sending out packets on its SPF and copper port on NP6. |
607565 | Interface |
609112 | IPv6 push update fails. |
609783 | SNMP failed to retrieve HA cluster secondary information from secondary serial number in TP mode. |
619023 | Proxy ARP configuration not loaded after interface shut/not shut. |
627269 | Wildcard FQDN not resolved on the secondary unit. |
628642 | Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled. |
630861 | Support FortiManager when |
633827 | Errors during fuzzy tests on FG-1500D. |
634929 | NP6 SSE drops after a couple of hours in a stability test. |
636999 | LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models. |
637983 | FG-100F memory configuration check fails because of wrong threshold. |
642327 | FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port. |
644380 | FG-40F/60F kernel panic if upgrading from 6.4.0 due to configuration file having a name conflict of Workaround: back up the 6.4.0 configuration, perform a clean installation via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration. |
645363 | SNMP monitoring does not provide the SD-WAN member interface name. |
645848 | FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection. |
647151 | Unable to configure aggregate interface type on FG-30E-3G4G. |
647777 | FortiGate not responding to DHCP relay requests from clients behind a DHCP relay. |
654159 | NP6Xlite traffic not sent over the tunnel when NPU is enabled. |
657629 | ARM-based platforms do not have sensor readings included in SNMP MIBs. |
658933 | Under some circumstances, it was possible for Update D to create zombie processes. |
662681 | Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes. |
662989 | FG-40F/41F aggregate interface gets removed after upgrading to 6.2.5 from 6.2.4 firmware version. |
663603 | The maximum number of IPS supported by each NTurbo load balancer should be 7 instead of 8 on FG-3300E and FG-3301E. |
666030 | Empty firewall objects after pushing several policy deletes. |
670838 | It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%. |
677825 | Traffic on VLAN and NPU VDOM link interfaces fails after switching from standalone to HA mode. |
689345 | npd crashes because FOS object is null. |
689619 | Traffic dropped with NP7 IPsec hardware acceleration when packet size higher than PMTU and lower than tunnel MTU. |
689625 | Kernel crashes when using FCLF8522P2BTLFTN SFPs on HA interfaces. Affected models: FG-1800F and FG-1801F. |
689735 | NP7 drops frames shorter than 32 bytes at HTX. HA session synchronization packets are not balanced to multiple HRX queues because the frames have the same source and destination MAC address. |
692943 | If an updated FFDB package is found, crash may happen at |
694202 | |
Upgrade
Bug ID | Description |
---|---|
658664 | FortiExtender status becomes Workaround: change the config extender-controller extender edit <id> set admin enable next end |
User & Device
Bug ID | Description |
---|---|
546794 | De-authentication of RSSO user does not clear the login from the motherboard. |
580155 | fnbamd crash. |
591461 | FortiGate does not send user IP to TACACS server during authentication. |
595583 | Device identification via LLDP on an aggregate interface does not work. |
658982 | ADVPN IKEv2 certificate authentication does not work with OCSP check when certificates do not contain OCSP path. |
659456 | REST API authentication fails for API user with PKI group enabled due to fnbamd crash. |
VM
Bug ID | Description |
---|---|
587180 | FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host. |
587757 | FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type. |
596742 | Azure SDN connector replicates configuration from primary device to secondary device during configuration restore. |
603100 | Autoscale not syncing certificate among the cluster members. |
605511 | FG-VM-GCP reboots a couple of times due to kernel panic. |
606527 | GUI and CLI interface dropdown lists are inconsistent. |
608881 | IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup. |
620654 | Spoke dialup IPsec VPN does not initiate connection to hub after FG-VM HA failover in Azure. |
634245 | Dynamic address objects are not resolved to all addresses using Azure SDN connector. |
640436 | FortiGate AWS bootstrapped from configuration does not read SAML settings. |
652416 | AWS Fabric connector always uses root VDOM even though it is not a management VDOM. |
659333 | Slow route change for HA failover in GCP cloud. |
663276 | After cloning the OCI instance, the OCID does not refresh to the new OCID. |
668131 | EIP is not updating properly on FG-VM Azure. |
668625 | During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available. |
670166 | FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5. |
685782 | HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite |
Web Filter
Bug ID | Description |
---|---|
587018 | Add URL flow filter counters to SNMP. |
610553 | User browser gets URL block page instead of warning page when using HTTPS IP URL. |
620803 | Group name missing on web filter warning page in proxy-based inspection. |
629005 | foauthd has signal 11 crashes when FortiGate authenticates a web filter category. |
659372 | Inconsistent behavior between external list and FortiGuard categories/local override. |
WiFi Controller
Bug ID | Description |
---|---|
618456 | High cw_acd usage upon polling a large number of wireless clients with REST API. |