Fortinet Document Library


Known issues

The following issues have been identified in version 6.2.5. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

560044

Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.

Data Leak Prevention

Bug ID

Description

616918

DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS.

DNS Filter

Bug ID

Description

582374

License shows expiry date of 0000-00-00.

649985

Random SDNS rating timeout events on 6K/7K SLBC with FGSP.

Endpoint Control

Bug ID

Description

637454

Cloud-based EMS FSSO connector in FortiGate failed to connect with FortiClient EMS proxy in public cloud.

Explicit Proxy

Bug ID

Description

540091

Cannot access explicit FTP proxy via VIP.

599637

Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is enabled in proxy policy.

617934

FortiGate web proxy should support forward server on TLS 1.3 certificate inspection connection.

634515

HTTP 1.1 host header is lost in FortiGuard web proxy requests.

644121

Explicit proxy error 504, DNS fails for a specific domain.

Firewall

Bug ID

Description

586764

Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making change to large policy list (10 000+ policies).

586995

Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary.

595949

Any changes to the security policy table causes the hit count to reset.

633856

Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used.

644225

Challenge ACK is being dropped.

644638

Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor.

644865

Query string parameters omitted (HTTP redirect, SSL offloading).

647410

append command allows mixing VIP and firewall address as destination objects in a firewall policy.

648951

External threat feed entry 0.0.0.0/0 shows as invalid but it blocks traffic.

653828

When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds.

660461

Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU in a large, complex configuration.

FortiView

Bug ID

Description

635309

When choosing to view Compromised Hosts, FortiGate returns an error 500 when FQDN is set in config log fortianalyzer setting.

643198

Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data.

660753

In FortiView Sources dashboard, after filtering by subnet, drilling down will always show the first entry.

673225

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. The data can be shown if source interface's role is LAN, DMZ, or undefined.

GUI

Bug ID

Description

354464

Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made.

514632

Inconsistent reference count when using ports in HA session-sync-dev.

529094

When creating an anti-spam block/allowlist entry, Mark as Reject should be grayed out.

535099

The SSID dialog page does not have support for the new MAC address filter.

541042

Log viewer forwarded traffic does not support multiple filters for one field.

584915

OK button missing from many pages when viewed in Chrome on an Android device.

584939

VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-".

598222

After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware.

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

612236

RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI.

621254

When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error.

638752

FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface.

650307

GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list.

651711

Unable to select an address group when configuring Source IP Pools for an SSL VPN portal.

653726

Filtering log results with a regular expression incorrectly yields no results.

656429

Intermittent GUI process crash if a managed FortiSwitch returns a reset status.

660165

When creating SD-WAN rules in the GUI, the destination interface preference is not saved when the strategy is manual.

662640

Some GUI pages (dashboard, topology, policy list, interface list) are slow to load on low-end platforms when there are many concurrent HTTPSD requests.

663351

Connectivity test for RADIUS server using CHAP authentication always returns failure.

664007

GUI incorrectly shows warning, Botnet package update unavailable, if antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

666545

When FortiGate is in HA mode, GUI may take a long time or fail to show traffic logs from FortiAnalyzer. Log retrieval from disk does not have this issue.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

689605

On some browser versions, GUI shows a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

HA

Bug ID

Description

615001

LAG does not come up after link failed signal is triggered.

626715

Out-of-sync issue caused by a firewall address group member that is either duplicated or out of order.

630070

HA is failing over due to cmdbsvr crashes.

634604

SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C.

639307

Both primary and secondary consoles keep printing get_ha_sync_obj_sig_4dir: stat /etc/cert/ca/5c44d531.0 error 2.

640428

SSL VPN related auth login user event logs do not require HA to be in sync.

643958

Inconsistent data from FFDB caused several confsyncd crashes.

647679

Inconsistent values for HA cluster inside the SNMP.

648073

HA cluster uses physical port MAC address at the time of HA failover.

651674

Long sessions lost on new primary after HA failover.

678309

Cluster is out of sync because of config vpn certificate ca after upgrade.

Intrusion Prevention

Bug ID

Description

565747

IPS engine 5.00027 has signal 11 crash.

586544

IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668

IPS engine 5.00035 has signal 11 crash.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

655371

Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode.

IPsec VPN

Bug ID

Description

592361

Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.

611451

ADVPN spoke one behind NAT shortcut cannot connect to another spoke that is not behind NAT.

639806

User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject.

644780

Rectify the consequences if password renewal on FortiClient is canceled.

646012

DHCP over IPsec randomly works when net-device is disabled.

655895

Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).

659535

Setting same phase1-interface in SD-WAN member and SD-WAN zone causes iked watchdog timeout.

Log & Report

Bug ID

Description

606533

User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI.

634947

rlogd signal 11 crashes.

641450

The miglogd process is bound to busy CPUs, even though there are other completely idle CPUs available.

650325

The miglogd process crashes with signal 11.

Proxy

Bug ID

Description

550350

Should not be able to set inspection-mode proxy with IPS-enabled only policy.

578850

Application WAD crash several times due to signal alarm.

582475

WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

617322

DLP FTP proxy with splice option sends delete command to server before data transfer completes.

629504

SSH status in SSL profile changes to deep-inspection from disable after upgrading.

638039

Delete validation is not working for Protecting SSL Server profile.

648831

WAD memory leak caused by Kerberos proxy authentication.

658654

Cannot access specific website using proxy-based UTM with certification inspection due to delays from the server in replying to ClientHello message when a second connection from the same IP is also waiting for ClientHello.

REST API

Bug ID

Description

584631

REST API admin with token unable to configure HA setting (via login session works).

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

624621

Log traffic to remote servers does not follow SD-WAN rules.

627901

set dscp-forward option is missing when using maximize bandwidth strategy in SD-WAN rule.

632285

Health check SLA status log shows configured bandwidth value instead of used bandwidth value.

641050

Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.

646418

SD-WAN information available in session list is confusing.

654482

SD-WAN route tag is removed with multiple BGP paths in place.

662845

HA secondary also sends SD-WAN sla-fail-log-period to FortiAnalyzer.

666829

Application bfdd crashes.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

629723

SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions.

649556

FortiNAC requests to FortiGate can timeout on low-end models when there are many concurrent requests.

SSL VPN

Bug ID

Description

505986

On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.

548599

SSL VPN crashes on parsing some special URLs.

620793

A page inside a bookmark not opening in SSL VPN web mode.

627456

Traffic cannot pass when SAML user logs in to SSL VPN portal with group match.

630432

Slides on https://re***.nz website are displayed in SSL VPN web mode.

631082

FortiManager tabs/page do not load when accessed via SSL VPN web mode.

635814

FortiGate GUI cannot be rendered and displayed via SSL VPN portal.

636332

With SSL VPN proxy JIRA web application, get one wrong URL without proxy path.

641379

Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal.

643749

SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password.

644506

Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group have the same user name and password.

645368

FortiClient randomly fails to connect to SSL VPN tunnel mode stuck at 98% with two-factor authentication token.

648433

Internal website loading issue in SSL VPN web portal for ca***.fr.

652880

SSL VPN crashes in a scenario where a large number of groups is sent to fnbam for authentication.

657689

The system allows enabling split tunnel when the SSL VPN policy is configured with destination all. It is not consistent with 5.6.x and 6.0.x.

665879

When SSL VPN processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML.

Switch Controller

Bug ID

Description

588584

GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.

605864

If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting.

649913

HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.

652745

Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

574716

The ospfNbrState OID takes too long to update.

578031

FortiManager Cloud cannot be removed once the FortiGate has trouble on contract.

585882

Error in log, msg="Interface 12345678001-ext:64 not found in the list!", while creating a long name VDOM in FG-SVM.

594264

NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will timeout at session TTL expiry.

597893

FortiExtender interface admin status changes cannot be detected by FortiManager because the FortiGate checksum does not change.

598464

Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.

598928

FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN.

600032

SNMP does not provide routing table for non-management VDOM.

602643

Interface gets removed from SD-WAN after rebooting when the interface is defined in both SD-WAN and zone.

605723

FG-600E stops sending out packets on its SPF and copper port on NP6.

607565

Interface emac-vlan feature does not work on SoC4 platform.

609112

IPv6 push update fails.

609783

SNMP failed to retrieve HA cluster secondary information from secondary serial number in TP mode.

619023

Proxy ARP configuration not loaded after interface shut/not shut.

627269

Wildcard FQDN not resolved on the secondary unit.

628642

Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled.

630861

Support FortiManager when private-data-encryption is enabled in FortiOS.

633827

Errors during fuzzy tests on FG-1500D.

634929

NP6 SSE drops after a couple of hours in a stability test.

636999

LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.

637983

FG-100F memory configuration check fails because of wrong threshold.

642327

FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port.

644380

FG-40F/60F kernel panic if upgrading from 6.4.0 due to configuration file having a name conflict of fortilink as both aggregate interface and virtual switch name.

Workaround: back up the 6.4.0 configuration, perform a clean installation via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration.

645363

SNMP monitoring does not provide the SD-WAN member interface name.

645848

FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection.

647151

Unable to configure aggregate interface type on FG-30E-3G4G.

647777

FortiGate not responding to DHCP relay requests from clients behind a DHCP relay.

654159

NP6Xlite traffic not sent over the tunnel when NPU is enabled.

657629

ARM-based platforms do not have sensor readings included in SNMP MIBs.

658933

Under some circumstances, it was possible for Update D to create zombie processes.

662681

Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.

662989

FG-40F/41F aggregate interface gets removed after upgrading to 6.2.5 from 6.2.4 firmware version.

666030

Empty firewall objects after pushing several policy deletes.

670838

It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%.

677825

Traffic on VLAN and NPU VDOM link interfaces fails after switching from standalone to HA mode.

689345

npd crashes because FOS object is null.

689619

Traffic dropped with NP7 IPsec hardware acceleration when packet size higher than PMTU and lower than tunnel MTU.

689625

Kernel crashes when using FCLF8522P2BTLFTN SFPs on HA interfaces. Affected models: FG-1800F and FG-1801F.

689735

NP7 drops frames shorter than 32 bytes at HTX. HA session synchronization packets are not balanced to multiple HRX queues because the frames have the same source and destination MAC address.

694202

stpforward does not work with LAG interfaces on a transparent VDOM.

Upgrade

Bug ID

Description

658664

FortiExtender status becomes discovered after upgrading from 6.0.10 (build 0365).

Workaround: change the admin from discovered to enable after upgrading.

config extender-controller extender
    edit <id>
        set admin enable
    next
end

User & Device

Bug ID

Description

546794

De-authentication of RSSO user does not clear the login from the motherboard.

580155

fnbamd crash.

591461

FortiGate does not send user IP to TACACS server during authentication.

595583

Device identification via LLDP on an aggregate interface does not work.

658982

ADVPN IKEv2 certificate authentication does not work with OCSP check when certificates do not contain OCSP path.

659456

REST API authentication fails for API user with PKI group enabled due to fnbamd crash.

VM

Bug ID

Description

587180

FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

587757

FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type.

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

603100

Autoscale not syncing certificate among the cluster members.

605511

FG-VM-GCP reboots a couple of times due to kernel panic.

606527

GUI and CLI interface dropdown lists are inconsistent.

608881

IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

620654

Spoke dialup IPsec VPN does not initiate connection to hub after FG-VM HA failover in Azure.

634245

Dynamic address objects are not resolved to all addresses using Azure SDN connector.

640436

FortiGate AWS bootstrapped from configuration does not read SAML settings.

652416

AWS Fabric connector always uses root VDOM even though it is not a management VDOM.

659333

Slow route change for HA failover in GCP cloud.

663276

After cloning the OCI instance, the OCID does not refresh to the new OCID.

668131

EIP is not updating properly on FG-VM Azure.

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

670166

FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5.

Web Filter

Bug ID

Description

587018

Add URL flow filter counters to SNMP.

610553

User browser gets URL block page instead of warning page when using HTTPS IP URL.

620803

Group name missing on web filter warning page in proxy-based inspection.

629005

foauthd has signal 11 crashes when FortiGate authenticates a web filter category.

659372

Inconsistent behavior between external list and FortiGuard categories/local override.

WiFi Controller

Bug ID

Description

618456

High cw_acd usage upon polling a large number of wireless clients with REST API.

Known issues

The following issues have been identified in version 6.2.5. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

560044

Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.

Data Leak Prevention

Bug ID

Description

616918 DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS.

DNS Filter

Bug ID

Description

582374

License shows expiry date of 0000-00-00.

649985

Random SDNS rating timeout events on 6K/7K SLBC with FGSP.

Endpoint Control

Bug ID

Description

637454

Cloud-based EMS FSSO connector in FortiGate failed to connected with FortiClient EMS proxy in public cloud.

Explicit Proxy

Bug ID

Description

540091

Cannot access explicit FTP proxy via VIP.

599637

Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is enabled in proxy policy.

617934

FortiGate web proxy should support forward server on TLS 1.3 certificate inspection connection.

634515

HTTP 1.1 host header is lost in FortiGuard web proxy requests.

644121

Explicit proxy error 504, DNS fails for a specific domain.

Firewall

Bug ID

Description

586764

Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making change to large policy list (10 000+ policies).

586995

Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary.

595949

Any changes to the security policy table causes the hit count to reset.

633856

Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used.

644225

Challenge ACK is being dropped.

644638

Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor.

644865

Query string parameters omitted (HTTP redirect, SSL offloading).

647410

append command allows mixing VIP and firewall address as destination objects in a firewall policy.

648951

External threat feed entry 0.0.0.0/0 shows as invalid but it blocks traffic.

653828

When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds.

660461

Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU in a large, complex configuration.

FortiView

Bug ID

Description

635309

When choosing to view Compromised Hosts, FortiGate returns an error 500 when FQDN is set in config log fortianalyzer setting.

643198

Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data.

660753

In FortiView Sources dashboard, after filtering by subnet, drilling down will always show the first entry.

673225

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. The data can be shown if source interface's role is LAN, DMZ, or undefined.

GUI

Bug ID

Description

354464

Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made.

514632

Inconsistent reference count when using ports in HA session-sync-dev.

529094

When creating an anti-spam block/allowlist entry, Mark as Reject should be grayed out.

535099

The SSID dialog page does not have support for the new MAC address filter.

541042

Log viewer forwarded traffic does not support multiple filters for one field.

584915

OK button missing from many pages when viewed in Chrome on an Android device.

584939

VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-".

598222

After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware.

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

612236

RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI.

621254

When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error.

638752

FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface.

650307

GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list.

651711

Unable to select an address group when configuring Source IP Pools for an SSL VPN portal.

653726

Filtering log results with a regular expression incorrectly yields no results.

656429

Intermittent GUI process crash if a managed FortiSwitch returns a reset status.

660165

When creating SD-WAN rules in the GUI, the destination interface preference is not saved when the strategy is manual.

662640

Some GUI pages (dashboard, topology, policy list, interface list) are slow to load on low-end platforms when there are many concurrent HTTPSD requests.

663351

Connectivity test for RADIUS server using CHAP authentication always returns failure.

664007

GUI incorrectly shows warning, Botnet package update unavailable, if antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

666545

When FortiGate is in HA mode, GUI may take a long time or fail to show traffic logs from FortiAnalyzer. Log retrieval from disk does not have this issue.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

689605

On some browser versions, GUI shows a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

HA

Bug ID

Description

615001

LAG does not come up after link failed signal is triggered.

626715

Out-of-sync issue caused by firewall address group member is either duplicated or out of order.

630070

HA is failing over due to cmdbsvr crashes.

634604

SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C.

639307

Both primary and secondary consoles keep printing get_ha_sync_obj_sig_4dir: stat /etc/cert/ca/5c44d531.0 error 2.

640428

SSL VPN related auth login user event logs do not require HA to be in sync.

643958

Inconsistent data from FFDB caused several confsyncd crashes.

647679

Inconsistent values for HA cluster inside the SNMP.

648073

HA cluster uses physical port MAC address at the time of HA failover.

651674

Long sessions lost on new primary after HA failover.

678309

Cluster is out of sync because of config vpn certificate ca after upgrade.

Intrusion Prevention

Bug ID

Description

565747

IPS engine 5.00027 has signal 11 crash.

586544

IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668

IPS engine 5.00035 has signal 11 crash.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

655371

Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode.

IPsec VPN

Bug ID

Description

592361

Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.

611451

ADVPN spoke one behind NAT shortcut cannot connect to another spoke that is not behind NAT.

639806

User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject.

644780

Rectify the consequences if password renewal on FortiClient is canceled.

646012

DHCP over IPsec randomly works when net-device is disabled.

655895

Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).

659535

Setting same phase1-interface in SD-WAN member and SD-WAN zone causes iked watchdog timeout.

Log & Report

Bug ID

Description

606533

User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI.

634947

rlogd signal 11 crashes.

641450

The miglogd processes is bound to busy CPUs, even though there are other completely idle CPUs available.

650325

The miglogd process crashes with signal 11.

Proxy

Bug ID

Description

550350

Should not be able to set inspection-mode proxy with IPS-enabled only policy.

578850

Application WAD crash several times due to signal alarm.

582475

WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

617322

DLP FTP proxy with splice option sends delete command to server before data transfer completes.

629504

SSH status in SSL profile changes to deep-inspection from disable after upgrading.

638039

Delete validation is not working for Protecting SSL Server profile.

648831

WAD memory leak caused by Kerberos proxy authentication.

658654

Cannot access specific website using proxy-based UTM with certification inspection due to delays from the server in replying to ClientHello message when a second connection from the same IP is also waiting for ClientHello.

REST API

Bug ID

Description

584631 REST API admin with token unable to configure HA setting (via login session works).

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

624621

Log traffic to remote servers does not follow SD-WAN rules.

627901

set dscp-forward option is missing when using maximize bandwidth strategy in SD-WAN rule.

632285

Health check SLA status log shows configured bandwidth value instead of used bandwidth value.

641050

Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.

646418

SD-WAN information available in session list is confusing.

654482

SD-WAN route tag is removed with multiple BGP paths in place.

662845

HA secondary also sends SD-WAN sla-fail-log-period to FortiAnalyzer.

666829

Application bfdd crashes.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

629723

SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions.

649556

FortiNAC requests to FortiGate can timeout on low-end models when there are many concurrent requests.

SSL VPN

Bug ID

Description

505986 On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.

548599

SSL VPN crashes on parsing some special URLs.

620793

A page inside a bookmark not opening in SSL VPN web mode.

627456

Traffic cannot pass when SAML user logs in to SSL VPN portal with group match.

630432

Slides on https://re***.nz website are displayed in SSL VPN web mode.

631082

FortiManager tabs/page do not load when accessed via SSL VPN web mode.

635814

FortiGate GUI cannot be rendered and displayed via SSL VPN portal.

636332

With SSL VPN proxy JIRA web application, get one wrong URL without proxy path.

641379

Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal.

643749

SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password.

644506

Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password.

645368

FortiClient randomly fails to connect to SSL VPN tunnel mode stuck at 98% with two-factor authentication token.

648433

Internal website loading issue in SSL VPN web portal for ca***.fr.

652880

SSL VPN crashes in a scenario where a large number of groups is sent to fnbam for authentication.

657689

The system allows enabling split tunnel when the SSL VPN policy is configured with destination all. It is not consistent with 5.6.x and 6.0.x.

665879

When SSL VPN processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML.

Switch Controller

Bug ID

Description

588584

GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.

605864

If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting.

649913

HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.

652745

Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

574716

The ospfNbrState OID takes too long to update.

578031

FortiManager Cloud cannot be removed once the FortiGate has trouble on contract.

585882

Error in log, msg="Interface 12345678001-ext:64 not found in the list!", while creating a long name VDOM in FG-SVM.

594264

NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will time out at session TTL expiry.

597893

FortiExtender interface admin status changes cannot be detected by FortiManager because the FortiGate checksum does not change.

598464

Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.

598928

FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN.

600032

SNMP does not provide routing table for non-management VDOM.

602643

Interface gets removed from SD-WAN after rebooting when the interface is defined in both SD-WAN and zone.

605723

FG-600E stops sending out packets on its SFP and copper port on NP6.

607565

Interface emac-vlan feature does not work on SoC4 platform.

609112

IPv6 push update fails.

609783

SNMP failed to retrieve HA cluster secondary information from secondary serial number in TP mode.

619023

Proxy ARP configuration not loaded after interface shut/not shut.

627269

Wildcard FQDN not resolved on the secondary unit.

628642

Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled.

630861

Support FortiManager when private-data-encryption is enabled in FortiOS.

633827

Errors during fuzzy tests on FG-1500D.

634929

NP6 SSE drops after a couple of hours in a stability test.

636999

LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.

637983

FG-100F memory configuration check fails because of wrong threshold.

642327

FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port.

644380

FG-40F/60F kernel panic if upgrading from 6.4.0 due to configuration file having a name conflict of fortilink as both aggregate interface and virtual switch name.

Workaround: back up the 6.4.0 configuration, perform a clean installation via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration.

645363

SNMP monitoring does not provide the SD-WAN member interface name.

645848

FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection.

647151

Unable to configure aggregate interface type on FG-30E-3G4G.

647777

FortiGate not responding to DHCP relay requests from clients behind a DHCP relay.

654159

NP6Xlite traffic not sent over the tunnel when NPU is enabled.

657629

ARM-based platforms do not have sensor readings included in SNMP MIBs.

658933

Under some circumstances, it was possible for Update D to create zombie processes.

662681

Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.

662989

FG-40F/41F aggregate interface gets removed after upgrading to 6.2.5 from 6.2.4 firmware version.

666030

Empty firewall objects after pushing several policy deletes.

670838

It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%.

677825

Traffic on VLAN and NPU VDOM link interfaces fails after switching from standalone to HA mode.

689345

npd crashes because FOS object is null.

689619

Traffic dropped with NP7 IPsec hardware acceleration when packet size higher than PMTU and lower than tunnel MTU.

689625

Kernel crashes when using FCLF8522P2BTLFTN SFPs on HA interfaces. Affected models: FG-1800F and FG-1801F.

689735

NP7 drops frames shorter than 32 bytes at HTX. HA session synchronization packets are not balanced to multiple HRX queues because the frames have the same source and destination MAC address.

694202

stpforward does not work with LAG interfaces on a transparent VDOM.

Upgrade

Bug ID

Description

658664

FortiExtender status becomes discovered after upgrading from 6.0.10 (build 0365).

Workaround: change the admin from discovered to enable after upgrading.

config extender-controller extender
    edit <id>
        set admin enable
    next
end

User & Device

Bug ID

Description

546794

De-authentication of RSSO user does not clear the login from the motherboard.

580155

fnbamd crash.

591461

FortiGate does not send user IP to TACACS server during authentication.

595583

Device identification via LLDP on an aggregate interface does not work.

658982

ADVPN IKEv2 certificate authentication does not work with OCSP check when certificates do not contain OCSP path.

659456

REST API authentication fails for API user with PKI group enabled due to fnbamd crash.

VM

Bug ID

Description

587180

FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

587757

FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type.

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

603100

Autoscale not syncing certificate among the cluster members.

605511

FG-VM-GCP reboots a couple of times due to kernel panic.

606527

GUI and CLI interface dropdown lists are inconsistent.

608881

IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

620654

Spoke dialup IPsec VPN does not initiate connection to hub after FG-VM HA failover in Azure.

634245

Dynamic address objects are not resolved to all addresses using Azure SDN connector.

640436

FortiGate AWS bootstrapped from configuration does not read SAML settings.

652416

AWS Fabric connector always uses root VDOM even though it is not a management VDOM.

659333

Slow route change for HA failover in GCP cloud.

663276

After cloning the OCI instance, the OCID does not refresh to the new OCID.

668131

EIP is not updating properly on FG-VM Azure.

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

670166

FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5.

Web Filter

Bug ID

Description

587018

Add URL flow filter counters to SNMP.

610553

User browser gets URL block page instead of warning page when using HTTPS IP URL.

620803

Group name missing on web filter warning page in proxy-based inspection.

629005

foauthd has signal 11 crashes when FortiGate authenticates a web filter category.

659372

Inconsistent behavior between external list and FortiGuard categories/local override.

WiFi Controller

Bug ID

Description

618456

High cw_acd usage upon polling a large number of wireless clients with REST API.