URL threat detection version shows a large negative number after FortiGate reboots.

WAD crashed at wad_disclaimer_get with signal 11 when disclaimer is enabled in proxy policy and the browser is Chrome.

Compare and sync the VSD change in V5.6 to WAD VS.

In NGFW mode, IPS engine drops RPC data channel when IPS profile is applied to a security policy.

Increase the maximum limit for the optional parameters in SCTP INIT packet. After the fix, the maximum limit is 10 instead of 4 parameters.

Timeout value is not reflected correctly to a new session when changing timeout value for system session-ttl on FortiGate-HV.

FortiGate VIP object offers weak elliptic curves since VS implementation in WAD for FortiOS 6.0 and above.

FTP session helper does not work when there is reflected (auxiliary) session.

Monitor page display incorrect virtual server entries for IPv6, VIP46, and VIP64; right-clicking gives an error.

Reorder function on Authentication Rules page does not work.

User cannot log in to GUI when password change is required and has pre-login or post-login banner enabled or FIPS mode.

HA warning message remains after primary device takes back control.

GUI shows Invalid LDAP server error while LDAP query successfully finished.

When sorting the interface list by the Name column, the ports are not always in the correct order (port10 appears before port2).

Interface status is not displayed on faceplate when viewing from the System > HA page.

GUI takes two minutes to load VPN > IPsec Tunnels for 1483 tunnels.

Configured overlapped subnet on GUI still shows error message after enabling subnet overlap.

Disabling the Idle Logout toggle on the SSL-VPN Settings page does not change the idle timeout setting, so the change does not persist after clicking Apply.

In Firefox, SAML SSO admin cannot create additional SSO admins or normal admins via the GUI.

DHCP relay IP address not showing on Network > Interfaces page for VLAN interface.

GUI should not add speed to virtual switch member port (FG-101F).

IPS Filter Details column is empty when All is used.

On POE devices, several sections of the GUI take over 15 seconds to fully load.

Software switch members and their VLANs are not visible in the GUI interfaces list.

GUI is not displaying DHCP configuration if the interface name includes the \ character.

Firewall address group object (including interface subnet) is invisible in Accessible Networks.

Monitor > SD-WAN Monitor keeps loading after disabling VPN member.

LCP-1250RJ3SR-K transceiver shows a warning in the GUI even though it is certified.

Fortinet-sold active direct attached cable (SP-CABLE-ADASFP+) is showing as not certified by Fortinet.

Web filter profile dialog cannot load URL filter table if there are a lot of URL filters.

Unable to delete multiple phase 2 selectors at the same time from the VPN IPsec tunnels dialog.

HA cannot display status in GUI when heartbeat cables reconnect.

It takes up to 10 seconds to get NPU VDOM link up when rebooting primary unit.

When HA primary device is down, a time synchronization with NTP servers will be disabled after failback.

FG-100D HA A-P mode not syncing.

HA secondary device is reporting multiple events (DDNS update failed).

private-data-encryption causes cluster to be periodically out of sync due to customer certificates.

traceroute not working in asymmetric FGSP environment.

IPS engine and IPS helper crash with signal 6 (aborted).

SSL offloading randomly does not work when UTM (AV/IPS) is enabled on firewall policy.

The customer is unable to log in to VPN with RADIUS intermittently.

iked crash when proposal is AES-GCM.

Upon reboot, failover or re-negotiation occurs with an active FEC enabled and tunnel traffic can no longer pass.

IKEv2 EAP certificate authentication failings after upgrading from to 6.2.1 to 6.2.3.

ADVPN cannot establish after primary ISP has recovered from failure and traffic between spokes is dropped.

IKE daemon signal 6 crash when phase1 add-gw-route is enabled.

IKE crashes at ike_hasync__xauth.

IPS logs are recorded twice with TCP offloading on virtual server.

FortiGate sends incorrect long session logs to FortiGate Cloud.

Reliable syslogd session goes into bad state due to traffic shaper.

Logs from HA secondary unit cannot be uploaded to FortiCloud.

Logs are not generated in GUI and CLI after checking the file system (after power cable disconnected).

FortiOS gives wrong time stamp when querying FortiGate Cloud log view.

When CIFS profile is loaded, using MacOS to access Windows Share causes WAD to crash.

In FortiGate with squid configuration (proxy chain), get ERR_SSL_PROTOCOL_ERROR when using Google Chrome with certificate/deep inspection.

Abbreviated handshake randomly receives fatal illegal_parameter against zendesk.com services/sites.

WAD crashes every few minutes.

FTP-TP reaches high memory usage and triggers conserve mode.

AV in proxy inspection mode blocks Cisco Webex traffic.

When CIFS profile is loaded, using MacOS (Mojave 10.14) to access Windows 2016 SMB Share causes WAD to crash.

The WAD process is crashing multiple times.

Prevent BGP daemon crashing when peer breaks TCP connection.

BGP route is not added into kernel during ADVPN test.

BGP daemon crashes when TCP connection is broken by peer.

Editing/adding any address object that is referenced in policy is generating false positive SD-WAN alert messages.

Local-out TCP traffic changes output interface when irrelevant interface is flapping that causes disconnections.

Cannot ping old VRIPs when adding new VRIPs.

The single BGP update message contains the same prefix in withdrawn routes and NLRI (advertised route).

NTP and FSSO not following SD-WAN rules

DHCP relay does not match the SD-WAN policy route.

SD-WAN IPv6 default route cannot be redistributed into BGP using set default-originateroutemap6.

Crash happens due to segfault in CSF.

FortiGate does not send client IP address as a framed IP address to RADIUS server in RADIUS accounting request message.

Sending RADIUS accounting interim update messages with SSL VPN client framed IP are delayed.

SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated.

Double redirection through SSL web mode not working.

RDP connection via SSL VPN web portal does not work with UserPrincipalName (UPN) and NLA security.

Get 305 error when browsing website through SSL VPN web mode bookmark and sslvpnd crashes.

Videos from live cameras via SSL VPN web mode not working.

https://outlook.office365.com cannot be accessed in SSL VPN web portal.

CLI command get vpn ssl monitor displays users from other VDOM.

Adding FQDN routing address in split tunnel configuration injects single route in client for multiple A records.

SSL VPN disconnected when importing or renaming CA certificates.

SSL VPN web mode not displaying full customer webpage after logging in.

Add memory protection for web mode SSL VPN child process (guacd).

Pages could not be shown after logging in to back-end application server.

Memory corrupt in some DNS callback cases causes SSL VPN crash.

An internal website via SSL VPN web portal failed to load an external resource.

Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark.

The company website is not shown properly in SSL VPN web mode.

Riverbed SteelCentral AppResponse login form is not displaying in SSL VPN web mode.

Internal aixws7test2 portal is not loading in SSL VPN web mode.

After SSL VPN proxy, some JS files of hapi website could not work.

SAML login button is lost on SSL VPN portal.

Internal site http://va***.com not completely loading through SSL VPN web mode bookmark.

For guacd daemon generated for RDP session, it would sometimes be in an unknown state with 100% CPU and could not be released.

Internal server error 500 while accessing contolavdip portal in SSL VPN web mode.

Map could not be displayed correctly in SSL VPN web mode.

Website (pr***.com) not loading properly in SSL VPN web mode.

After the upgrade to 6.0.10/6.2.4/6.4.0, SSL VPN portal mapping/remote authentication is matching user into the incorrect group.

Internal website hosted in bookmark https://in***.cat is not loading completely in SSL VPN web mode.

Some JS files of jira.***.vwg could not run in SSL VPN web mode.

SSL VPN log entries display users from other VDOMs.

FG-100D traffic traversing port1-port16 only saturates CPU0.

CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots.

SFP+ 1G speed should be supported on FG-1100E, FG-1800F, FG-2200E, and FG-3300E series.

FG-201E stops sending out packets and NP6lite is stuck.

Potential memory leak triggered by FTP command in WAD.

sentbyte of NTP on local traffic log shows as 0 bytes, even though NTP client receives the packet.

High CPU usage issue caused by high depth expectation sessions in the same hash table slot.

Failed to set ping-option source to Auto.

After a reboot of the PPPoE server, the FortiGate (PPPoE clients, 35 clients) keeps flapping (connection down and up) for a long time before connecting successfully.

NPU offloading enabled dropping traffic from IPsec VPN tunnel remote gateway.

When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE.

FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the fly.

Many no session matched logs while managing FortiGate.

ip6-extra-addr does not perform router advertisement after reboot in HA.

Uninitialized variable that may potentially cause httpsd signal 6 and 11 crash issue.

Crashes might happen due to CMDB query allocation fail that causes a segfault.

Long delay and cmdbsvr at 100% CPU consumption when modifying address objects and address groups via GUI or REST API.

Traffic not showing statistics for VLAN interfaces base on hardware switch.

Fortinet_CA is missing in FG-3400E.

The FG-800D HA LED is off when HA status is normal.

Fail to detect transceiver on all SFP28/QSFP ports. Affected platforms: FG-3300E and FG-3301E.

Over a period of time, FG-60E goes into memory conserve mode caused by resource leak of sepmd daemon.

FG-80D may fail to boot due to a limitation in the size of the bootloader and kernel.

Request to blocked signature with SSL mirrored traffic capture causes FG-500E to reboot.

Virtual WAN link stops responding after 45 members.

Frame size option in sniffer does not work.

DSL module of FortiWiFi 60E-DSL shows as not ready after upgrade.

DHCPv6 client's DUID generated on two different FortiGates match.

FWF-60E-DSL ADSL2+ connection provided by BT in the UK does not work after upgrading from 6.0.9 to 6.2.4.

Unable to handle kernel NULL pointer dereference at 000000000000008f.

execute shutdown reboots instead of shutting down on SoC4 platforms.

SFP28 port group (ha1, ha2, port1 and port2) missing 1000full speed option. Affected platforms: FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).

Interface forward-error-correction setting not honored after reboot.

After reboot, forward-error-correction value is not maintained as it should be.

VDOM with long name cannot be deleted.

After upgrading from 6.2.2 to 6.2.3, the description field in the table has disappeared under DHCP reservation.

Upon upgrading to FortiOS 6.2.4, DoS policies configured on interfaces may drop traffic that is passing through the DoS policy configuration. Note that this can occur if the DoS policy is configured in drop or monitor mode.

Workaround: disable the DoS policy.

Sessions are removed from the session table when FSSO group order is changed.

auth-concurrent setting in user group is not working as expected.

Device identification scanner crashes on receipt of SSDP search.

Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to push notification delay.

src-vis crashes on receipt of certain ONVIF packets.

fnbamd is not sending Calling-Station-Id in Access-Request for L2TP/IPsec since 5.4.0.

Remote admin LDAP user login has authentication failure when the same LDAP user has local two-factor authentication.

Older FortiGate models do not have CA2 and will cause EMS server authentication to fail.

Inconsistent fnbamd LDAP group match result.

Unable to update routing table for a resource group in a different subscription with FortiGate Azure SDN.

vMotion causing sessions to be disconnected as it consider sessions stateless.

Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under vdom-exception.

Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces.

By assigning port1 as the HA management port, the HA secondary unit node is now able to send system information to the Azure portal through waagent so that up-to-date information is displayed on the Azure dashboard.

If port1 is not used as the HA management port, the Azure display and Azure Security Center alerts will not reflect the correct state of the node, which may result in unnecessary alarms.

AWS FortiGate NIC gets swapped between port2 and port3 after FortiGate reboots.

RAS helper does not NAT the port 1720 in the callSignalAddress field of the RegistrationRequest packet sent from the endpoint.

FSSO users cannot proceed on web filter warning page in flow-based inspection.

If the last line in a threat feed does not end with "\n", it is not parsed and is not displayed in the GUI.

FortiAP not coming online on FG-PPPoE interface.

FortiOS 6.2.5 is no longer vulnerable to the following CVE Reference:

• CVE-2020-6648

FortiOS 6.2 running AV engine version 6.00145 or later is no longer vulnerable to the following CVE Reference:

• CVE-2020-9295