Fortinet Document Library


Resolved issues

The following issues have been fixed in version 6.2.5. For inquiries about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID   Description
497024   Flow mode banned word spam filter log is missing the banned word.

Anti Virus

Bug ID   Description
582368   URL threat detection version shows a large negative number after FortiGate reboots.
615805   Device goes into conserve mode due to large files.

Application Control

Bug ID   Description
630075   After upgrading, FortiGate faced an internet access issue when IPS and AC profiles are enabled and the outgoing interface is an npu_vlink.

Data Leak Prevention

Bug ID   Description
582480   scanunit crashes with signal 11 in dlpscan_mailheader when AV scans files via IMAP.

Endpoint Control

Bug ID   Description
608301   EMS serial number format should be flexible.

Explicit Proxy

Bug ID   Description
591012   WAD crashed at wad_disclaimer_get with signal 11 when disclaimer is enabled in proxy policy and the browser is Chrome.
610298   Compare and sync the VSD change in V5.6 to WAD VS.
650540   FortiGate sends traffic to an incorrect port using a wrong source NAT IP address.

Firewall

Bug ID   Description
596633   In NGFW mode, IPS engine drops RPC data channel when IPS profile is applied to a security policy.
603263   Increase the maximum limit for the optional parameters in SCTP INIT packet. After the fix, the maximum limit is 10 instead of 4 parameters.
606962   Timeout value is not reflected correctly to a new session when changing timeout value for system session-ttl on FortiGate-HV.
610557   FortiGate VIP object offers weak elliptic curves since VS implementation in WAD for FortiOS 6.0 and above.
615073   FTP session helper does not work when there is reflected (auxiliary) session.
622045   Traffic not matched by security policy when using service groups in NGFW policy mode.

FortiView

Bug ID   Description
573138   When the data source is FortiGate Cloud, there is no paging to load sessions; only entries 1-499 are rendered.

GUI

Bug ID   Description
401862   Monitor page displays incorrect virtual server entries for IPv6, VIP46, and VIP64; right-clicking gives an error.
493819   Reorder function on Authentication Rules page does not work.
513694   User cannot log in to GUI when password change is required and has pre-login or post-login banner enabled or FIPS mode.
564849   HA warning message remains after primary device takes back control.
594534   GUI shows Invalid LDAP server error while LDAP query successfully finished.
594702   When sorting the interface list by the Name column, the ports are not always in the correct order (port10 appears before port2).
601568   Interface status is not displayed on faceplate when viewing from the System > HA page.
604682   GUI takes two minutes to load VPN > IPsec Tunnels for 1483 tunnels.
605496   Configured overlapped subnet on GUI still shows error message after enabling subnet overlap.
614056   Disabling the Idle Logout toggle on the SSL-VPN Settings page does not change the idle timeout setting, so the change does not persist after clicking Apply.
615267   In Firefox, SAML SSO admin cannot create additional SSO admins or normal admins via the GUI.
616878   DHCP relay IP address not showing on Network > Interfaces page for VLAN interface.
620854   GUI should not add speed to virtual switch member port (FG-101F).
623109   IPS Filter Details column is empty when All is used.
624551   On POE devices, several sections of the GUI take over 15 seconds to fully load.
628373   Software switch members and their VLANs are not visible in the GUI interfaces list.
633937   GUI is not displaying DHCP configuration if the interface name includes the \ character.
638277   Firewall address group object (including interface subnet) is invisible in Accessible Networks.
639756   Monitor > SD-WAN Monitor keeps loading after disabling VPN member.
642402   LCP-1250RJ3SR-K transceiver shows a warning in the GUI even though it is certified.
644999   Fortinet-sold active direct attached cable (SP-CABLE-ADASFP+) is showing as not certified by Fortinet.
646327   Web filter profile dialog cannot load URL filter table if there are a lot of URL filters.
650800   Unable to delete multiple phase 2 selectors at the same time from the VPN IPsec tunnels dialog.
654339   GUI search does not work in the interface list if DHCP client and range columns are present.

HA

Bug ID   Description
621583   HA cannot display status in GUI when heartbeat cables reconnect.
623642   It takes up to 10 seconds to get NPU VDOM link up when rebooting primary unit.
627610   When HA primary device is down, a time synchronization with NTP servers will be disabled after failback.
631342   FG-100D HA A-P mode not syncing.
637843   HA secondary device is reporting multiple events (DDNS update failed).
638287   private-data-encryption causes cluster to be periodically out of sync due to customer certificates.
645293   traceroute not working in asymmetric FGSP environment.
656099   mgmt interfaces are excluded for heartbeat interfaces (even if dedicate-mgmt is not enabled).

Intrusion Prevention

Bug ID   Description
587363   IPS engine and IPS helper crash with signal 6 (aborted).
595062   SSL offloading randomly does not work when UTM (AV/IPS) is enabled on firewall policy.
631381   RDP NLA authentication blocked by FortiGate when enabling IPS profile in the security group (central NAT).

IPsec VPN

Bug ID   Description
584982   The customer is unable to log in to VPN with RADIUS intermittently.
606129   iked crash when proposal is AES-GCM.
607134   Upon reboot, failover or re-negotiation occurs with an active FEC enabled and tunnel traffic can no longer pass.
610390   IKEv2 EAP certificate authentication fails after upgrading from 6.2.1 to 6.2.3.
610558   ADVPN cannot establish after primary ISP has recovered from failure and traffic between spokes is dropped.
631968   IKE daemon signal 6 crash when phase1 add-gw-route is enabled.
634883   IKE crashes at ike_hasync__xauth.
635325   Static route for site-to-site VPN remains active even when the tunnel is down.

Log & Report

Bug ID   Description
605405   IPS logs are recorded twice with TCP offloading on virtual server.
608565   FortiGate sends incorrect long session logs to FortiGate Cloud.
612779   Reliable syslogd session goes into bad state due to traffic shaper.
616835   Logs from HA secondary unit cannot be uploaded to FortiCloud.
628358   Logs are not generated in GUI and CLI after checking the file system (after power cable disconnected).
635013   FortiOS gives wrong time stamp when querying FortiGate Cloud log view.
643840   vwlservice should log the SD-WAN rule and not an internet service; impacts FortiAnalyzer SD-WAN monitor widgets and reports.

Proxy

Bug ID   Description
586909   When CIFS profile is loaded, using MacOS to access Windows Share causes WAD to crash.
612333   In FortiGate with squid configuration (proxy chain), get ERR_SSL_PROTOCOL_ERROR when using Google Chrome with certificate/deep inspection.
615791   Abbreviated handshake randomly receives fatal illegal_parameter against zendesk.com services/sites.
617099   WAD crashes every few minutes.
623108   FTP-TP reaches high memory usage and triggers conserve mode.
631723   AV in proxy inspection mode blocks Cisco Webex traffic.
632085   When CIFS profile is loaded, using MacOS (Mojave 10.14) to access Windows 2016 SMB Share causes WAD to crash.
637389   The WAD process is crashing multiple times.
640427   Web proxy WAD crash under WAN Opt auto-active mode.

Routing

Bug ID   Description
602679   Prevent BGP daemon crashing when peer breaks TCP connection.
602826   BGP route is not added into kernel during ADVPN test.
608106   BGP daemon crashes when TCP connection is broken by peer.
611539   Editing/adding any address object that is referenced in policy is generating false positive SD-WAN alert messages.
613716   Local-out TCP traffic changes output interface when irrelevant interface is flapping that causes disconnections.
619343   Cannot ping old VRIPs when adding new VRIPs.
625345   The single BGP update message contains the same prefix in withdrawn routes and NLRI (advertised route).
627951   NTP and FSSO not following SD-WAN rules.
628896   DHCP relay does not match the SD-WAN policy route.
629521   SD-WAN IPv6 default route cannot be redistributed into BGP using set default-originate-routemap6.
635716   FortiGuard web filter traffic also needs to follow SD-WAN service.

Security Fabric

Bug ID   Description
597139   Crash happens due to segfault in CSF.
609182   Security Fabric Settings page sometimes cannot load FortiSandbox URL threat detection version despite FortiSandbox being connected.

SSL VPN

Bug ID   Description
595505   FortiGate does not send client IP address as a framed IP address to RADIUS server in RADIUS accounting request message.
600029   Sending RADIUS accounting interim update messages with SSL VPN client framed IP are delayed.
604772   SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated.
606271   Double redirection through SSL web mode not working.
607687   RDP connection via SSL VPN web portal does not work with UserPrincipalName (UPN) and NLA security.
608464   Get 305 error when browsing website through SSL VPN web mode bookmark and sslvpnd crashes.
610579   Videos from live cameras via SSL VPN web mode not working.
617170   https://outlook.office365.com cannot be accessed in SSL VPN web portal.
620508   CLI command get vpn ssl monitor displays users from other VDOM.
622068   Adding FQDN routing address in split tunnel configuration injects single route in client for multiple A records.
622110   SSL VPN disconnected when importing or renaming CA certificates.
622871   SSL VPN web mode not displaying full customer webpage after logging in.
623076   Add memory protection for web mode SSL VPN child process (guacd).
623231   Pages could not be shown after logging in to back-end application server.
623379   Memory corruption in some DNS callback cases causes SSL VPN crash.
624145   An internal website via SSL VPN web portal failed to load an external resource.
624899   Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark.
624904   The company website is not shown properly in SSL VPN web mode.
625301   Riverbed SteelCentral AppResponse login form is not displaying in SSL VPN web mode.
628821   Internal aixws7test2 portal is not loading in SSL VPN web mode.
629190   After SSL VPN proxy, some JS files of hapi website could not work.
629373   SAML login button is lost on SSL VPN portal.
631130   Internal site http://va***.com not completely loading through SSL VPN web mode bookmark.
633812   The guacd daemon spawned for an RDP session sometimes enters an unknown state at 100% CPU and cannot be released.
634991   Internal server error 500 while accessing contolavdip portal in SSL VPN web mode.
635307   Map could not be displayed correctly in SSL VPN web mode.
636984   Website (pr***.com) not loading properly in SSL VPN web mode.
637018   After the upgrade to 6.0.10/6.2.4/6.4.0, SSL VPN portal mapping/remote authentication is matching user into the incorrect group.
638733   Internal website hosted in bookmark https://in***.cat is not loading completely in SSL VPN web mode.
648369   Some JS files of jira.***.vwg could not run in SSL VPN web mode.
649130   SSL VPN log entries display users from other VDOMs.
654534   SAML authentications occurring through SSL VPN web mode are not completing.

System

Bug ID   Description
503125   FG-100D traffic traversing port1-port16 only saturates CPU0.
567019   CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots.
576323   SFP+ 1G speed should be supported on FG-1100E, FG-1800F, FG-2200E, and FG-3300E series.
581496   FG-201E stops sending out packets and NP6lite is stuck.
594871   Potential memory leak triggered by FTP command in WAD.
604613   sentbyte of NTP on local traffic log shows as 0 bytes, even though NTP client receives the packet.
607357   High CPU usage issue caused by high depth expectation sessions in the same hash table slot.
607836   Failed to set ping-option source to Auto.
608442   After a reboot of the PPPoE server, the FortiGate (PPPoE clients, 35 clients) keeps flapping (connection down and up) for a long time before connecting successfully.
609660   NPU offloading enabled dropping traffic from IPsec VPN tunnel remote gateway.
611512   When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE.
612302   FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the fly.
612351   Many no session matched logs while managing FortiGate.
613017   ip6-extra-addr does not perform router advertisement after reboot in HA.
613136   Uninitialized variable that may potentially cause httpsd signal 6 and 11 crash issue.
615435   Crashes might happen due to CMDB query allocation failure that causes a segfault.
616022   Long delay and cmdbsvr at 100% CPU consumption when modifying address objects and address groups via GUI or REST API.
617134   Traffic not showing statistics for VLAN interfaces based on hardware switch.
617154   Fortinet_CA is missing in FG-3400E.
617409   The FG-800D HA LED is off when HA status is normal.
618762   Fails to detect transceiver on all SFP28/QSFP ports. Affected platforms: FG-3300E and FG-3301E.
620827   Over a period of time, FG-60E goes into memory conserve mode caused by resource leak of sepmd daemon.
623501   FG-80D may fail to boot due to a limitation in the size of the bootloader and kernel.
626371   Request to blocked signature with SSL mirrored traffic capture causes FG-500E to reboot.
632353   Virtual WAN link stops responding after 45 members.
632635   Frame size option in sniffer does not work.
632788   DSL module of FortiWiFi 60E-DSL shows as not ready after upgrade.
633102   DHCPv6 client's DUID generated on two different FortiGates match.
634600   FWF-60E-DSL ADSL2+ connection provided by BT in the UK does not work after upgrading from 6.0.9 to 6.2.4.
636069   Unable to handle kernel NULL pointer dereference at 000000000000008f.
637420   execute shutdown reboots instead of shutting down on SoC4 platforms.
638041   SFP28 port group (ha1, ha2, port1 and port2) missing 1000full speed option. Affected platforms: FG-220xE, FG-330xE, FG-340xE, and FG-360xE.
641419   FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).
643188   Interface forward-error-correction setting not honored after reboot.
647593   After reboot, forward-error-correction value is not maintained as it should be.
647718   VDOM with long name cannot be deleted.
648977   Sometimes when updating the FortiGate license, there is a certificate verification failure.

Upgrade

Bug ID   Description
615972   After upgrading from 6.2.2 to 6.2.3, the description field in the table has disappeared under DHCP reservation.
635589   Upon upgrading to FortiOS 6.2.4, DoS policies configured on interfaces may drop traffic that is passing through the DoS policy configuration. Note that this can occur if the DoS policy is configured in drop or monitor mode.
         Workaround: disable the DoS policy.
649948   Upon upgrading to an affected 6.2 or 6.4 firmware, IKE/IPsec SAs are not synced to the primary when HA uninterruptible-upgrade is enabled. As a result, IPsec traffic from a client may be detected as having an invalid SPI until the client starts a new negotiation.

User & Device

Bug ID   Description
591170   Sessions are removed from the session table when FSSO group order is changed.
604844   auth-concurrent setting in user group is not working as expected.
605838   Device identification scanner crashes on receipt of SSDP search.
620941   Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to push notification delay.
621161   src-vis crashes on receipt of certain ONVIF packets.
626532   fnbamd is not sending Calling-Station-Id in Access-Request for L2TP/IPsec since 5.4.0.
627144   Remote admin LDAP user login has authentication failure when the same LDAP user has local two-factor authentication.
629487   Older FortiGate models do not have CA2 and will cause EMS server authentication to fail.
637577   Inconsistent fnbamd LDAP group match result.
638593   Certificate verification fails if any CA in a peer-provided certificate chain expires, but its cross-signed certificate is still valid in the system trust store.

VM

Bug ID   Description
613730   Unable to update routing table for a resource group in a different subscription with FortiGate Azure SDN.
614038   vMotion causing sessions to be disconnected as it considers sessions stateless.
623376   Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under vdom-exception.
624657   Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces.
626705   By assigning port1 as the HA management port, the HA secondary unit node is now able to send system information to the Azure portal through waagent so that up-to-date information is displayed on the Azure dashboard.
         If port1 is not used as the HA management port, the Azure display and Azure Security Center alerts will not reflect the correct state of the node, which may result in unnecessary alarms.
634499   AWS FortiGate NIC gets swapped between port2 and port3 after FortiGate reboots.
641038   SSL VPN performance problem on OCI due to driver.

VoIP

Bug ID   Description
620742   RAS helper does not NAT the port 1720 in the callSignalAddress field of the RegistrationRequest packet sent from the endpoint.
630024   voipd crashes repeatedly.

Web Filter

Bug ID   Description
618153   FSSO users cannot proceed on web filter warning page in flow-based inspection.
636754   If the last line in a threat feed does not end with "\n", it is not parsed and is not displayed in the GUI.
657466   local urlfilter configuration in a flow mode web filter does not work when the matched FortiGuard category is also enabled in the web filter profile.

WiFi Controller

Bug ID   Description
625326   FortiAP not coming online on FG-PPPoE interface.
641811   In FG-100F/101F with PPPoE interface, the FortiGate could not manage FortiAP.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID   CVE references
606237   FortiOS 6.2.5 is no longer vulnerable to the following CVE Reference:
           • CVE-2020-6648
618238   FortiOS 6.2 running AV engine version 6.00145 or later is no longer vulnerable to the following CVE Reference:
           • CVE-2020-9295
634975   FortiOS 6.2.5 is no longer vulnerable to the following CVE Reference:
           • CVE-2020-12819

Resolved issues

The following issues have been fixed in version 6.2.5. For inquires about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID

Description

497024

Flow mode banned word spam filter log is missing the banned word.

Anti Virus

Bug ID

Description

582368

URL threat detection version shows a large negative number after FortiGate reboots.

615805

Device goes into conserve mode due to large files.

Application Control

Bug ID

Description

630075

After upgrading, FortiGate faced an internet access issue when IPS and AC profiles are enabled and the outgoing interface is an npu_vlink.

Data Leak Prevention

Bug ID

Description

582480

scanunit crashes with signal 11 in dlpscan_mailheader when AV scans files via IMAP.

Endpoint Control

Bug ID

Description

608301

EMS serial number format should be flexible.

Explicit Proxy

Bug ID

Description

591012

WAD crashed at wad_disclaimer_get with signal 11 when disclaimer is enabled in proxy policy and the browser is Chrome.

610298

Compare and sync the VSD change in V5.6 to WAD VS.

650540

FortiGate sends traffic to an incorrect port using a wrong source NAT IP address.

Firewall

Bug ID

Description

596633

In NGFW mode, IPS engine drops RPC data channel when IPS profile is applied to a security policy.

603263

Increase the maximum limit for the optional parameters in SCTP INIT packet. After the fix, the maximum limit is 10 instead of 4 parameters.

606962

Timeout value is not reflected correctly to a new session when changing timeout value for system session-ttl on FortiGate-HV.

610557

FortiGate VIP object offers weak elliptic curves since VS implementation in WAD for FortiOS 6.0 and above.

615073

FTP session helper does not work when there is reflected (auxiliary) session.

622045

Traffic not matched by security policy when using service groups in NGFW policy mode.

FortiView

Bug ID

Description

573138

When the data source is FortiGate Cloud, there is no paging to load sessions; only entries 1-499 are rendered.

GUI

Bug ID

Description

401862

Monitor page display incorrect virtual server entries for IPv6, VIP46, and VIP64; right-clicking gives an error.

493819

Reorder function on Authentication Rules page does not work.

513694

User cannot log in to GUI when password change is required and has pre-login or post-login banner enabled or FIPS mode.

564849

HA warning message remains after primary device takes back control.

594534

GUI shows Invalid LDAP server error while LDAP query successfully finished.

594702

When sorting the interface list by the Name column, the ports are not always in the correct order (port10 appears before port2).

601568

Interface status is not displayed on faceplate when viewing from the System > HA page.

604682

GUI takes two minutes to load VPN > IPsec Tunnels for 1483 tunnels.

605496

Configured overlapped subnet on GUI still shows error message after enabling subnet overlap.

614056

Disabling the Idle Logout toggle on the SSL-VPN Settings page does not change the idle timeout setting, so the change does not persist after clicking Apply.

615267

In Firefox, SAML SSO admin cannot create additional SSO admins or normal admins via the GUI.

616878

DHCP relay IP address not showing on Network > Interfaces page for VLAN interface.

620854

GUI should not add speed to virtual switch member port (FG-101F).

623109

IPS Filter Details column is empty when All is used.

624551

On POE devices, several sections of the GUI take over 15 seconds to fully load.

628373

Software switch members and their VLANs are not visible in the GUI interfaces list.

633937

GUI is not displaying DHCP configuration if the interface name includes the \ character.

638277

Firewall address group object (including interface subnet) is invisible in Accessible Networks.

639756

Monitor > SD-WAN Monitor keeps loading after disabling VPN member.

642402

LCP-1250RJ3SR-K transceiver shows a warning in the GUI even though it is certified.

644999

Fortinet-sold active direct attached cable (SP-CABLE-ADASFP+) is showing as not certified by Fortinet.

646327

Web filter profile dialog cannot load URL filter table if there are a lot of URL filters.

650800

Unable to delete multiple phase 2 selectors at the same time from the VPN IPsec tunnels dialog.

654339

GUI search does not work in the interface list if DHCP client and range columns are present.

HA

Bug ID

Description

621583

HA cannot display status in GUI when heartbeat cables reconnect.

623642

It takes up to 10 seconds to get NPU VDOM link up when rebooting primary unit.

627610

When HA primary device is down, a time synchronization with NTP servers will be disabled after failback.

631342

FG-100D HA A-P mode not syncing.

637843

HA secondary device is reporting multiple events (DDNS update failed).

638287

private-data-encryption causes cluster to be periodically out of sync due to customer certificates.

645293

traceroute not working in asymmetric FGSP environment.

656099

mgmt interfaces are excluded for heartbeat interfaces (even if dedicate-mgmt is not enabled).

Intrusion Prevention

Bug ID

Description

587363

IPS engine and IPS helper crash with signal 6 (aborted).

595062

SSL offloading randomly does not work when UTM (AV/IPS) is enabled on firewall policy.

631381

RDP NLA authentication blocked by FortiGate when enabling IPS profile in the security group (central NAT).

IPsec VPN

Bug ID

Description

584982

The customer is unable to log in to VPN with RADIUS intermittently.

606129

iked crash when proposal is AES-GCM.

607134

Upon reboot, failover or re-negotiation occurs with an active FEC enabled and tunnel traffic can no longer pass.

610390

IKEv2 EAP certificate authentication failings after upgrading from to 6.2.1 to 6.2.3.

610558

ADVPN cannot establish after primary ISP has recovered from failure and traffic between spokes is dropped.

631968

IKE daemon signal 6 crash when phase1 add-gw-route is enabled.

634883

IKE crashes at ike_hasync__xauth.

635325

Static route for site-to site VPN remains active even when the tunnel is down.

Log & Report

Bug ID

Description

605405

IPS logs are recorded twice with TCP offloading on virtual server.

608565

FortiGate sends incorrect long session logs to FortiGate Cloud.

612779

Reliable syslogd session goes into bad state due to traffic shaper.

616835

Logs from HA secondary unit cannot be uploaded to FortiCloud.

628358

Logs are not generated in GUI and CLI after checking the file system (after power cable disconnected).

635013

FortiOS gives wrong time stamp when querying FortiGate Cloud log view.

643840

vwlservice should log the SD-WAN rule and not an internet service; impacts FortiAnalyzer SD-WAN monitor widgets and reports.

Proxy

Bug ID

Description

586909

When CIFS profile is loaded, using MacOS to access Windows Share causes WAD to crash.

612333

In FortiGate with squid configuration (proxy chain), get ERR_SSL_PROTOCOL_ERROR when using Google Chrome with certificate/deep inspection.

615791

Abbreviated handshake randomly receives fatal illegal_parameter against zendesk.com services/sites.

617099

WAD crashes every few minutes.

623108

FTP-TP reaches high memory usage and triggers conserve mode.

631723

AV in proxy inspection mode blocks Cisco Webex traffic.

632085

When CIFS profile is loaded, using MacOS (Mojave 10.14) to access Windows 2016 SMB Share causes WAD to crash.

637389

The WAD process is crashing multiple times.

640427

Web proxy WAD crash under WAN Opt auto-active mode.

Routing

Bug ID

Description

602679

Prevent BGP daemon crashing when peer breaks TCP connection.

602826

BGP route is not added into kernel during ADVPN test.

608106

BGP daemon crashes when TCP connection is broken by peer.

611539

Editing/adding any address object that is referenced in policy is generating false positive SD-WAN alert messages.

613716

Local-out TCP traffic changes output interface when irrelevant interface is flapping that causes disconnections.

619343

Cannot ping old VRIPs when adding new VRIPs.

625345

The single BGP update message contains the same prefix in withdrawn routes and NLRI (advertised route).

627951

NTP and FSSO not following SD-WAN rules

628896

DHCP relay does not match the SD-WAN policy route.

629521

SD-WAN IPv6 default route cannot be redistributed into BGP using set default-originateroutemap6.

635716

FortiGuard web filter traffic also needs to follow SD-WAN service.

Security Fabric

Bug ID

Description

597139

Crash happens due to segfault in CSF.

609182

Security Fabric Settings page sometimes cannot load FortiSandbox URL threat detection version despite FortiSandbox being connected.

SSL VPN

Bug ID

Description

595505

FortiGate does not send client IP address as a framed IP address to RADIUS server in RADIUS accounting request message.

600029

Sending RADIUS accounting interim update messages with SSL VPN client framed IP are delayed.

604772

SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated.

606271

Double redirection through SSL web mode not working.

607687

RDP connection via SSL VPN web portal does not work with UserPrincipalName (UPN) and NLA security.

608464

Get 305 error when browsing website through SSL VPN web mode bookmark and sslvpnd crashes.

610579

Videos from live cameras via SSL VPN web mode not working.

617170

https://outlook.office365.com cannot be accessed in SSL VPN web portal.

620508

CLI command get vpn ssl monitor displays users from other VDOM.

622068

Adding FQDN routing address in split tunnel configuration injects single route in client for multiple A records.

622110

SSL VPN disconnected when importing or renaming CA certificates.

622871

SSL VPN web mode not displaying full customer webpage after logging in.

623076

Add memory protection for web mode SSL VPN child process (guacd).

623231

Pages could not be shown after logging in to back-end application server.

623379

Memory corrupt in some DNS callback cases causes SSL VPN crash.

624145

An internal website via SSL VPN web portal failed to load an external resource.

624899

Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark.

624904

The company website is not shown properly in SSL VPN web mode.

625301

Riverbed SteelCentral AppResponse login form is not displaying in SSL VPN web mode.

628821

Internal aixws7test2 portal is not loading in SSL VPN web mode.

629190

After SSL VPN proxy, some JS files of hapi website could not work.

629373

SAML login button is lost on SSL VPN portal.

631130

Internal site http://va***.com not completely loading through SSL VPN web mode bookmark.

633812

For guacd daemon generated for RDP session, it would sometimes be in an unknown state with 100% CPU and could not be released.

634991

Internal server error 500 while accessing contolavdip portal in SSL VPN web mode.

635307

Map could not be displayed correctly in SSL VPN web mode.

636984

Website (pr***.com) not loading properly in SSL VPN web mode.

637018

After the upgrade to 6.0.10/6.2.4/6.4.0, SSL VPN portal mapping/remote authentication is matching user into the incorrect group.

638733

Internal website hosted in bookmark https://in***.cat is not loading completely in SSL VPN web mode.

648369

Some JS files of jira.***.vwg could not run in SSL VPN web mode.

649130

SSL VPN log entries display users from other VDOMs.

654534

SAML authentications occurring through SSL VPN web mode are not completing.

System

Bug ID

Description

503125

FG-100D traffic traversing port1-port16 only saturates CPU0.

567019

CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots.

576323

SFP+ 1G speed should be supported on FG-1100E, FG-1800F, FG-2200E, and FG-3300E series.

581496

FG-201E stops sending out packets and NP6lite is stuck.

594871

Potential memory leak triggered by FTP command in WAD.

604613

sentbyte of NTP on local traffic log shows as 0 bytes, even though NTP client receives the packet.

607357

High CPU usage issue caused by high depth expectation sessions in the same hash table slot.

607836

Failed to set ping-option source to Auto.

608442

After a reboot of the PPPoE server, the FortiGate (PPPoE clients, 35 clients) keeps flapping (connection down and up) for a long time before connecting successfully.

609660

NPU offloading enabled dropping traffic from IPsec VPN tunnel remote gateway.

611512

When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE.

612302

FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the fly.

612351

Many "no session matched" logs while managing FortiGate.

613017

ip6-extra-addr does not perform router advertisement after reboot in HA.

613136

An uninitialized variable may cause httpsd to crash with signal 6 or 11.

615435

A failed CMDB query allocation may cause a segfault and crash.

616022

Long delay and cmdbsvr at 100% CPU consumption when modifying address objects and address groups via GUI or REST API.

617134

Traffic statistics are not shown for VLAN interfaces based on a hardware switch.

617154

Fortinet_CA is missing in FG-3400E.

617409

The FG-800D HA LED is off when HA status is normal.

618762

Transceivers are not detected on any SFP28/QSFP port. Affected platforms: FG-3300E and FG-3301E.

620827

Over time, FG-60E enters memory conserve mode because of a resource leak in the sepmd daemon.

623501

FG-80D may fail to boot due to a limitation in the size of the bootloader and kernel.

626371

A request that hits a blocked signature while SSL mirrored traffic capture is enabled causes FG-500E to reboot.

632353

Virtual WAN link stops responding after 45 members are added.

632635

Frame size option in sniffer does not work.

632788

DSL module of FortiWiFi 60E-DSL shows as not ready after upgrade.

633102

DHCPv6 client DUIDs generated on two different FortiGates are identical.
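DUID uniqueness matters because a DHCPv6 server keys leases and bindings on the client DUID, so two clients presenting the same DUID are treated as one client. The following is an added example, not FortiOS code (the release note does not say how FortiOS derives its DUID): it encodes and decodes the RFC 8415 DUID formats so that DUIDs captured from two devices can be decoded and compared field by field to see which input they share. The MAC addresses and timestamp are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# RFC 8415 section 11: DUID type codes, Ethernet hardware type, and the DUID-LLT epoch.
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def mac_bytes(mac):
    """'00:09:0f:aa:bb:cc' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw


def duid_llt(mac, when):
    """DUID-LLT: type | hw type | seconds since 2000-01-01 UTC (mod 2^32) | MAC."""
    secs = int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, secs) + mac_bytes(mac)


def duid_ll(mac):
    """DUID-LL: type | hw type | MAC (no time component)."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac_bytes(mac)


def duid_en(enterprise_number, identifier):
    """DUID-EN: type | IANA enterprise number | vendor-assigned identifier bytes."""
    return struct.pack("!HI", DUID_EN, enterprise_number) + identifier


def decode_duid(raw):
    """Split a DUID into named fields so two DUIDs can be compared input by input."""
    if len(raw) < 4:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", raw[:2])
    if dtype == DUID_LLT:
        hwtype, secs = struct.unpack("!HI", raw[2:8])
        return {"type": "LLT", "hwtype": hwtype,
                "time": DUID_EPOCH + timedelta(seconds=secs),
                "mac": raw[8:].hex(":")}
    if dtype == DUID_LL:
        (hwtype,) = struct.unpack("!H", raw[2:4])
        return {"type": "LL", "hwtype": hwtype, "mac": raw[4:].hex(":")}
    if dtype == DUID_EN:
        (enterprise,) = struct.unpack("!I", raw[2:6])
        return {"type": "EN", "enterprise": enterprise, "identifier": raw[6:].hex()}
    if dtype == DUID_UUID:
        return {"type": "UUID", "uuid": raw[2:18].hex()}
    raise ValueError(f"unknown DUID type {dtype}")


def shared_fields(duid_a, duid_b):
    """Names of the decoded fields two DUIDs have in common; all of them means a collision."""
    a, b = decode_duid(duid_a), decode_duid(duid_b)
    return sorted(k for k in a if k in b and a[k] == b[k])


# Constructed scenario: two devices first booted with the same clock value but different MACs.
EXAMPLE_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)
EXAMPLE_MAC_A = "00:09:0f:aa:bb:cc"
EXAMPLE_MAC_B = "00:09:0f:aa:bb:cd"


def demo():
    """Returns (identical?, fields the two DUIDs share) for the constructed scenario."""
    a = duid_llt(EXAMPLE_MAC_A, EXAMPLE_TIME)
    b = duid_llt(EXAMPLE_MAC_B, EXAMPLE_TIME)
    return a == b, shared_fields(a, b)
```

A DUID-LLT only differs between two devices in the MAC or the time field, so if a capture from two units decodes to the same MAC and time, the generator was fed the same inputs (for example a placeholder MAC or a fixed clock) rather than per-device ones.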

634600

FWF-60E-DSL ADSL2+ connection provided by BT in the UK does not work after upgrading from 6.0.9 to 6.2.4.

636069

Unable to handle kernel NULL pointer dereference at 000000000000008f.

637420

execute shutdown reboots instead of shutting down on SoC4 platforms.

638041

SFP28 port group (ha1, ha2, port1 and port2) missing 1000full speed option. Affected platforms: FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

641419

FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).

643188

Interface forward-error-correction setting not honored after reboot.

647593

After reboot, forward-error-correction value is not maintained as it should be.

647718

VDOM with long name cannot be deleted.

648977

Sometimes when updating the FortiGate license, there is a certificate verification failure.

Upgrade

Bug ID

Description

615972

After upgrading from 6.2.2 to 6.2.3, the description field in the table has disappeared under DHCP reservation.

635589

Upon upgrading to FortiOS 6.2.4, DoS policies configured on interfaces may drop traffic passing through them. This can occur whether the DoS policy is configured in drop or monitor mode.

Workaround: disable the DoS policy.

649948

Upon upgrading to an affected 6.2 or 6.4 firmware, IKE/IPsec SAs are not synced to the primary when HA uninterruptible-upgrade is enabled. As a result, IPsec traffic from a client may be detected as having an invalid SPI until the client starts a new negotiation.

User & Device

Bug ID

Description

591170

Sessions are removed from the session table when FSSO group order is changed.

604844

auth-concurrent setting in user group is not working as expected.

605838

Device identification scanner crashes on receipt of SSDP search.

620941

Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to push notification delay.

621161

src-vis crashes on receipt of certain ONVIF packets.

626532

fnbamd does not send Calling-Station-Id in the RADIUS Access-Request for L2TP/IPsec since 5.4.0.

627144

Remote admin LDAP user login has authentication failure when the same LDAP user has local two-factor authentication.

629487

Older FortiGate models do not have the CA2 certificate, which causes EMS server authentication to fail.

637577

Inconsistent fnbamd LDAP group match result.

638593

Certificate verification fails if any CA in a peer-provided certificate chain expires, but its cross-signed certificate is still valid in the system trust store.
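The failure in 638593 is a path-building problem: a verifier that only checks the chain in the order the peer presented it stops at the expired CA, while one that builds a path against the trust store can substitute the still-valid cross-signed certificate for the same CA key. The following added example (not FortiOS code) models that difference in Python with a constructed PKI. Certificates are plain records and a signature is modelled as a reference to the signing key identifier, so no real signature is verified; names, key ids and dates are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal model of an X.509 certificate; signer_key_id stands in for the signature."""
    subject: str
    issuer: str
    key_id: str         # identifier of the subject's public key
    signer_key_id: str  # key that produced the signature (model only, nothing is verified)
    not_after: datetime

    def valid_at(self, when):
        return when <= self.not_after

    def is_signed_by(self, ca):
        # Name chaining plus the modelled signature check (key identifier match).
        return self.issuer == ca.subject and self.signer_key_id == ca.key_id


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed PKI: an old root that has expired, a current root, and one intermediate key
# that holds two certificates, one from each root (the cross-signed pair).
ROOT_A = Cert("Root A", "Root A", "kA", "kA", utc(2020, 5, 30))
ROOT_B = Cert("Root B", "Root B", "kB", "kB", utc(2038, 1, 1))
INTER_OLD = Cert("Intermediate", "Root A", "kI", "kA", utc(2020, 5, 30))    # expired with Root A
INTER_CROSS = Cert("Intermediate", "Root B", "kI", "kB", utc(2030, 1, 1))   # same key, signed by Root B
LEAF = Cert("vpn.example.test", "Intermediate", "kL", "kI", utc(2021, 1, 1))

PEER_CHAIN = [LEAF, INTER_OLD, ROOT_A]   # what the peer sends in the handshake
TRUST_ANCHORS = [ROOT_B, ROOT_A]         # roots in the system trust store
STORE_INTERMEDIATES = [INTER_CROSS]      # cross-signed CA certificate kept in the store
NOW = utc(2020, 6, 15)


def verify_as_presented(chain, anchors, now):
    """Walk the chain exactly as presented; the first expired link fails the whole chain."""
    for i, cert in enumerate(chain):
        if not cert.valid_at(now):
            return False, f"{cert.subject} expired {cert.not_after.date()}"
        if any(cert.is_signed_by(a) and a.valid_at(now) for a in anchors):
            return True, f"anchored at {cert.issuer}"
        if i + 1 >= len(chain) or not cert.is_signed_by(chain[i + 1]):
            return False, f"no issuer for {cert.subject}"
    return False, "chain does not reach a trust anchor"


def build_path(cert, candidates, anchors, now, path=()):
    """Depth-first path building: try every issuer candidate, skip expired ones, keep searching."""
    if not cert.valid_at(now):
        return None
    path = path + (cert,)
    for anchor in anchors:
        if cert.is_signed_by(anchor) and anchor.valid_at(now):
            return path + (anchor,)
    for cand in candidates:
        if cand in path or not cert.is_signed_by(cand):
            continue
        found = build_path(cand, candidates, anchors, now, path)
        if found:
            return found
    return None


def path_subjects(leaf, peer_chain, store_intermediates, anchors, now):
    """Subjects of the first valid path found, or None; peer CAs and store CAs are all candidates."""
    candidates = list(peer_chain[1:]) + list(store_intermediates)
    path = build_path(leaf, candidates, anchors, now)
    return [c.subject for c in path] if path else None
```

With the constructed data, verify_as_presented rejects the peer chain at the expired Intermediate, while build_path discards that certificate, picks up the cross-signed Intermediate from the store and anchors at Root B. Removing the cross-signed certificate from the store makes path building fail as well, which is the expected outcome once no valid path exists.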

VM

Bug ID

Description

613730

Unable to update routing table for a resource group in a different subscription with FortiGate Azure SDN.

614038

vMotion causes sessions to be disconnected because it treats sessions as stateless.

623376

Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under vdom-exception.

624657

Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces.

626705

By assigning port1 as the HA management port, the HA secondary unit node is now able to send system information to the Azure portal through waagent so that up-to-date information is displayed on the Azure dashboard.

If port1 is not used as the HA management port, the Azure display and Azure Security Center alerts will not reflect the correct state of the node, which may result in unnecessary alarms.

634499

AWS FortiGate NIC gets swapped between port2 and port3 after FortiGate reboots.

641038

SSL VPN performance problem on OCI due to driver.

VoIP

Bug ID

Description

620742

The RAS helper does not NAT port 1720 in the callSignalAddress field of the RegistrationRequest packet sent from the endpoint.

630024

voipd crashes repeatedly.

Web Filter

Bug ID

Description

618153

FSSO users cannot proceed on web filter warning page in flow-based inspection.

636754

If the last line in a threat feed does not end with "\n", it is not parsed and is not displayed in the GUI.
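Bug 636754 is the classic edge case of a line-oriented reader that only emits a record when it sees the terminating "\n": a feed whose final entry has no trailing newline loses that entry silently, which for a blocklist means one indicator is never enforced. The following added example (not FortiOS code) shows a chunked reader with that defect next to the same reader flushing its buffer at end of input. The feed content is constructed, and the entry validation is a simplified stand-in for whatever a real product applies.

```python
import re

# Constructed feed: comments and blank lines are allowed; the last entry has no trailing "\n".
SAMPLE_FEED = (
    b"# constructed blocklist\n"
    b"evil.example\n"
    b"\n"
    b"BAD.example\r\n"
    b"203.0.113.7\n"
    b"last.example"
)

# Stand-in validation: a dotted hostname or an IPv4 address, nothing else.
ENTRY_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$|^(?:\d{1,3}\.){3}\d{1,3}$")


def normalize(line):
    """Return the entry on this line, or None if it is blank, a comment or malformed."""
    text = line.decode("ascii", errors="replace").strip().lower()
    if not text or text.startswith("#"):
        return None
    return text if ENTRY_RE.match(text) else None


def chunks(data, size):
    """Simulate a download arriving in small reads, as from a socket."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def parse_feed(data, chunk_size=7, flush_at_eof=True):
    """Line-oriented parser over chunked input.

    flush_at_eof=False reproduces the defect: an entry is emitted only when its "\n" has
    arrived, so a final line without one is left in the buffer and dropped.
    """
    entries, buf = [], b""

    def emit(line):
        entry = normalize(line)
        if entry:
            entries.append(entry)

    for piece in chunks(data, chunk_size):
        buf += piece
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            emit(line)
    if flush_at_eof:
        emit(buf)  # end of input terminates the last line
    return entries


def dropped_entries(data):
    """Entries the defective reader loses compared with the corrected one."""
    return [e for e in parse_feed(data) if e not in parse_feed(data, flush_at_eof=False)]
```

The same check applies to any indicator source you maintain yourself: compare the number of entries the device reports against the number of non-comment lines in the file, and treat a difference of one as this edge case before looking for anything more exotic.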

657466

Local urlfilter configuration in a flow mode web filter does not work when the matched FortiGuard category is also enabled in the web filter profile.

WiFi Controller

Bug ID

Description

625326

FortiAP does not come online on a FortiGate PPPoE interface.

641811

On FG-100F/101F with a PPPoE interface, the FortiGate cannot manage FortiAP.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

606237

FortiOS 6.2.5 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-6648

618238

FortiOS 6.2 running AV engine version 6.00145 or later is no longer vulnerable to the following CVE Reference:

  • CVE-2020-9295

634975

FortiOS 6.2.5 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-12819