FortiGate-6000 and FortiGate-7000 Release Notes

Resolved issues

The following issues have been fixed in FortiGate-6000 and FortiGate-7000 FortiOS 6.2.6 Build 1158. For inquiries about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 6.2.6 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.2.6 Build 1158.

Bug ID

Description

501057

Resolved an issue that caused incorrect IPsec routes to be added to the DP processor routing table.

514807

IPsec no longer creates routes with proto=17.

527035

Resolved an issue that prevented ADVPN shortcut tunnels from being established.

528800

IPsec routes are no longer duplicated in the DP processor routing database.

578845

Resolved an issue that caused some dial-up IPsec tunnels to be processed on FPCs or FPMs that are not the primary FPC or FPM when IPsec load balancing is disabled.

586808

From the CLI, mgmt-vdom VDOM is no longer included in the count of the number of VDOMs.

590047

PPPoE connection status is no longer reported incorrectly on the management board or primary FIM GUI.

600595

Resolved an issue that prevented IPsec routes in the FIB from updating on all FPCs or FPMs after an interface change.

605770

Resolved an issue that prevented stale IPsec routes from being removed automatically.

607206 612622

Because the FortiGate-6000 and 7000 do not support usage-based ECMP load balancing, the usage-based option has been removed from the following command:

config system settings

set v4-ecmp-mode {source-ip-based | weight-based | source-dest-ip-based}

end

613306

Resolved an issue that caused the Radvd process to use 99% CPU when handling a large number of LDAP users.

613617

The source-ip setting when configuring FortiGuard and FortiSandbox and other services has been removed for FortiGate-6000 and 7000 platforms.

642920

All supported transceivers display correctly on network interface GUI pages.

643032

Resolved an issue that prevented the secondary FortiGate-6000 or 7000 in an HA configuration from connecting to FortiSandbox.

644278

Resolved an issue that prevented FQDN firewall addresses that include wildcard characters from being synchronized to all FPMs or FPCs.

646660

To make sure that ICMP echo requests and reply packets always go to the same FPC or FPM, the FortiGate-6000 and 7000 now always send DP ICMP packets to the DP processor, regardless of the dp-load-distribution setting.

647259

Resolved an issue that caused the Load Balance Monitor GUI page to stop responding.

648248

Local-out communication over an IPsec tunnel now works as expected.

650894

Resolved an issue that caused FortiManager to incorrectly report an IPsec tunnel being down even though the tunnel is up and passing traffic.

652777

Resolved an HA issue that caused some sessions on the primary FortiGate-6000 or 7000 to incorrectly have both "synced" & "nosyn_ses" states.

658405

The IPv4 Policy page now displays correct hit count numbers for each firewall policy.

662552

Resolved an issue with IPsec tunnels in an IPsec aggregate not installing routes.

663706

Resolved an issue that caused data heartbeat timeouts and delays resulting in interface flapping during a FortiGuard update.

671046

The Security Fabric and Configuration Sync Monitor pop-ups that display the status of the FortiGate-6000 management board and FPCs and the FortiGate-7000 FIMs and FPMs now display the correct management port if the system HTTPS management port has been changed.

671530

Resolved an issue that prevented data interface MAC address changes from being synchronized to all FPCs or FPMs.

672641

Resolved an issue that caused EMAC-VLAN interfaces to block some traffic types.

677816

Added support for the Security Fabric when operating an HA cluster in transparent mode. Because transparent mode was not supported, FPCs and FPMs on the secondary FortiGate-6000 or 7000 in an HA cluster were not able to synchronize.

681877

Resolved an issue that caused API calls to incorrectly report an IPsec tunnel being down even though the tunnel is up and passing traffic.

685592

Resolved an issue that limited firewall throughput over NPU VDOM inter-VDOM link interfaces.

688736

Resolved an issue that prevented recording some traffic logs for DLP sessions.

689085

Resolved an issue that caused IPsec negotiations to fail on phase 2 if the negotiation was in progress during a FortiGate-7000 primary FIM failover.

689444

Resolved an issue that caused SNMP queries of FortiGate-6000 or 7000 systems to appear to fail randomly.

690010

Optimized FPM-7630E performance by increasing the number of IPS engines allowed.

690733

Resolved an issue that caused IPsec SA rekeying to send the new key to the wrong FPC or FPM.

691702 693013

Resolved an issue that caused the cmdbsvr process to crash and reduce throughput.

692687

Resolved an issue that removed firewall users from the user database after a graceful HA firmware upgrade.

693209

Resolved an issue that caused the miglogd processes to use up to 99% of CPU resources after a configuration change to a FortiGate-6000 or 7000 with a large number of firewall policies.

693784

The diagnose load-balance info smm-led command now works as expected.

695265

Resolved an issue that caused the confsynccmdd process to crash on all FPCs or FPMs after entering the diagnose sys cmdb-profile top10 total command on the primary FIM or management board.

695334

Resolved an issue that prevented FIM data interfaces in LAGs from negotiating with connected network equipment.

696465

Configuring a FortiAnalyzer is no longer required if your FortiGate-6000 or 7000 is not the root FortiGate in a security fabric.

696711

Resolved an issue that could prevent FPMs in chassis 2 from joining an FGCP cluster after resetting chassis 2 to factory defaults and then re-configuring it for HA and rejoining the cluster.

696797

Resolved an issue that caused FortiGate-6000F interfaces port25 to port28 to appear to have a maximum speed of 10G instead of the correct 100G.

696985

Resolved an issue that caused FTP data session pinholes to remain active after their data connection is closed.

697492

IPsec Dead Peer Detection (DPD) now works as expected on FortiGate-6000 and 7000 platforms.

698635

Resolved an issue with the get system status command displaying incorrect information about the primary FPC or FPM from the secondary chassis CLI.

698979

The command diagnose sys confsync cached-csum now includes a global option that shows global checksums.

699824

Resolved an issue that caused VRRP packets received by a FortiGate-7121F FPM data interface to cause a layer 2 loop, leading to traffic loss.

700426

Resolved an issue with UDP pinholes.

700582

Resolved an issue that incorrectly caused the status of an IPsec interface to appear as down on the GUI even though the interface is actually up and passing traffic.

0702483

To support IPsec VPN load balancing, DHCP SAs are now synchronized to all FPCs or FPMs.

703185

Resolved an issue that prevented the FortiGate-6000 or 7000 from synchronizing the deletion of an API user, created with the config system api-user command. When an API user is deleted from the management board or primary FIM, the user is also deleted from the FPCs and FPMs.

0704642

Resolved an issue that caused FPMs to be removed from the SLBC cluster during a syn-ack flood attack.

705495

Resolved an issue that resulted in the source NAT with IP pools assigning different public addresses to the same user if some of the user's sessions are handled by different FPCs or FPMs.

706119

Resolved an issue that caused the confsyncd process to fail on individual FPCs or FPMs after a configuration change.

709919 703578

Multiple fixes to improve support for BGP over IPsec tunnels.
