Fortinet Document Library

Known issues

The following issues have been identified in version 6.2.6. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

DNS Filter

Bug ID

Description

582374

License shows expiry date of 0000-00-00.

Explicit Proxy

Bug ID

Description

540091

Cannot access explicit FTP proxy via VIP.

Firewall

Bug ID

Description

651321

sflowd is crashing due to invalid custom application category.

FortiView

Bug ID

Description

635309

When choosing to view Compromised Hosts, FortiGate returns an error 500 when FQDN is set in config log fortianalyzer setting.

673225

The FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

GUI

Bug ID

Description

354464

AntiVirus archive logging enabled from the CLI will be disabled by editing the AntiVirus profile in the GUI, even if no changes are made.

514632

Inconsistent reference count when using ports in HA session-sync-dev.

529094

When creating an anti-spam block/allowlist entry, Mark as Reject should be grayed out.

535099

The SSID dialog page does not have support for the new MAC address filter.

541042

Log viewer forwarded traffic does not support multiple filters for one field.

584915

OK button missing from many pages when viewed in Chrome on an Android device.

584939

VPN event logs show incorrectly when adding two Action filters and one of them contains "-".

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

621254

When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error.

656429

Intermittent GUI process crash if a managed FortiSwitch returns a reset status.

662640

Some GUI pages (dashboard, topology, policy list, interface list) are slow to load on low-end platforms when there are many concurrent HTTPSD requests.

664007

GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

688994

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

689605

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

691277

When logs are retrieved from FortiAnalyzer, the GUI displays the same traffic logs for primary and secondary HA devices.

HA

Bug ID

Description

616345

Secondary device failed to sync with primary device when FGSP is peer configured, but hasync fails to bind socket.

678309

Cluster is out of sync because of config vpn certificate ca after upgrade.

700271

On non-hyperscale license systems, the secondary FortiGate responds to ARP queries. Affected platforms: all NP7 platforms 180XF/260XF/420XF/440XF that were released on 6.2.6.

Intrusion Prevention

Bug ID

Description

565747

IPS engine 5.00027 has signal 11 crash.

586544

IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668

IPS engine 5.00035 has signal 11 crash.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

657541

On FG-80D, the IPS engine daemon count drops to 0 when the CPU number is 4.

668631

IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates.

Workaround: disable CP or disable the extended database.

config ips global
    set database regular
    set cp-accel-mode none
end

689590

IP quarantine is not working on FG-80D.

IPsec VPN

Bug ID

Description

610203

When an offloaded IPsec SA uses NP6 reserved space, it gets stuck and packets on the tunnel start to drop.

644780

Rectify the consequences if password renewal on FortiClient is canceled.

645196

Static routes added by iked in non-root VDOM are not removed when tunnel interface status is set to down by configuration change.

655895

Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).

663126

Packets for the existing session are still forwarded via the old tunnel after the routing changed on the ADVPN hub.

668554

Upon upgrading to FortiOS 6.2.6, a device with IPsec configured may experience IKE process crashes when any configuration change is made or an address change occurs on a dynamic interface.

Log & Report

Bug ID

Description

606533

User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI.

651581

FortiGate tried to connect to FortiGate Cloud with the primary IP after reboot, although the secondary IP is the source in the FortiGuard log.

REST API

Bug ID

Description

584631

REST API admin with token unable to configure HA setting (via login session works).

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

654032

SD-WAN IPv6 route tag command is not available in the SD-WAN services.

661769

SD-WAN rule disappears when an SD-WAN member experiences a dynamic change, such as during a dynamic PPPoE interface update.

668982

Possible memory leak when BGP table version increases.

670017

FortiGate as first hop router sometimes does not send register messages to the RP.

672061

In IPsec topology with hub and ~1000 spokes, hundreds of spoke tunnels are flapping, causing BGP instability for other spokes.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

649556

FortiNAC requests to FortiGate can time out on low-end models when there are many concurrent requests.

669436

Filter lookup for Azure connector in Subnet and Virtual Network sections only shows results for VMSS instance.

SSL VPN

Bug ID

Description

505986

On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.

666194

WALLIX Manager GUI interface is not loading through SSL VPN web mode.

667780

Policy check cache should include user or group information.

669685

Split tunneling is not adding FQDN addresses to the routes.

669707

The jstor.org webpage is not loading via SSL VPN bookmark.

670803

Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode.

Switch Controller

Bug ID

Description

588584

GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.

605864

If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting.

671135

flcfg crashes while configuring FortiSwitches through FortiLink.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

578031

FortiManager Cloud cannot be removed once the FortiGate has trouble on contract.

600032

SNMP does not provide routing table for non-management VDOM.

607565

Interface emac-vlan feature does not work on SoC4 platform.

635308

factoryreset2 does not preserve all interfaces.

637014

FortiGate in LENC mode unable to pass firmware signature verification and shows as uncertified after GUI upgrade.

657629

ARM-based platforms do not have sensor readings included in SNMP MIBs.

660709

The sflowd process has high CPU usage when application control is enabled.

663083

Offloaded traffic from IPsec crossing the NPU VDOM link is dropped.

666205

High CPU on L2TP process caused by loop.

669951

confsyncd may crash when there is an error parsing through the internet service database, but no error is returned.

676697

When a VRF is used on SoC4 platforms, nTurbo traffic is wrongly categorized as GTPU.

694202

stpforward does not work with LAG interfaces on a transparent VDOM.

695803

Unable to reorder firewall DoS policy in GUI or CLI.

Upgrade

Bug ID

Description

658664

FortiExtender status becomes discovered after upgrading from 6.0.10 (build 0365).

Workaround: change the admin from discovered to enable after upgrading.

config extender-controller extender
    edit <id>
        set admin enable
    next
end

User & Device

Bug ID

Description

595583

Device identification via LLDP on an aggregate interface does not work.

667689

Cannot select remote certificate imported from CLI for SAML IdP.

682711

TACACS users cannot log in via the console.

VM

Bug ID

Description

587757

FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type.

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

605511

FG-VM-GCP reboots a couple of times due to kernel panic.

608881

IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

620654

Spoke dialup IPsec VPN does not initiate connection to hub after FG-VM HA failover in Azure.

640436

FortiGate AWS bootstrapped from configuration does not read SAML settings.

682420

Dialup IPsec tunnel from Azure may not be re-established after HA failover.

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

WiFi Controller

Bug ID

Description

609549

In the CLI, the WTP profile for radio-2 802.11ac and 80 MHz channels does not match the syntax collection files.

680503

The current Fortinet_Wifi certificate will expire on 2021-02-11.
