Resolved issues
The following issues have been fixed in version 6.2.6. For inquiries about a particular bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description |
---|---|
560044 | Secondary device blades occasionally report critical log event |
Data Leak Prevention
Bug ID | Description |
---|---|
616918 | DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS. |
DNS Filter
Bug ID | Description |
---|---|
649985 | Random SDNS rating timeout events on 6K/7K SLBC with FGSP. |
Endpoint Control
Bug ID | Description |
---|---|
637454 | Cloud-based EMS FSSO connector in FortiGate failed to connect with FortiClient EMS proxy in public cloud. |
Explicit Proxy
Bug ID | Description |
---|---|
599637 | Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is enabled in proxy policy. |
617934 | FortiGate web proxy should support forward server on TLS 1.3 certificate inspection connection. |
630434 | WAD crashed at wad_ssl_port_p2s_supported_versions with signal 11. |
634515 | HTTP 1.1 host header is lost in FortiGuard web proxy requests. |
644121 | Explicit proxy error 504, DNS fails for a specific domain. |
Firewall
Bug ID | Description |
---|---|
586764 | Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making a change to a large policy list (10 000+ policies). |
586995 | Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary. |
595949 | Any change to the security policy table causes the hit count to reset. |
628841 | Internet service entry not detected due to some IP ranges being duplicated. |
633856 | Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used. |
644225 | Challenge ACK is being dropped. |
644638 | Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor. |
644865 | Query string parameters omitted (HTTP redirect, SSL offloading). |
647410 | |
648951 | External threat feed entry |
653828 | When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds. |
660461 | Configuration changes take a long time, and ipsmonitor and cmdbsvr processes go up to 100% of CPU. |
FortiView
Bug ID | Description |
---|---|
643198 | Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data. |
660753 | In FortiView Sources dashboard, after filtering by subnet, drilling down will always show the first entry. |
GUI
Bug ID | Description |
---|---|
598222 | After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware. |
612236 | RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI. |
638752 | FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface. |
650307 | GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list. |
651711 | Unable to select an address group when configuring Source IP Pools for an SSL VPN portal. |
653726 | Filtering log results with a regular expression incorrectly yields no results. |
660165 | When creating SD-WAN rules in the GUI, the destination interface preference is not saved when the strategy is manual. |
663351 | Connectivity test for RADIUS server using CHAP authentication always returns failure. |
666545 | After upgrading to 6.2.5, log queries from HA cluster to FortiAnalyzer may take a long time and not return any results. |
HA
Bug ID | Description |
---|---|
615001 | LAG does not come up after link failed signal is triggered. |
626715 | Out-of-sync issue caused by a firewall address group member that is either duplicated or out of order. |
630070 | HA is failing over due to cmdbsvr crashes. |
634604 | SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C. |
637711 | CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary units. |
639307 | Both primary and secondary consoles keep printing |
640428 | SSL VPN related auth login user event logs do not require HA to be in sync. |
643958 | Inconsistent data from FFDB caused several confsyncd crashes. |
647679 | Inconsistent values for HA cluster inside the SNMP. |
648073 | HA cluster uses physical port MAC address at the time of HA failover. |
651674 | Long sessions lost on new primary after HA failover. |
654341 | The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one VDOM. |
Intrusion Prevention
Bug ID | Description |
---|---|
655371 | Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode. |
IPsec VPN
Bug ID | Description |
---|---|
592361 | Cannot pass traffic over ADVPN if: |
611451 | ADVPN spoke one behind NAT shortcut cannot connect to another spoke that is not behind NAT. |
639806 | User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject. |
646012 | DHCP over IPsec randomly works when |
647285 | After HA failover, not all tunnels come up; unknown SPI. |
655739 | |
659535 | Setting same |
Log & Report
Bug ID | Description |
---|---|
555161 | Application miglogd crashes when numerous DLP logs are generated, where DLP archive files use up system inodes. |
583499 | Improve local log search logic from aggressive to passive mode to save resources and CPU. |
634947 | rlogd signal 11 crashes. |
641450 | The miglogd process is bound to busy CPUs, even though there are other completely idle CPUs available. |
647741 | On FG-60F, logging and FortiCloud reporting incorrect IPv6 bandwidth usage for sessions with NPU offload. |
650325 | The miglogd process crashes with signal 11 (segmentation fault). |
Proxy
Bug ID | Description |
---|---|
550350 | Should not be able to set |
578850 | Application WAD crashes several times due to signal alarm. |
582475 | WAD is crashing with signal 6 in |
608387 | WAD virtual server with HTTP multiplexing enabled causes crash after server is detached because the HTTP server object is detached from the HTTP session. |
617322 | DLP FTP proxy with splice option sends delete command to server before data transfer completes. |
619707 | WAD memory leak with explicit proxy and more than 30 users. |
621787 | On some smaller models, WAD watchdog times out when there is a lot of SSL traffic. |
629504 | SSH status in SSL profile changes to |
638039 | Delete validation is not working for Protecting SSL Server profile. |
647923 | WAD has multiple signal 11 crashes at |
648831 | WAD memory leak caused by Kerberos proxy authentication. |
653099 | Wildcard URL filter in proxy mode with |
656830 | FortiGate should be in SSL bypass mode for TLS 1.2 certificate inspection with client certificate request. |
658654 | Cannot access the specific website using proxy-based UTM with certificate inspection. |
666522 | Proxy mode is blocking web browsing for some websites due to certificate inspection. |
666686 | Websites loading slowly with web filter applied in proxy mode. |
Routing
Bug ID | Description |
---|---|
624621 | Log traffic to remote servers does not follow SD-WAN rules. |
627901 | |
632285 | Health check SLA status log shows configured bandwidth value instead of used bandwidth value. |
641022 | Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP changes. |
641050 | Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route. |
646418 | SD-WAN information available in session list is confusing. |
654482 | SD-WAN route tag is removed with multiple BGP paths in place. |
662845 | HA secondary also sends SD-WAN |
666829 | The bfdd process crashes. |
Security Fabric
Bug ID | Description |
---|---|
619696 | Automation stitch traffic is sent via |
629723 | SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions. |
SSL VPN
Bug ID | Description |
---|---|
548599 | SSL VPN crashes on parsing some special URLs. |
573853 | TX packet drops on SSL root interface. |
611498 | SMB/CIFS traffic via SSL VPN web mode not using correct SNAT IP (IP pool). |
620793 | A page inside a bookmark not opening in SSL VPN web mode. |
624288 | After SSL VPN proxy, one JS file of http://www.cm***-rm***.ca runs with an error. |
627456 | Traffic cannot pass when SAML user logs in to SSL VPN portal with group match. |
630432 | Slides on https://re***.nz website are displayed in SSL VPN web mode. |
631082 | FortiManager tabs/page do not load when accessed via SSL VPN web mode. |
634210 | SSL VPN daemon crash due to |
635814 | FortiGate GUI cannot be rendered and displayed via SSL VPN portal. |
636332 | With SSL VPN proxy JIRA web application, get one wrong URL without proxy path. |
639431 | Three of the internal applications/portal bookmarks do not load/partially work with SSL VPN web mode. |
641379 | Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal. |
643749 | SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password. |
644506 | Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password. |
645368 | FortiClient randomly fails to connect to SSL VPN tunnel mode stuck at 98% with two-factor authentication token. |
648192 | DTLS tunnel performance improvements by allowing multiple packets to be read from the kernel driver, and redistributing the UDP packets to several worker processes in the kernel. |
648433 | Internal website loading issue in SSL VPN web portal. |
649130 | SSL VPN log entries display users from other VDOMs. |
652880 | SSL VPN crashes around the same time that LDAP connection errors are logged. |
657689 | The system allows enabling split tunnel when the SSL VPN policy is configured with destination |
662042 | The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal. |
663532 | Get |
665879 | When SSL VPN processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML. |
Switch Controller
Bug ID | Description |
---|---|
649913 | HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager. |
652745 | Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber. |
System
Bug ID | Description |
---|---|
574716 | The ospfNbrState OID takes too long to update. |
582536 | Link monitor behavior is different between FGCP and SLBC clusters. |
583472 | When system is in an extremely high memory usage state (~90%), a power supply status |
585882 | Error in log, |
594264 | NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will timeout at session TTL expiry. |
594931 | FG-60F/61F memory usage causes conserve mode by enabling/disabling UTM. |
597893 | FortiExtender interface admin status changes cannot be detected by FortiManager because the FortiGate checksum does not change. |
598464 | Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side. |
598928 | FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN. |
602643 | Interface gets removed from SD-WAN after rebooting when the interface is defined in both SD-WAN and zone. |
605723 | FG-600E stops sending out packets on its SFP and copper port on NP6. |
606360 | HQIP loopback test failed with configured software switch. |
607754 | FortiGuard push update is not working properly from override (FortiManager) |
609112 | IPv6 push update fails. |
609783 | SNMP failed to retrieve HA cluster secondary information from secondary serial number in TP mode. |
619023 | Proxy ARP configuration not loaded after interface shut/not shut. |
627269 | Wildcard FQDN not resolved on the secondary unit. |
628642 | Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled. |
630146 | FG-100F memory configuration check. |
630861 | Support FortiManager when |
631296 | Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency. |
631689 | FG-100F cannot forward fragmented packets between hardware switch ports. |
633298 | 10G ports x1/x2 cannot be set as interfaces in firewall |
633827 | Errors during fuzzy tests on FG-1500D. |
634929 | NP6 SSE drops after a couple of hours in a stability test. |
636999 | LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models. |
637983 | FG-100F memory configuration check fails because of wrong threshold. |
641419 | FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632). |
642327 | FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port. |
643188 | Interface |
644380 | FG-40F/60F kernel panic: |
644427 | Interface |
645363 | SNMP monitoring does not provide the SD-WAN member interface name. |
645848 | FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection. |
647151 | Unable to configure aggregate interface type on FG-30E-3G4G. |
647593 | After reboot, |
647777 | FortiGate not responding to DHCP relay requests from clients behind a DHCP relay. |
654159 | NP6Xlite traffic not sent over the tunnel when NPU is enabled. |
658933 | Under some circumstances, it was possible for Update D to create zombie processes. |
661503 | Existing ffdb_map_res package was not automatically removed after upgrading on small storage FortiGates, even though their creation was removed in 6.2.4. |
662681 | Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes. |
662989 | FG-40F/41F aggregate interface gets removed after upgrading to 6.2.5 from 6.2.4 firmware version. |
665000 | HA LED off issue on FG-1100E/1101E models in 6.0.x. |
666030 | Empty firewall objects after pushing several policy deletes. |
670838 | It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%. |
Upgrade
Bug ID | Description |
---|---|
656869 | FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0. Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration. |
662452 | SSH status in |
User & Device
Bug ID | Description |
---|---|
546794 | De-authentication of RSSO user does not clear the login from the motherboard. |
580155 | fnbamd crash. |
591461 | FortiGate does not send user IP to TACACS server during authentication. |
620097 | Persistent sessions for de-authenticated users. |
659456 | REST API authentication fails for API user with PKI group enabled due to fnbamd crash. |
663399 | |
VM
Bug ID | Description |
---|---|
587180 | FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host. |
603100 | Autoscale not syncing certificate among the cluster members. |
606527 | GUI and CLI interface dropdown lists are inconsistent. |
634245 | Dynamic address objects are not resolved to all addresses using Azure SDN connector. |
652416 | AWS Fabric connector always uses root VDOM even though it is not a management VDOM. |
659333 | Slow route change for HA failover in GCP cloud. |
663276 | After cloning the OCI instance, the OCID does not refresh to the new OCID. |
668131 | EIP is not updating properly on FG-VM Azure. |
670166 | FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5 to 6.4.2. |
Web Filter
Bug ID | Description |
---|---|
587018 | Add URL flow filter counters to SNMP. |
610553 | User browser gets URL block page instead of warning page when using HTTPS IP URL. |
620803 | Group name missing on web filter warning page in proxy-based inspection. |
629005 | foauthd has signal 11 crashes when FortiGate authenticates a web filter category. |
659372 | Inconsistent behavior between external list and FortiGuard categories/local override. |
WiFi Controller
Bug ID | Description |
---|---|
618456 | High cw_acd usage upon polling a large number of wireless clients with REST API. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
633089 | FortiOS 6.2.6 is no longer vulnerable to the following CVE Reference: |