Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Resolved issues

The following issues have been fixed in version 6.2.6. For inquires about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

560044

Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.

Data Leak Prevention

Bug ID

Description

616918

DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS.

DNS Filter

Bug ID

Description

649985

Random SDNS rating timeout events on 6K/7K SLBC with FGSP.

Endpoint Control

Bug ID

Description

637454

Cloud-based EMS FSSO connector in FortiGate failed to connected with FortiClient EMS proxy in public cloud.

Explicit Proxy

Bug ID

Description

599637

Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is enabled in proxy policy.

617934

FortiGate web proxy should support forward server on TLS 1.3 certificate inspection connection.

630434

WAD crashed at wad_ssl_port_p2s_supported_versions with signal 11.

634515

HTTP 1.1 host header is lost in FortiGuard web proxy requests.

644121

Explicit proxy error 504, DNS fails for a specific domain.

Firewall

Bug ID

Description

586764

Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making change to large policy list (10 000+ policies).

586995

Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary.

595949

Any changes to the security policy table causes the hit count to reset.

628841

Internet service entry not detected due to some IP ranges being duplicated.

633856

Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used.

644225

Challenge ACK is being dropped.

644638

Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor.

644865

Query string parameters omitted (HTTP redirect, SSL offloading).

647410

append command allows mixing VIP and firewall address as destination objects in a firewall policy.

648951

External threat feed entry 0.0.0.0/0 shows as invalid but it blocks traffic.

653828

When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds.

660461

Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU.

FortiView

Bug ID

Description

643198

Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data.

660753

In FortiView Sources dashboard, after filtering by subnet, drilling down will always show the first entry.

GUI

Bug ID

Description

598222

After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware.

612236

RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI.

638752

FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface.

650307

GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list.

651711

Unable to select an address group when configuring Source IP Pools for an SSL VPN portal.

653726

Filtering log results with a regular expression incorrectly yields no results.

660165

When creating SD-WAN rules in the GUI, the destination interface preference is not saved when the strategy is manual.

663351

Connectivity test for RADIUS server using CHAP authentication always returns failure.

666545

After upgrading to 6.2.5, log queries from HA cluster to FortiAnalyzer may take a long time and not return any results.

HA

Bug ID

Description

615001

LAG does not come up after link failed signal is triggered.

626715

Out-of-sync issue caused by firewall address group member is either duplicated or out of order.

630070

HA is failing over due to cmdbsvr crashes.

634604

SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C.

637711

CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary units.

639307

Both primary and secondary consoles keep printing get_ha_sync_obj_sig_4dir: stat /etc/cert/ca/5c44d531.0 error 2.

640428

SSL VPN related auth login user event logs do not require HA to be in sync.

643958

Inconsistent data from FFDB caused several confsyncd crashes.

647679

Inconsistent values for HA cluster inside the SNMP.

648073

HA cluster uses physical port MAC address at the time of HA failover.

651674

Long sessions lost on new primary after HA failover.

654341

The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one VDOM.

Intrusion Prevention

Bug ID

Description

655371

Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode.

IPsec VPN

Bug ID

Description

592361

Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.

611451

ADVPN spoke one behind NAT shortcut cannot connect to another spoke that is not behind NAT.

639806

User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject.

646012

DHCP over IPsec randomly works when net-device is disabled.

647285

After HA failover, not all tunnels come up; unknown SPI.

655739

local-gw is replaced with primary IP on a secondary device when the secondary IP is used as a local-gw.

659535

Setting same phase1-interface in SD-WAN member and SD-WAN zone causes iked watchdog timeout.

Log & Report

Bug ID

Description

555161

Application miglogd crashes when numerous DLP logs are generated, where DLP archive files use up system inodes.

583499

Improve local log search logic from aggressive to passive mode to save resources and CPU.

634947

rlogd signal 11 crashes.

641450

The miglogd processes is bound to busy CPUs, even though there are other completely idle CPUs available.

647741

On FG-60F, logging and FortiCloud reporting incorrect IPv6 bandwidth usage for sessions with NPU offload.

650325

The miglogd process crashes with signal 11 (segmentation fault).

Proxy

Bug ID

Description

550350

Should not be able to set inspection-mode proxy with IPS-enabled only policy.

578850

Application WAD crash several times due to signal alarm.

582475

WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

608387

WAD virtual server with HTTP multiplexing enabled causes crash after server is detached because the HTTP server object is detached from the HTTP session.

617322

DLP FTP proxy with splice option sends delete command to server before data transfer completes.

619707

WAD memory leak with explicit proxy and more than 30 users.

621787

On some smaller models, WAD watchdog times out when there is a lot of SSL traffic.

629504

SSH status in SSL profile changes to deep-inspection from disable after upgrading.

638039

Delete validation is not working for Protecting SSL Server profile.

647923

WAD has multiple signal 11 crashes at wad_ssl_cert_get_auth_status.

648831

WAD memory leak caused by Kerberos proxy authentication.

653099

Wildcard URL filter in proxy mode with ? and * not always handled properly.

656830

FortiGate should be in SSL bypass mode for TLS 1.2 certificate inspection with client certificate request.

658654

Cannot access the specific website using proxy-based UTM with certification inspection.

666522

Proxy mode is blocking web browsing for some websites due to certificate inspection.

666686

Websites loading slowly with web filter applied in proxy mode.

Routing

Bug ID

Description

624621

Log traffic to remote servers does not follow SD-WAN rules.

627901

set dscp-forward option is missing when using maximize bandwidth strategy in SD-WAN rule.

632285

Health check SLA status log shows configured bandwidth value instead of used bandwidth value.

641022

Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP changes.

641050

Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.

646418

SD-WAN information available in session list is confusing.

654482

SD-WAN route tag is removed with multiple BGP paths in place.

662845

HA secondary also sends SD-WAN sla-fail-log-period to FortiAnalyzer.

666829

The bfdd process crashes.

Security Fabric

Bug ID

Description

619696

Automation stitch traffic is sent via mgmt with ha-direct to AWS Lambda after upgrading from 6.0.9 to 6.2.3.

629723

SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions.

SSL VPN

Bug ID

Description

548599

SSL VPN crashes on parsing some special URLs.

573853

TX packet drops on SSL root interface.

611498

SMB/CIFS traffic via SSL VPN web mode not using correct SNAT IP (IP pool).

620793

A page inside a bookmark not opening in SSL VPN web mode.

624288

After SSL VPN proxy, one JS file of http://www.cm***-rm***.ca runs with an error.

627456

Traffic cannot pass when SAML user logs in to SSL VPN portal with group match.

630432

Slides on https://re***.nz website are displayed in SSL VPN web mode.

631082

FortiManager tabs/page do not load when accessed via SSL VPN web mode.

634210

SSL VPN daemon crash due to limit-user-login.

635814

FortiGate GUI cannot be rendered and displayed via SSL VPN portal.

636332

With SSL VPN proxy JIRA web application, get one wrong URL without proxy path.

639431

Three of the internal applications/portal bookmarks do not load/partially work with SSL VPN web mode.

641379

Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal.

643749

SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password.

644506

Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password.

645368

FortiClient randomly fails to connect to SSL VPN tunnel mode stuck at 98% with two-factor authentication token.

648192

DTLS tunnel performance improvements by allowing multiple packets to be read from the kernel driver, and redistributing the UDP packets to several worker processes in the kernel.

648433

Internal website loading issue in SSL VPN web portal.

649130

SSL VPN log entries display users from other VDOMs.

652880

SSL VPN crashes around the same time that LDAP connection errors are logged.

657689

The system allows enabling split tunnel when the SSL VPN policy is configured with destination all. It is not consistent with 5.6.x and 6.0.x.

662042

The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.

663532

Get no more IP address available error when users connect to SSL VPN after upgrading to 6.2.5.

665879

When SSL VPN processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML.

Switch Controller

Bug ID

Description

649913

HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.

652745

Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber.

System

Bug ID

Description

574716

The ospfNbrState OID takes too long to update.

582536

Link monitor behavior is different between FGCP and SLBC clusters.

583472

When system is in an extremely high memory usage state (~90%), a power supply status Power supply 1 AC is lost might be mistakenly logged.

585882

Error in log, msg="Interface 12345678001-ext:64 not found in the list!", while creating a long name VDOM in FG-SVM.

594264

NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will timeout at session TTL expiry.

594931

FG-60F/61F memory usage causes conserve mode by enabling/disabling UTM.

597893

FortiExtender interface admin status changes cannot be detected by FortiManager because the FortiGate checksum does not change.

598464

Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.

598928

FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN.

602643

Interface gets removed from SD-WAN after rebooting when the interface is defined in both SD-WAN and zone.

605723

FG-600E stops sending out packets on its SPF and copper port on NP6.

606360

HQIP loopback test failed with configured software switch.

607754

FortiGuard push update is not working properly from override (FortiManager)

609112

IPv6 push update fails.

609783

SNMP failed to retrieve HA cluster secondary information from secondary serial number in TP mode.

619023

Proxy ARP configuration not loaded after interface shut/not shut.

627269

Wildcard FQDN not resolved on the secondary unit.

628642

Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled.

630146

FG-100F memory configuration check.

630861

Support FortiManager when private-data-encryption is enabled in FortiOS.

631296

Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency.

631689

FG-100F cannot forward fragmented packets between hardware switch ports.

633298

10G ports x1/x2 cannot be set as interfaces in firewall acl/acl6 policies.

633827

Errors during fuzzy tests on FG-1500D.

634929

NP6 SSE drops after a couple of hours in a stability test.

636999

LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.

637983

FG-100F memory configuration check fails because of wrong threshold.

641419

FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).

642327

FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port.

643188

Interface forward-error-correction setting not honored after reboot.

644380

FG-40F/60F kernel panic: failure at mm/vmalloc.c:1341/__get_vm_area_node()!.

644427

Interface forward-error-correction setting not honored after reboot. Affected platforms: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, and FG-3600E.

645363

SNMP monitoring does not provide the SD-WAN member interface name.

645848

FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection.

647151

Unable to configure aggregate interface type on FG-30E-3G4G.

647593

After reboot, forward-error-correction value is not maintained as it should be.

647777

FortiGate not responding to DHCP relay requests from clients behind a DHCP relay.

654159

NP6Xlite traffic not sent over the tunnel when NPU is enabled.

658933

Under some circumstances, it was possible for Update D to create zombie processes.

661503

Existing ffdb_map_res package was not automatically removed after upgrading on small storage FortiGates, even though their creation was removed in 6.2.4.

662681

Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.

662989

FG-40F/41F aggregate interface gets removed after upgrading to 6.2.5 from 6.2.4 firmware version.

665000

HA LED off issue on FG-1100E/1101E models in 6.0.x.

666030

Empty firewall objects after pushing several policy deletes.

670838

It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%.

Upgrade

Bug ID

Description

656869

FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0.

Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration.

662452

SSH status in ssl-ssh-profile changes to deep-inspection from disable after upgrade.

User & Device

Bug ID

Description

546794

De-authentication of RSSO user does not clear the login from the motherboard.

580155

fnbamd crash.

591461

FortiGate does not send user IP to TACACS server during authentication.

620097

Persistent sessions for de-authenticated users.

659456

REST API authentication fails for API user with PKI group enabled due to fnbamd crash.

663399

interface-select-method not working for RADIUS configuration.

VM

Bug ID

Description

587180

FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

603100

Autoscale not syncing certificate among the cluster members.

606527

GUI and CLI interface dropdown lists are inconsistent.

634245

Dynamic address objects are not resolved to all addresses using Azure SDN connector.

652416

AWS Fabric connector always uses root VDOM even though it is not a management VDOM.

659333

Slow route change for HA failover in GCP cloud.

663276

After cloning the OCI instance, the OCID does not refresh to the new OCID.

668131

EIP is not updating properly on FG-VM Azure.

670166

FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5 to 6.4.2.

Web Filter

Bug ID

Description

587018

Add URL flow filter counters to SNMP.

610553

User browser gets URL block page instead of warning page when using HTTPS IP URL.

620803

Group name missing on web filter warning page in proxy-based inspection.

629005

foauthd has signal 11 crashes when FortiGate authenticates a web filter category.

659372

Inconsistent behavior between external list and FortiGuard categories/local override.

WiFi Controller

Bug ID

Description

618456

High cw_acd usage upon polling a large number of wireless clients with REST API.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

633089

FortiOS 6.2.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-15937

Resolved issues

The following issues have been fixed in version 6.2.6. For inquires about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

560044

Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.

Data Leak Prevention

Bug ID

Description

616918

DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS.

DNS Filter

Bug ID

Description

649985

Random SDNS rating timeout events on 6K/7K SLBC with FGSP.

Endpoint Control

Bug ID

Description

637454

Cloud-based EMS FSSO connector in FortiGate failed to connected with FortiClient EMS proxy in public cloud.

Explicit Proxy

Bug ID

Description

599637

Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is enabled in proxy policy.

617934

FortiGate web proxy should support forward server on TLS 1.3 certificate inspection connection.

630434

WAD crashed at wad_ssl_port_p2s_supported_versions with signal 11.

634515

HTTP 1.1 host header is lost in FortiGuard web proxy requests.

644121

Explicit proxy error 504, DNS fails for a specific domain.

Firewall

Bug ID

Description

586764

Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making change to large policy list (10 000+ policies).

586995

Cluster VDOM policy statistics data is not correct when VFID is different for same VDOM on primary/secondary.

595949

Any changes to the security policy table causes the hit count to reset.

628841

Internet service entry not detected due to some IP ranges being duplicated.

633856

Sessions are marked dirty when IPsec dialup client connects/disconnects and policy routes are used.

644225

Challenge ACK is being dropped.

644638

Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor.

644865

Query string parameters omitted (HTTP redirect, SSL offloading).

647410

append command allows mixing VIP and firewall address as destination objects in a firewall policy.

648951

External threat feed entry 0.0.0.0/0 shows as invalid but it blocks traffic.

653828

When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds.

660461

Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU.

FortiView

Bug ID

Description

643198

Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data.

660753

In FortiView Sources dashboard, after filtering by subnet, drilling down will always show the first entry.

GUI

Bug ID

Description

598222

After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware.

612236

RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI.

638752

FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface.

650307

GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list.

651711

Unable to select an address group when configuring Source IP Pools for an SSL VPN portal.

653726

Filtering log results with a regular expression incorrectly yields no results.

660165

When creating SD-WAN rules in the GUI, the destination interface preference is not saved when the strategy is manual.

663351

Connectivity test for RADIUS server using CHAP authentication always returns failure.

666545

After upgrading to 6.2.5, log queries from HA cluster to FortiAnalyzer may take a long time and not return any results.

HA

Bug ID

Description

615001

LAG does not come up after link failed signal is triggered.

626715

Out-of-sync issue caused by firewall address group member is either duplicated or out of order.

630070

HA is failing over due to cmdbsvr crashes.

634604

SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C.

637711

CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary units.

639307

Both primary and secondary consoles keep printing get_ha_sync_obj_sig_4dir: stat /etc/cert/ca/5c44d531.0 error 2.

640428

SSL VPN related auth login user event logs do not require HA to be in sync.

643958

Inconsistent data from FFDB caused several confsyncd crashes.

647679

Inconsistent values for HA cluster inside the SNMP.

648073

HA cluster uses physical port MAC address at the time of HA failover.

651674

Long sessions lost on new primary after HA failover.

654341

The new join-in secondary chassis failed to sync, while primary chassis has 6K policies in one VDOM.

Intrusion Prevention

Bug ID

Description

655371

Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode.

IPsec VPN

Bug ID

Description

592361

Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.

611451

ADVPN spoke one behind NAT shortcut cannot connect to another spoke that is not behind NAT.

639806

User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject.

646012

DHCP over IPsec randomly works when net-device is disabled.

647285

After HA failover, not all tunnels come up; unknown SPI.

655739

local-gw is replaced with primary IP on a secondary device when the secondary IP is used as a local-gw.

659535

Setting same phase1-interface in SD-WAN member and SD-WAN zone causes iked watchdog timeout.

Log & Report

Bug ID

Description

555161

Application miglogd crashes when numerous DLP logs are generated, where DLP archive files use up system inodes.

583499

Improve local log search logic from aggressive to passive mode to save resources and CPU.

634947

rlogd signal 11 crashes.

641450

The miglogd processes is bound to busy CPUs, even though there are other completely idle CPUs available.

647741

On FG-60F, logging and FortiCloud reporting incorrect IPv6 bandwidth usage for sessions with NPU offload.

650325

The miglogd process crashes with signal 11 (segmentation fault).

Proxy

Bug ID

Description

550350

Should not be able to set inspection-mode proxy with IPS-enabled only policy.

578850

Application WAD crash several times due to signal alarm.

582475

WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

608387

WAD virtual server with HTTP multiplexing enabled causes crash after server is detached because the HTTP server object is detached from the HTTP session.

617322

DLP FTP proxy with splice option sends delete command to server before data transfer completes.

619707

WAD memory leak with explicit proxy and more than 30 users.

621787

On some smaller models, WAD watchdog times out when there is a lot of SSL traffic.

629504

SSH status in SSL profile changes to deep-inspection from disable after upgrading.

638039

Delete validation is not working for Protecting SSL Server profile.

647923

WAD has multiple signal 11 crashes at wad_ssl_cert_get_auth_status.

648831

WAD memory leak caused by Kerberos proxy authentication.

653099

Wildcard URL filter in proxy mode with ? and * not always handled properly.

656830

FortiGate should be in SSL bypass mode for TLS 1.2 certificate inspection with client certificate request.

658654

Cannot access the specific website using proxy-based UTM with certification inspection.

666522

Proxy mode is blocking web browsing for some websites due to certificate inspection.

666686

Websites loading slowly with web filter applied in proxy mode.

Routing

Bug ID

Description

624621

Log traffic to remote servers does not follow SD-WAN rules.

627901

set dscp-forward option is missing when using maximize bandwidth strategy in SD-WAN rule.

632285

Health check SLA status log shows configured bandwidth value instead of used bandwidth value.

641022

Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP changes.

641050

Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.

646418

SD-WAN information available in session list is confusing.

654482

SD-WAN route tag is removed with multiple BGP paths in place.

662845

HA secondary also sends SD-WAN sla-fail-log-period to FortiAnalyzer.

666829

The bfdd process crashes.

Security Fabric

Bug ID

Description

619696

Automation stitch traffic is sent via mgmt with ha-direct to AWS Lambda after upgrading from 6.0.9 to 6.2.3.

629723

SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions.

SSL VPN

Bug ID

Description

548599

SSL VPN crashes on parsing some special URLs.

573853

TX packet drops on SSL root interface.

611498

SMB/CIFS traffic via SSL VPN web mode not using correct SNAT IP (IP pool).

620793

A page inside a bookmark not opening in SSL VPN web mode.

624288

After SSL VPN proxy, one JS file of http://www.cm***-rm***.ca runs with an error.

627456

Traffic cannot pass when SAML user logs in to SSL VPN portal with group match.

630432

Slides on https://re***.nz website are displayed in SSL VPN web mode.

631082

FortiManager tabs/page do not load when accessed via SSL VPN web mode.

634210

SSL VPN daemon crash due to limit-user-login.

635814

FortiGate GUI cannot be rendered and displayed via SSL VPN portal.

636332

With SSL VPN proxy JIRA web application, get one wrong URL without proxy path.

639431

Three of the internal applications/portal bookmarks do not load/partially work with SSL VPN web mode.

641379

Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal.

643749

SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password.

644506

Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password.

645368

FortiClient randomly fails to connect to SSL VPN tunnel mode stuck at 98% with two-factor authentication token.

648192

DTLS tunnel performance improvements by allowing multiple packets to be read from the kernel driver, and redistributing the UDP packets to several worker processes in the kernel.

648433

Internal website loading issue in SSL VPN web portal.

649130

SSL VPN log entries display users from other VDOMs.

652880

SSL VPN crashes around the same time that LDAP connection errors are logged.

657689

The system allows enabling split tunnel when the SSL VPN policy is configured with destination all. It is not consistent with 5.6.x and 6.0.x.

662042

The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.

663532

Get no more IP address available error when users connect to SSL VPN after upgrading to 6.2.5.

665879

When SSL VPN processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML.

Switch Controller

Bug ID

Description

649913

HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.

652745

Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber.

System

Bug ID

Description

574716

The ospfNbrState OID takes too long to update.

582536

Link monitor behavior is different between FGCP and SLBC clusters.

583472

When system is in an extremely high memory usage state (~90%), a power supply status Power supply 1 AC is lost might be mistakenly logged.

585882

Error in log, msg="Interface 12345678001-ext:64 not found in the list!", while creating a long name VDOM in FG-SVM.

594264

NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will timeout at session TTL expiry.

594931

FG-60F/61F memory usage causes conserve mode by enabling/disabling UTM.

597893

FortiExtender interface admin status changes cannot be detected by FortiManager because the FortiGate checksum does not change.

598464

Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.

598928

FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN.

602643

Interface gets removed from SD-WAN after rebooting when the interface is defined in both SD-WAN and zone.

605723

FG-600E stops sending out packets on its SPF and copper port on NP6.

606360

HQIP loopback test failed with configured software switch.

607754

FortiGuard push update is not working properly from override (FortiManager)

609112

IPv6 push update fails.

609783

SNMP failed to retrieve HA cluster secondary information from secondary serial number in TP mode.

619023

Proxy ARP configuration not loaded after interface shut/not shut.

627269

Wildcard FQDN not resolved on the secondary unit.

628642

Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled.

630146

FG-100F memory configuration check.

630861

Support FortiManager when private-data-encryption is enabled in FortiOS.

631296

Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency.

631689

FG-100F cannot forward fragmented packets between hardware switch ports.

633298

10G ports x1/x2 cannot be set as interfaces in firewall acl/acl6 policies.

633827

Errors during fuzzy tests on FG-1500D.

634929

NP6 SSE drops after a couple of hours in a stability test.

636999

LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.

637983

FG-100F memory configuration check fails because of wrong threshold.

641419

FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).

642327

FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port.

643188

Interface forward-error-correction setting not honored after reboot.

644380

FG-40F/60F kernel panic: failure at mm/vmalloc.c:1341/__get_vm_area_node()!.

644427

Interface forward-error-correction setting not honored after reboot. Affected platforms: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, and FG-3600E.

645363

SNMP monitoring does not provide the SD-WAN member interface name.

645848

FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection.

647151

Unable to configure aggregate interface type on FG-30E-3G4G.

647593

After reboot, forward-error-correction value is not maintained as it should be.

647777

FortiGate not responding to DHCP relay requests from clients behind a DHCP relay.

654159

NP6Xlite traffic not sent over the tunnel when NPU is enabled.

658933

Under some circumstances, it was possible for Update D to create zombie processes.

661503

Existing ffdb_map_res package was not automatically removed after upgrading on small storage FortiGates, even though their creation was removed in 6.2.4.

662681

Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.

662989

FG-40F/41F aggregate interface gets removed after upgrading to 6.2.5 from 6.2.4 firmware version.

665000

HA LED off issue on FG-1100E/1101E models in 6.0.x.

666030

Empty firewall objects after pushing several policy deletes.

670838

It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%.

Upgrade

Bug ID

Description

656869

FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0.

Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration.

662452

SSH status in ssl-ssh-profile changes to deep-inspection from disable after upgrade.

User & Device

Bug ID

Description

546794

De-authentication of RSSO user does not clear the login from the motherboard.

580155

fnbamd crash.

591461

FortiGate does not send user IP to TACACS server during authentication.

620097

Persistent sessions for de-authenticated users.

659456

REST API authentication fails for API user with PKI group enabled due to fnbamd crash.

663399

interface-select-method not working for RADIUS configuration.

VM

Bug ID

Description

587180

FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

603100

Autoscale not syncing certificate among the cluster members.

606527

GUI and CLI interface dropdown lists are inconsistent.

634245

Dynamic address objects are not resolved to all addresses using Azure SDN connector.

652416

AWS Fabric connector always uses root VDOM even though it is not a management VDOM.

659333

Slow route change for HA failover in GCP cloud.

663276

After cloning the OCI instance, the OCID does not refresh to the new OCID.

668131

EIP is not updating properly on FG-VM Azure.

670166

FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5 to 6.4.2.

Web Filter

Bug ID

Description

587018

Add URL flow filter counters to SNMP.

610553

User browser gets URL block page instead of warning page when using HTTPS IP URL.

620803

Group name missing on web filter warning page in proxy-based inspection.

629005

foauthd has signal 11 crashes when FortiGate authenticates a web filter category.

659372

Inconsistent behavior between external list and FortiGuard categories/local override.

WiFi Controller

Bug ID

Description

618456

High cw_acd usage upon polling a large number of wireless clients with REST API.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

633089

FortiOS 6.2.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-15937