Known issues
The following issues have been identified in version 6.2.7. To inquire about a particular bug or report a bug, please contact Customer Service & Support.
DNS Filter
Bug ID | Description |
---|---|
511729 | Domain filter entries whose action is set to allow should not be logged. |
582374 | License shows expiry date of 0000-00-00. |
Explicit Proxy
Bug ID | Description |
---|---|
540091 | Cannot access explicit FTP proxy via VIP. |
624513 | IP pool address in proxy policy is not used sometimes when enabling a security profile. |
662931 | Browsers change default |
664548 | When the FortiGate is configured as an explicit proxy and AV is enabled on the proxy policy, users cannot access certain FTP sites. |
681054 | Web proxy users are disconnected due to external resource update flushing the user even if they do not have an authentication rule using the related proxy address or IP list. |
689002 | Proxy traffic failed after modifying resource setting in external connector. |
697566 | Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7. |
Firewall
Bug ID | Description |
---|---|
611781 | Search option on IPv4 policy page not working; after typing in the search bar, no results are displayed. |
632507 | Internet service matching logic does not work as expected when the entry is configured in a policy for the first time. |
643446 | Fragmented UDP traffic is silently dropped when fragments have different ECN values. |
654356 | In NGFW policy mode, sessions are not re-validated when security policies are changed. Workaround: clear the session after policy change. |
661014 | FortiCarrier has GTP dropped packet log after configuring GTP allow list. |
675353 | Security policy (NGFW mode) flow-based UTM logs are still generated when policy traffic log is disabled. |
682956 | ISDB is empty/crashes after upgrading from 6.2.4/6.2.5 to 6.2.6. |
683426 | No hit counts on policy for DHCP broadcast packets in transparent mode. |
699785 | Firewall performance may degrade when thousands of VIPs are configured. |
FortiView
Bug ID | Description |
---|---|
628225 | Compromised Hosts dashboard cannot show data if FortiAnalyzer is configured using the FQDN address in the log setting. FortiAnalyzer configured with an IP address does not have this issue. |
635309 | When FortiAnalyzer logging is configured using an FQDN domain, the GUI displays a 500 error message on the FortiView Compromised Hosts page. |
673225 | FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined. |
GUI
Bug ID | Description |
---|---|
354464 | Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made. |
514632 | Inconsistent reference count when using ports in HA |
529094 | When creating an antispam block/allowlist entry, Mark as Reject should be grayed out. |
541042 | Log viewer forwarded traffic does not support multiple filters for one field. |
584915 | OK button missing from many pages when viewed in Chrome on an Android device. |
584939 | VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-". |
592854 | An address created by the VPN wizard cannot save changes due to an incorrect validation check for parentheses, (), in the Comments field. |
593860 | When central management is enabled, users can bypass GUI read-only restrictions and apply policy changes. |
601879 | When logging in to the dashboard after a factory reset, the dashboard displays The web page cannot be found. |
602102 | Warning message is not displayed when a user configures an interface with a static IP address that is already in use. |
602397 | Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA. |
621254 | When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error. |
631041 | Adding an RSSO group to the firewall policy does not enable RSSO on the policy. |
639617 | On Explicit Web Proxy Policy page, unable to change Outgoing Source IP option from IP Pools to Proxy Default or Original Source IP. CLI does not have this issue. |
650708 | When the client browser is in a different time zone from the FortiGate, the Guest Management page displays an incorrect expiry time for guest users. The CLI returns the correct expiry. |
655255 | FortiGuard resource retrieval delay causes GUI pages to respond slowly. Affected pages include: Firewall Policy, Settings (log and system), Explicit Proxy (web and FTP), System Global, and System CSF. |
656668 | On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address. |
661703 | High latency accessing Security Fabric > Physical Topology/Logical Topology pages in Firefox. |
662640 | Some GUI pages (dashboard, topology, policy list, interface list) are slow to load on low-end platforms when there are many concurrent HTTPSD requests. |
664007 | GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration. |
665597 | When |
666500 | The Confirm version downgrade warning message is not displayed when a user downgrades firmware between minor patch release versions using the manual upload option. Firmware downgrades from FortiGuard do not have this issue. |
667863 | GUI does not display FortiSwitch ports when multiple FortiLink interfaces are configured. FortiOS 6.4.0 and later supports multiple FortiLink configurations via the GUI. |
672599 | After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly. |
672906 | GUI does not redirect to the system reboot progress page after successfully restoring a configuration. |
682440 | On Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated. |
688994 | The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI. |
689605 | On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0. |
691277 | When logs are retrieved from FortiAnalyzer, the GUI displays the same traffic logs for primary and secondary HA devices. |
695163 | When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range. Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs. |
713023 | In FortiView > Policies, drilling down to View Sessions fails to load for the Web Sites and Web Categories tabs. |
HA
Bug ID | Description |
---|---|
540600 | The HA |
609631 | Both nodes in HA simultaneous reboot when |
627851 | After the HA peer node has been replaced, there needs to be a way to reset the HA health status back to OK. |
652507 | Sessions with |
653095 | Inband management IP connection breaks when failover occurs (only in virtual cluster setup). |
657376 | VLAN interfaces that are created on a different virtual cluster primary instead of the root primary do not sync. |
678309 | Cluster is out of sync because of |
690248 | Malicious certificate database is not getting updated on the secondary unit. |
693223 | hasync crashes with signal 11 in |
703047 | |
Intrusion Prevention
Bug ID | Description |
---|---|
565747 | IPS engine 5.00027 has signal 11 crash. |
590087 | When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit. |
657541 | On FG-80D, the IPS engine daemon count drops to 0 when the CPU number is 4. |
686301 | ipshelper CPU spikes when configuration changes are made. |
689259 | Flow-based AV scanning does not send specific extension files to FortiSandbox. |
689590 | IP quarantine is not working on FG-80D. |
691395 | Signature false positives causing outage after IPS database update. |
IPsec VPN
Bug ID | Description |
---|---|
566076 | IKED process signal 11 crash in an ADVPN and BGP scenario. |
631804 | OCVPN errors showing in logs when OCVPN is disabled. |
642543 | IPsec did not rekey when keylife expired after back-to-back HA failover. |
650599 | IKE HA sync truncates phase 2 options flags after the first eight bits. |
655895 | Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6). |
666693 | If NAT-T IP changes, the dynamic IPsec spoke add route entry is stuck on the hub. |
678800 | Kernel may crash on link event update with |
687749 | iked HA sync crashed on secondary with authenticated user group in firewall policy. Affected models: all except NP7 platforms (FG-180xF, FG-260xF, FG-420xF, FG-440xF). |
684133 | Site-to-site IPsec VPN cannot establish in asymmetric routing scenario where the IPsec VPN bound interface is a loopback interface. |
694992 | Issue establishing IPsec and L2TP tunnel with Chromebook behind NAT. |
710961 | Hub is dropping packets due to |
Log & Report
Bug ID | Description |
---|---|
606533 | User observes |
623471 | FortiGate did not change the time after daylight saving time. |
654363 | Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode. |
667274 | FortiGate does not have log disk auto scan failure status log. |
675347 | When searching for some rarely-found logs within a large volume of logs, there is a long period of time before the results are returned. During the waiting period, if any new requests arrive, the old search session cannot be cleared. There is then a risk that multiple processes exist together, which may cause performance issues. |
677540 | First TCP connection to syslog server is not stable. |
682444 | No event log generated when log disk needs format. |
694296 | Memory leak issue in miglogd when log daemon has connection issue or FortiAnalyzer setting changes. |
710344 | Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode. |
Proxy
Bug ID | Description |
---|---|
603195 | Multiple WAD crashes with signal 11. |
633108 | When FOH server is disconnected from an HTTP session, the HTTP session client port peer is not cleared. After this, the HTTP client port shutdown causes a crash because the peer port is freed. |
655356 | Proxy deep inspection fails if server uses TLS 1.3 cookies or record padding. |
661063 | If a client sends an RST to a WAD proxy, the proxy can close the connection to the server. In this case, the relatively long session expiration (which is usually 120 seconds by default) could lead to session number spikes in some tests. |
675525 | No WAD sessions displayed when running |
680651 | Memory leak when retrieving the thumbnailPhoto information from the LDAP server. |
681134 | Proxy-based SSL certification inspection session might hang if there are no routes for the outbound connection. |
693951 | Cannot access Java-based application in proxy mode. |
REST API
Bug ID | Description |
---|---|
584631 | REST API admin with token unable to configure HA setting (via login session works). |
Routing
Bug ID | Description |
---|---|
537354 | BFD/BGP dropping when |
687034 | bgpd memory leak if running BGP on 6.2.7 and 6.4.4. Workaround: enable SD-WAN to avoid BGP memory leaking. In 6.4: config system sdwan set status enable end In 6.2: config system virtual-wan-link set status enable end |
692241 | BGP daemon consumes high CPU in ADVPN setup when disconnecting after socket writing error. |
Security Fabric
Bug ID | Description |
---|---|
614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
649556 | FortiNAC requests to FortiGate can time out on low-end models when there are many concurrent requests. |
660624 | FortiAnalyzer Cloud should be taken into consideration when doing CLI check for CSF setting. |
SSL VPN
Bug ID | Description |
---|---|
505986 | On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication. |
608195 | AngularJS web application cannot load via SSL VPN web mode. |
610905 | SSL VPN bypassing logon count limit with different case in user name. |
610995 | SSL VPN web mode gets error when accessing internal website at https://st***.st***.ca/. |
619296 | FortiGate reverts default values of text on buttons in SSL VPN log on page. |
628597 | Unable to load the SSL VPN bookmark internal website, https://fi***.co.nz. |
646339 | SSL-SSH inspection profile changes to |
661290 | https://mo***.be site is non-accessible in SSL VPN web mode. |
662871 | SSL VPN web mode has problem accessing some pages on FortiAnalyzer 6.2. |
672743 | sslvpnd segmentation fault crash due to old DNS entries in cache that cannot be released if the same results were added into the cache but in a different order. |
673320 | Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode. |
678132 | SSL VPN web portal SSO credentials for alternative option are not working. |
680711 | Unable to access OWA web server on mobile device in SSL VPN web mode. |
681764 | Video could not load for https://le***.sm***.ca in SSL VPN web mode. |
683601 | Changing DNS or WINS server under VPN SSL settings logs off connected users. |
685269 | SSL VPN web mode is not working properly for aw***.co***.com website. |
688023 | SSL VPN bookmarked website shows empty page after logging in to SSL VPN gateway https://vd***.vi***.com |
696009 | Tunnel IP pool leak when DTLS tunnel user session is deleted due to timeout (idle or authentication). |
Switch Controller
Bug ID | Description |
---|---|
588584 | GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM. |
605864 | If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting. |
700842 | FortiSwitch MAC delete logs are not being generated. |
System
Bug ID | Description |
---|---|
464340 | EHP drops for units with no NP service module. |
578031 | FortiManager Cloud cannot be removed once the FortiGate has trouble on contract. |
584622 | SNMP trap cannot display FortiGate model in OSPF trap information. |
595244 | There is duplicate information when checking interface references in global. |
600032 | SNMP does not provide routing table for non-management VDOM. |
607565 | Interface |
627629 | DHCP client sent invalid DHCPREQUEST format during INIT state. |
642005 | FortiGate does not send |
664279 | snmpd crashes when sorting a list-based ARP table if it has about 50,000 or more entries. |
665332 | When VDOM has large number of VIPs and policies, any firewall policy change causes cmdbsvr to become busy and use high CPU. |
666418 | SFP interfaces on FG-330xE do not show link light. |
668856 | Offloaded traffic passing through two VDOMs connected with EMAC-VLANs is sometimes dropped. |
669645 | VXLAN VNI interface cannot be used with a hardware switch. |
669914 | No statistics for TX and RX counters for VLAN interfaces. |
670897 | Update GTP code to be compatible with newer versions (GTPv1 and GTPv2). |
673609 | The auto-join FortiCloud re-try timer 600 second value is too large. |
675171 | L2TP enabled status should be configured before EIP and SIP. |
677568 | Failed to parse |
678809 | dhcpd crashes with signal 6 because the timer is not canceled before calling the free release function. |
680881 | Rebooting device causes interface mode to change from static to DHCP. |
686442 | Traffic was stopped because PBA IP pool has the wrong relationship information. |
693757 | Secondary FG-5001D blades in SLBC cluster do not show updated contract dates. |
694202 | |
695803 | Unable to reorder firewall DoS policy in GUI or CLI. |
698014 | When running |
701839 | CLI console shows |
Upgrade
Bug ID | Description |
---|---|
658664 | FortiExtender status becomes Workaround: change the config extender-controller extender edit <id> set admin enable next end |
User & Device
Bug ID | Description |
---|---|
595583 | Device identification via LLDP on an aggregate interface does not work. |
675226 | The |
675539 | FSSO collector status is down, even though it is reported as connected by authd in a multi-VDOM environment. |
750551 | DST_Root_CA_X3 certificate is expired. Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information. |
VM
Bug ID | Description |
---|---|
587757 | FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type. |
596742 | Azure SDN connector replicates configuration from primary device to secondary device during configuration restore. |
605511 | FG-VM-GCP reboots a couple of times due to kernel panic. |
608881 | IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup. |
627106 | FG-VM64 console shows |
640436 | FortiGate AWS bootstrapped from configuration does not read SAML settings. |
668625 | During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available. |
685782 | HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite |
711525 | FG-VM-AWS PAYG instance randomly loses license after reboot. |
Web Filter
Bug ID | Description |
---|---|
668325 | Hanging FortiGuard connection is not torn down in some situations. |
676403 | Replacement message pictures (FortiGuard web filter) are not displayed in Chrome. |
678467 | Safe search URL option is not working while the original query in Google Images has the same parameter name. |
WiFi Controller
Bug ID | Description |
---|---|
707635 | AP with MAC E0-23-FF not coming online through mesh with FortiWiFi radio set to root. |