Known issues

The following issues have been identified in version 6.2.9. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

DNS Filter

Bug ID

Description

582374

License shows expiry date of 0000-00-00.

Explicit Proxy

Bug ID

Description

540091

Cannot access explicit FTP proxy via VIP.

Firewall

Bug ID

Description

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

FortiView

Bug ID

Description

635309

When FortiAnalyzer logging is configured using an FQDN domain, the GUI displays a 500 error message on the FortiView Compromised Hosts page.

673225

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

GUI

Bug ID

Description

354464

Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made.

514632

Inconsistent reference count when using ports in HA session-sync-dev.

529094

When creating an antispam block/allowlist entry, Mark as Reject should be grayed out.

541042

Log viewer forwarded traffic does not support multiple filters for one field.

584915

OK button missing from many pages when viewed in Chrome on an Android device.

584939

VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-".

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

621254

When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error.

664007

GUI incorrectly displays the warning "Botnet package update unavailable, AntiVirus subscription not found." when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

682440

On Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.

688994

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

Hyperscale

Bug ID

Description

734305

In the GUI, an FQDN or ISDB can be selected for a DoS policy, which is not supported (an error message appears). The CLI shows the correct options.

737782

FG-4400F in hyperscale mode has A-P failover while under a heavy load, and takes over 30 seconds to recover bandwidth/CPS.

Intrusion Prevention

Bug ID

Description

565747

IPS engine 5.00027 has signal 11 crash.

586544

IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668

IPS engine 5.00035 has signal 11 crash.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

Log & Report

Bug ID

Description

606533

User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI.

713014

Cannot perform disk scan after enabling disk raid.

Proxy

Bug ID

Description

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

584631

REST API administrator with token unable to configure HA setting (via login session works).

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

666242

Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.

SSL VPN

Bug ID

Description

505986

On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

887674

FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.

Switch Controller

Bug ID

Description

588584

GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.

605864

If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

578031

FortiManager Cloud cannot be removed once the FortiGate has trouble with contract.

595244

There is duplicate information when checking interface references in global.

600032

SNMP does not provide routing table for non-management VDOM.

607565

Interface emac-vlan feature does not work on SoC4 platform.

669645

VXLAN VNI interface cannot be used with a hardware switch.

694202

stpforward does not work with LAG interfaces on a transparent VDOM.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

740403

Initiating 100 IPv4 multicast streams at the same time causes the FortiGate to stop forwarding data.

Upgrade

Bug ID

Description

658664

FortiExtender status becomes discovered after upgrading from 6.0.10 (build 0365).

Workaround: change the admin from discovered to enable after upgrading.

config extender-controller extender
    edit <id>
        set admin enable
    next
end

User & Device

Bug ID

Description

595583

Device identification via LLDP on an aggregate interface does not work.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

750551

DST_Root_CA_X3 certificate is expired.

Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information.

VM

Bug ID

Description

587757

FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type.

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

605511

FG-VM-GCP reboots a couple of times due to kernel panic.

608881

IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

640436

FortiGate AWS bootstrapped from configuration does not read SAML settings.

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

685782

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

WiFi Controller

Bug ID

Description

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.
