Known issues

The following issues have been identified in version 6.2.9. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

665173

Crash logs are sometimes truncated/incomplete.

DNS Filter

Bug ID

Description

582374

License shows expiry date of 0000-00-00.

682060

DNS proxy holds 60% of memory because of retransmitted DNS messages sent by DNS clients, which causes the FortiGate to enter conserve mode.

Explicit Proxy

Bug ID

Description

540091

Cannot access explicit FTP proxy via VIP.

654455

Proxy policy destination address set to none allows all traffic.

681969

FSSO explicit proxy authentication appears as basic instead of FSSO.

Firewall

Bug ID

Description

561170

Traffic is blocked by NGFW policy when SDN connector firewall address is configured in policy.

644225

Challenge ACK is being dropped.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

716317

IPS user quarantine ban event is marking the sessions as dirty.

719925

Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

730803

Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.

FortiView

Bug ID

Description

635309

When FortiAnalyzer logging is configured using an FQDN domain, the GUI displays a 500 error message on the FortiView Compromised Hosts page.

673225

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

GUI

Bug ID

Description

354464

Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made.

514632

Inconsistent reference count when using ports in HA session-sync-dev.

529094

When creating an antispam block/allowlist entry, Mark as Reject should be grayed out.

535099

The SSID dialog page does not have support for the new MAC address filter.

541042

Log viewer forwarded traffic does not support multiple filters for one field.

584915

OK button missing from many pages when viewed in Chrome on an Android device.

584939

VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-".

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

Workaround: click Cancel instead of OK to close the dialog.

621254

When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error.

664007

GUI incorrectly displays the warning "Botnet package update unavailable, AntiVirus subscription not found." when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

682440

On Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.

688994

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

720613

The event log sometimes contains duplicated lines when downloaded from the GUI.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

HA

Bug ID

Description

669301

When sending UDP packets, hasync uses the wrong buffer size and may write beyond the end of the buffer, corrupting adjacent memory.

693178

Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster.

695067

When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

Workaround: do not use the HA interface as a heartbeat interface.

709518

Secondary device is unable to connect to FortiCloud with secondary IP as the source IP.

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group |memory> after HA hbdev configuration changes.

715939

Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk receives a large number of intf_vd_changed events and rechecks the MAC address every time, which blocks hatalk from sending heartbeat packets for long enough that the peer declares the heartbeat lost.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports a "VLAN heartbeat lost on subinterface vlan" error for multiple VLANs.

723130

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

744826

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

746008

DNS may not resolve correctly in a virtual cluster environment. It also impacts the FortiGate 6000F and 7000E/F series where DNS may not resolve on the correct blades (FPC/FPM).

Intrusion Prevention

Bug ID

Description

565747

IPS engine 5.00027 has signal 11 crash.

586544

IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668

IPS engine 5.00035 has signal 11 crash.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

680501

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

689259

Flow-based AV scanning does not send specific extension files to FortiSandbox.

693800

IPS memory spike on 6.2.7 running IPS engine 5.00229.

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

578879, 676728

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

714400

Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

Log & Report

Bug ID

Description

606533

User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI.

703738

Log upload through user proxy is randomly terminated.

713014

Cannot perform disk scan after enabling disk raid.

722315

System might generate garbage administrator log events upon session timeout.

724827

Syslogd is using the wrong source IP when configured with interface-select-method auto.

Proxy

Bug ID

Description

520176

Multiple WAD crashes observed with signal 6. The issue can be reproduced with a slow server that does not respond to the connection within 10 seconds, if the configuration changes during those 10 seconds.

568905

WAD crashes due to RCX having a null value.

582464

WAD SSL crash due to wrong cipher options chosen.

586281

WAD memory corruption.

615391

Reusing the buffer region causes frequent WAD crashes.

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

670339

Proxy-based SSL out-band-probe sessions use a local-out connection. Because a local-out session does not learn policy routes, all outbound connections fail if there is no static route to the destination.

675343

WAD crashes with transparent web proxy when connecting to a forward server.

691468

WAD IPS crashes because task is scheduled after closing.

714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

726999

WAD crash on wad_hash_map_del.

727349

Traffic is stuck if HTTP POST does not have an end of boundary.

733760

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

584631

REST API admin with token unable to configure HA setting (via login session works).

663441

REST API unable to change status of interface when VDOMs are enabled.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

611708

SNMP does not report the BGP peer state promptly when a BGP neighbor enters or exits the established state.

655447

BGP prefix lifetime resets every 60 seconds when scanning BGP RIB.

661270

OSPF is stuck in loading state when there is a large amount of OSPF interfaces.

662655

The OSPF neighborship cannot be established; get MD5 authentication error when the wrong MD5 key is deleted after modifying the key.

693396

The hasync daemon spins in a busy loop when file descriptors are exhausted while it is flushing routes from the kernel.

693496

SD-WAN rules are not applied to FortiAnalyzer traffic because interface-select-method is implemented for the remote FortiAnalyzer/FDS connection but has not been added to the FortiView/log viewing API.

697658

FortiCloud activation does not honor the set interface-select-method command under config system fortiguard.

723726

TCP session drops between virtual wire pair with auto-asic-offload enabled in policy.

725322

Improve the help text for distance to indicate that 255 means unreachable.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

635183

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

666242

Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.

735717

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

SSL VPN

Bug ID

Description

505986

On IE 11, SSL VPN web portal displays blank page title {{::data.portal.heading}} after authentication.

646295

When a DNS domain is configured, requests to an NTLM bookmark that uses a hostname-only address get no response from the server.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

677548

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695763

FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.

697637

FortiToken Cloud user not working when in a user group.

706646

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

718170

SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

731278

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

745499

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

Switch Controller

Bug ID

Description

588584

GUI should add support to allow using switch VLAN interface under a tenant VDOM on a managed switch VDOM.

605864

If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting.

689403

Unable to add FSW-448E using serial number on FortiGate.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

578031

FortiManager Cloud cannot be removed once the FortiGate has trouble with contract.

595244

There is duplicate information when checking interface references in global.

600032

SNMP does not provide routing table for non-management VDOM.

607565

Interface emac-vlan feature does not work on SoC4 platform.

627236

TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.

627645

When upgrading FG-100D, several processes randomly go into D state, which generates cluster and service issues.

641708

FTLF8536P4BCV shows "This transceiver is not certified by Fortinet" with a corrupt part number and serial number after HA cluster sync.

648014

FortiDDNS is unable to update the renewed public IP address to FortiGuard server in some error conditions.

675418

FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email.

681791

Install preview does not show all changes performed on the FortiGate.

682227

DSL creates a default route to 240.0.0.1 after changing any configuration on a DSL interface.

687519

Bulk changes through the CLI are very slow with 24000 existing policies.

689317, 698927

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

691729

WWAN interface on FG-40F-3G4G eventually goes offline until a reboot or configuration change occurs.

692490

When an <entry name> is on the same line as config <setting> <setting> <entry name>, it is not handled properly to send to FortiManager.

694202

stpforward does not work with LAG interfaces on a transparent VDOM.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.12356.101.5.1.2.1) causes high CPU with a specific configuration.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

702932

FG-1500D reboots suddenly after COMLog reported kernel panic and voipd is tainted.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

704981

LLDP transmission fails if there are nested software switches.

713324

Command fails when running execute private-encryption-key <xxx>.

714805

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

715978

NTurbo does not work with EMAC VLAN interface.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

722273

SA is freed while its timer is still pending, which leads to a kernel crash.
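Entry 715928 under SSL VPN and entry 722273 here describe the same bug class: an object is released while a one-shot timer still holds a pointer to it, and when the timer fires the callback dereferences memory that is already gone (a use-after-free, seen as a signal 11 in userspace or a kernel crash). The C program below is an added illustration written for this page, not FortiOS code; the timer scheduler, the ppp_ctx structure and all field names are hypothetical. It replays the 715928 sequence against a virtual clock and contrasts the buggy release with the fix of cancelling the timer before the context is invalidated. To keep the demo observable rather than crashing, a live flag stands in for real memory validity and stale callbacks are counted instead of dereferencing freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TIMERS 8
typedef void (*timer_cb)(void *ctx);

/* One-shot timer driven by a virtual tick counter, not wall-clock time. */
struct timer { bool armed; unsigned fire_at; timer_cb cb; void *ctx; };
static struct timer timers[MAX_TIMERS];
static unsigned now_tick;

/* Stand-in for a per-user PPP context (hypothetical layout). 'live'
 * simulates whether the memory is still valid, so the demo can count a
 * stale callback instead of crashing on a real free(). */
struct ppp_ctx {
    char user[32];
    int timer_id;   /* pending cleanup timer, or -1 */
    bool live;
};

static int timer_arm(unsigned delay, timer_cb cb, void *ctx) {
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!timers[i].armed) {
            timers[i] = (struct timer){ true, now_tick + delay, cb, ctx };
            return i;
        }
    return -1;
}

static void timer_cancel(int id) {
    if (id >= 0 && id < MAX_TIMERS) timers[id].armed = false;
}

/* Advance one tick and fire every timer that is due. */
static void timer_tick(void) {
    now_tick++;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].armed && timers[i].fire_at <= now_tick) {
            timers[i].armed = false;
            timers[i].cb(timers[i].ctx);
        }
}

/* Callbacks that ran on a released context. In a real daemon this is the
 * use-after-free behind the signal 11 / kernel crash. */
static int stale_callbacks;

static void cleanup_cb(void *p) {
    struct ppp_ctx *c = p;
    if (!c->live) { stale_callbacks++; return; }
    /* normal path: release the first user's resources here */
}

/* Buggy release: the context goes away but its timer stays armed. */
static void ppp_ctx_release_buggy(struct ppp_ctx *c) {
    c->live = false;
    memset(c->user, 0, sizeof c->user);
}

/* Fixed release: cancel the timer that still references the context
 * before invalidating it (a refcount held by the timer would also work). */
static void ppp_ctx_release_fixed(struct ppp_ctx *c) {
    timer_cancel(c->timer_id);
    c->timer_id = -1;
    c->live = false;
    memset(c->user, 0, sizeof c->user);
}

/* Replays the sequence from the bug description: a duplicate login kicks
 * the first user, a 5-tick cleanup timer is armed, PPP setup then fails
 * and the context is released before the timer expires. Returns how many
 * callbacks hit a released context; 0 means the race is closed. */
int run_scenario(bool fixed) {
    memset(timers, 0, sizeof timers);
    now_tick = 0;
    stale_callbacks = 0;

    struct ppp_ctx first = { .timer_id = -1, .live = true };
    strncpy(first.user, "alice", sizeof first.user - 1);   /* constructed sample user */
    first.timer_id = timer_arm(5, cleanup_cb, &first);

    if (fixed) ppp_ctx_release_fixed(&first);
    else       ppp_ctx_release_buggy(&first);

    for (int i = 0; i < 6; i++) timer_tick();   /* let the 5-tick timer expire */
    return stale_callbacks;
}

int main(void) {
    printf("buggy release: %d stale callback(s)\n", run_scenario(false));
    printf("fixed release: %d stale callback(s)\n", run_scenario(true));
    return 0;
}
```

The same discipline applies to the kernel case in 722273: whatever owns the SA must cancel (or wait for) its pending timer before the SA memory is returned, or the timer must hold a reference that keeps the SA alive until the callback has run.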

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected.

740649

FortiGate sends CSR configuration without double quote (") to FortiManager.

Upgrade

Bug ID

Description

658664

FortiExtender status becomes discovered after upgrading from 6.0.10 (build 0365).

Workaround: change the admin from discovered to enable after upgrading.

config extender-controller extender
    edit <id>
        set admin enable
    next
end

User & Device

Bug ID

Description

595583

Device identification via LLDP on an aggregate interface does not work.

688989

Two-factor authentication can be bypassed with some configurations.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

710212

RADIUS accounting port is occasionally missing.

725056

FSSO local poller fails after recent Microsoft Windows updates (KB5003646, KB5003638, ...).

750551

DST_Root_CA_X3 certificate is expired.

Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information.

VM

Bug ID

Description

587757

FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type.

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

605511

FG-VM-GCP reboots a couple of times due to kernel panic.

608881

IPsec VPN tunnel not staying up after failing over with AWS A-P cross-AZ setup.

640436

FortiGate AWS bootstrapped from configuration does not read SAML settings.

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

685782

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

Web Filter

Bug ID

Description

672994

Web filter warning message does not contain certification chain.

717619

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

739349

Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when utm-status is disabled.

WiFi Controller

Bug ID

Description

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

739793

VM license file generated by FortiCare lacks new line at the end and causes cw_acd process to constantly restart.

Workaround: import a certificate called cw_ac_cert or ask Fortinet customer support to regenerate the VM license file.

Known issues

The following issues have been identified in version 6.2.9. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

665173

Crash logs are sometimes truncated/incomplete.

DNS Filter

Bug ID

Description

582374

License shows expiry date of 0000-00-00.

682060

DNS proxy is holding 60% memory caused by retransmitted DNS messages sent from DNS clients, which causes the FortiGate to enter conserve mode.

Explicit Proxy

Bug ID

Description

540091

Cannot access explicit FTP proxy via VIP.

654455

Proxy policy destination address set to none allows all traffic.

681969

FSSO explicit proxy authentication appears as basic instead of FSSO.

Firewall

Bug ID

Description

561170

Traffic is blocked by NGFW policy when SDN connector firewall address is configured in policy.

644225

Challenge ACK is being dropped.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

716317

IPS user quarantine ban event is marking the sessions as dirty.

719925

Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

730803

Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.

FortiView

Bug ID

Description

635309

When FortiAnalyzer logging is configured using an FQDN domain, the GUI displays a 500 error message on the FortiView Compromised Hosts page.

673225

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

GUI

Bug ID

Description

354464

Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made.

514632

Inconsistent reference count when using ports in HA session-sync-dev.

529094

When creating an antispam block/allowlist entry, Mark as Reject should be grayed out.

535099

The SSID dialog page does not have support for the new MAC address filter.

541042

Log viewer forwarded traffic does not support multiple filters for one field.

584915

OK button missing from many pages when viewed in Chrome on an Android device.

584939

VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-".

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

Workaround: click Cancel instead of OK to close the dialog.

621254

When creating or editing an IPv4 policy or address group, firewall address searching does not work if there is an empty wildcard address due to a configuration error.

664007

GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

682440

On Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.

688994

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

720613

The event log sometimes contains duplicated lines when downloaded from the GUI.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

HA

Bug ID

Description

669301

When sending UDP packets, hasync code uses the wrong buffer size so that it may overwrite beyond the buffer to other corrupted memory.

693178

Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster.

695067

When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

Workaround: do not use the HA interface as a heartbeat interface.

709518

Secondary device is unable to connect to FortiCloud with secondary IP as the source IP.

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group |memory> after HA hbdev configuration changes.

715939

Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of intf_vd_changed events and recheck the MAC every time, which blocks hatalk from sending heartbeat packets for a long time and the peer loses it.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

723130

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

744826

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

746008

DNS may not resolve correctly in a virtual cluster environment. It also impacts the FortiGate 6000F and 7000E/F series where DNS may not resolve on the correct blades (FPC/FPM).

Intrusion Prevention

Bug ID

Description

565747

IPS engine 5.00027 has signal 11 crash.

586544

IPS intelligent mode not working when reflect sessions are created on different physical interfaces.

587668

IPS engine 5.00035 has signal 11 crash.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

680501

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

689259

Flow-based AV scanning does not send specific extension files to FortiSandbox.

693800

IPS memory spike on 6.2.7 running version: 5.00229.

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

578879, 676728

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

714400

Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

Log & Report

Bug ID

Description

606533

User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI.

703738

Log upload through user proxy is randomly terminated.

713014

Cannot perform disk scan after enabling disk raid.

722315

System might generate garbage administrator log events upon session timeout.

724827

Syslogd is using the wrong source IP when configured with interface-select-method auto.

Proxy

Bug ID

Description

520176

Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that will not respond the connection in 10 seconds, and if the configuration changes during the 10 seconds.

568905

WAD crashes due to RCX having a null value.

582464

WAD SSL crash due to wrong cipher options chosen.

586281

WAD memory corruption.

615391

Reusing the buffer region causes frequent WAD crashes.

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

670339

Proxy-based SSL out-band-probe session has local out connection. Since the local out session will not learn the router policy, it makes all outbound connections fail if there is no static router to the destination.

675343

WAD crashes with transparent web proxy when connecting to a forward server.

691468

WAD IPS crashes because task is scheduled after closing.

714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

726999

WAD crash on wad_hash_map_del.

727349

Traffic is stuck if HTTP POST does not have an end of boundary.

733760

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

584631 REST API admin with token unable to configure HA setting (via login session works).

663441

REST API unable to change status of interface when VDOMs are enabled.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

611708

Make SNMP get BGP peer state timely once BGP neighbor enters or exits established state.

655447

BGP prefix lifetime resets every 60 seconds when scanning BGP RIB.

661270

OSPF is stuck in loading state when there is a large amount of OSPF interfaces.

662655

The OSPF neighborship cannot be established; an MD5 authentication error occurs when the wrong MD5 key is deleted after modifying the key.

693396

The hasync daemon was stuck in an infinite loop if FD resources were exhausted while flushing routes from the kernel.

693496

SD-WAN rules do not work for FortiAnalyzer settings because interface-select-method is implemented for the remote device (FortiAnalyzer/FDS) but is not added to the FortiView/log viewing API.

697658

FortiCloud activation does not honor the set interface-select-method command under config system fortiguard.

723726

TCP sessions drop between a virtual wire pair with auto-asic-offload enabled in the policy.

725322

Improve the help text for distance to indicate that 255 means unreachable.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

635183

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

666242

Automation stitch CLI scripts fail with more than 255 characters; up to 1023 characters should be supported.

735717

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

SSL VPN

Bug ID

Description

505986

On IE 11, the SSL VPN web portal displays the blank page title {{::data.portal.heading}} after authentication.

646295

When a DNS domain is configured, NTLM requests through a hostname-only bookmark cannot get a response from the server.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

677548

In SSL VPN web mode, the options pages are not shown after clicking the options tab on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to a wrong application index referencing the wrong shared memory when daemons are busy. The crash was found when a RADIUS user uses Framed-IP.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695763

FortiClient iOS 6.4.5 has a new feature that allows bypassing 2FA for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.

697637

FortiToken Cloud user does not work when in a user group.

706646

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

718170

SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

731278

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

745499

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

Switch Controller

Bug ID

Description

588584

The GUI should add support for using a switch VLAN interface under a tenant VDOM on a managed switch VDOM.

605864

If the firewall is downgraded from 6.2.3 to 6.2.2, the FortiLink interface loses its CAPWAP setting.

689403

Unable to add an FSW-448E using its serial number on the FortiGate.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

578031

FortiManager Cloud cannot be removed once the FortiGate has trouble with its contract.

595244

There is duplicate information when checking interface references in global.

600032

SNMP does not provide the routing table for a non-management VDOM.

607565

Interface emac-vlan feature does not work on SoC4 platform.

627236

TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.

627645

When upgrading FG-100D, several processes randomly go into D state, which generates cluster and service issues.

641708

FTLF8536P4BCV shows "This transceiver is not certified by Fortinet" with a corrupt part number and serial number after HA cluster sync.

648014

FortiDDNS is unable to update the renewed public IP address to FortiGuard server in some error conditions.

675418

FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email.

681791

Install preview does not show all changes performed on the FortiGate.

682227

DSL creates a default route to 240.0.0.1 after changing any configuration on a DSL interface.

687519

Bulk changes through the CLI are very slow with 24000 existing policies.

689317, 698927

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

691729

WWAN interface on FG-40F-3G4G eventually goes offline until a reboot or configuration change occurs.

692490

When an <entry name> is on the same line as config <setting> <setting> <entry name>, it is not handled properly when sent to FortiManager.

694202

stpforward does not work with LAG interfaces on a transparent VDOM.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

702932

FG-1500D reboots suddenly after COMLog reported a kernel panic and voipd is tainted.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

704981

LLDP transmission fails if there are nested software switches.

713324

Command fails when running execute private-encryption-key <xxx>.

714805

FortiManager shows an auto update for a down port from the FortiGate, but FortiGate event logs do not show any down-port events when the user shuts down the HA monitored device (ha monitor dev).

715978

NTurbo does not work with EMAC VLAN interface.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

722273

An SA is freed while its timer is still pending, which leads to a kernel crash.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected.

740649

FortiGate sends CSR configuration without double quote (") to FortiManager.

Upgrade

Bug ID

Description

658664

FortiExtender status becomes discovered after upgrading from 6.0.10 (build 0365).

Workaround: change the admin setting from discovered to enable after upgrading.

config extender-controller extender
    edit <id>
        set admin enable
    next
end

User & Device

Bug ID

Description

595583

Device identification via LLDP on an aggregate interface does not work.

688989

Two-factor authentication can be bypassed with some configurations.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

710212

RADIUS accounting port is occasionally missing.

725056

FSSO local poller fails after recent Microsoft Windows updates (KB5003646, KB5003638, ...).

750551

DST_Root_CA_X3 certificate is expired.

Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information.

VM

Bug ID

Description

587757

FG-VM image cannot be deployed on AWS with the additional HDD (st1) disk type.

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

605511

FG-VM-GCP reboots a couple of times due to kernel panic.

608881

IPsec VPN tunnel does not stay up after failing over in an AWS A-P cross-AZ setup.

640436

FortiGate AWS bootstrapped from configuration does not read SAML settings.

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

685782

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

Web Filter

Bug ID

Description

672994

Web filter warning message does not contain the certificate chain.

717619

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

739349

Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when utm-status is disabled.

WiFi Controller

Bug ID

Description

676689

RADIUS traffic does not match the SD-WAN rule when using the wpad daemon for wireless connections.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

739793

VM license file generated by FortiCare lacks a new line at the end, which causes the cw_acd process to constantly restart.

Workaround: import a certificate called cw_ac_cert or ask Fortinet customer support to regenerate the VM license file.