Resolved issues

The following issues have been fixed in Hyperscale firewall for FortiOS 6.2.9 Build 7197. For inquiries about a particular bug, please contact Customer Service & Support. The resolved issues described in the FortiOS 6.2.9 release notes also apply to Hyperscale firewall for FortiOS 6.2.9 Build 7197.

Bug ID            Description
662514            Improved handling of NAT46 traffic to prevent problems caused by the frame size increase that results from converting an IPv4 packet to an IPv6 packet.
695803            Resolved an issue that prevented changing the order of DoS firewall policies from the GUI or CLI.
707298            Resolved an issue that periodically caused the snmpd process to use excessive CPU time.
709046            Resolved an issue that could cause inaccurate statistics reporting when the FortiGate is processing a large number of sessions.
711135, 722922    Resolved synchronization issues that caused various HA-related performance reductions or unexpected behavior.
712023, 713415    Resolved an issue that prevented IPS from scanning traffic in a CAPWAP tunnel when DTLS and nTurbo are enabled.
712221            Resolved an issue that caused SSH management sessions to disconnect after entering the command diagnose traffictest set_pair aggregateInt.
713432, 727173    Adjusted the CPU/Memory Performance Test threshold so that the test produces meaningful results, which are displayed by the diagnose hardware test info command.
714198            Resolved an issue with how IPS redirects NP7 offloaded sessions that could cause excess latency in transparent mode VDOMs. This issue could also block network backup traffic using port 1867.
714800            Resolved an issue that caused NPD process timeouts on the secondary FortiGate in an FGCP cluster after editing a hyperscale firewall policy and changing the CGN IP pool used in the policy.
714915            Changing the configuration of a hardware log server group assigned to a hyperscale firewall policy that is processing traffic no longer causes sessions accepted by that policy to be dropped.
715090            Resolved an issue that prevented the FortiGate-2600F and 2601F from displaying the default fortilink interface on the GUI or CLI.
716094            Resolved an issue that could disrupt traffic when enabling per-IP traffic shaping and max-concurrent-session for a firewall policy with NP7 offloading enabled.
716169            SFP interfaces with speed set to 1000full no longer remain down after the system restarts.
716766, 717564    Resolved synchronization issues that caused various HA-related performance reductions or unexpected behavior.
718713            Configuring an interface to drop fragmented packets (drop-fragment set to enable) now works as expected.
718886            When the SIP session helper is enabled, SIP traffic is offloaded to NP7 processors.
719794            Resolved an issue that could prevent the IP Pool option from appearing in a hyperscale firewall policy.
720203            Resolved an issue that caused session helper sessions to be offloaded to NP7 processors after changing the IP pool in a hyperscale firewall policy.
720592            Resolved an issue that caused hardware sessions to expire on the secondary FortiGate in an FGCP HA cluster.
720595            Hyperscale firewall hardware logging now supports more than ten hardware logging servers.
721231            Resolved an issue that caused IPsec VPN sessions between VDOMs to time out while they are processing traffic.
721246, 721282    Resolved an issue that prevented adding custom service groups to hyperscale firewall policies.
721328            Fixes to DSE hit logic.
721349            Resolved an issue that could cause a WiFi client to disconnect after connecting to a WiFi interface with a tunnel SSID.
721442            Resolved an issue that prevented the diagnose npu np7 gtp-stats-all and diagnose npu np7 gtp-stats <np#> commands from displaying output on the primary FortiGate in an FGCP cluster when GTP enhanced mode is enabled.
722128, 722547    Improved fragmented packet handling to prevent dropped packets when the fragment SKB size is relatively small.
722375            Resolved an NP7 issue with GTP enhanced mode that could block GTP-U traffic.
723551            Resolved an issue that could prevent TFTP ALG sessions from being offloaded to NP7 processors.
725268, 714711    IPsec traffic can now be offloaded when sent over an EMAC VLAN interface.
725343            Messages similar to NPD vd=x get tmo id=xxxx fail! no longer appear after restoring the configuration.
725581            The config log npu-server command no longer generates ICMP log messages if ICMP logging is not enabled.
725978            Sync session count information has been added to the output of the get system ha status command.
726262            The GUI no longer displays an error message when you edit the first port number in a port number range in a CGN resource allocation IP pool.
726265            Resolved synchronization issues that caused various HA-related performance reductions or unexpected behavior.
726531            The log rate is no longer displayed as a negative value after changing hardware logging to host logging mode.
726542            Resolved an issue that kept software sessions in the session table after traffic had stopped.
727391            Resolved an issue that caused PBA leaks when the FortiGate is configured with a large number of VLANs (for example, 1000 VLANs).

                  For optimal performance, set the following option to disable if your configuration includes 256 or more VLANs:

                  config system npu
                      set vlan-lookup-cache {disable | enable}
                  end

                  Enabling or disabling vlan-lookup-cache requires a system restart, so change this setting only during a maintenance window. This option is disabled by default.

727907            Resolved an issue that caused both FortiGates in an FGSP cluster to create duplicate log messages for the same hardware session. The resolution prevents sessions on the secondary FortiGate from creating log messages. This means that if a failover occurs, the session continues on the secondary FortiGate but does not create a session end log message when it ends.
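The behavior change for 727907 matters for log correlation: on the pre-fix build both FGSP members emit the same hardware session records, and on the fixed build a session that fails over to the secondary ends without a session-end record. The following Python is an added example, not FortiOS code or output, showing how a log pipeline can cope with both cases: it dedupes records by (session id, event) so duplicate copies from a second cluster member are dropped, then lists sessions that logged a start but never an end. The log lines are constructed for the example in a simplified key=value style; the field names devname, sessionid and event are assumptions and are not a FortiOS log format.

```python
"""Dedupe FGSP cluster session logs and flag sessions without an end record.

Added example, not FortiOS code. Log lines are constructed in a simplified
key=value style; the field names are assumptions made for this example.
"""
from __future__ import annotations

import shlex
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample: before the 727907 fix both cluster members (fgt-a, fgt-b)
# logged the same hardware session (sessionid=1 appears twice per event). After
# the fix only the primary logs, so a session that failed over to the secondary
# (sessionid=3) has a start record but never an end record.
SAMPLE_LOGS = """\
devname=fgt-a sessionid=1 event=start srcip=10.0.0.5 dstip=203.0.113.9
devname=fgt-b sessionid=1 event=start srcip=10.0.0.5 dstip=203.0.113.9
devname=fgt-a sessionid=1 event=end srcip=10.0.0.5 dstip=203.0.113.9 duration=12
devname=fgt-b sessionid=1 event=end srcip=10.0.0.5 dstip=203.0.113.9 duration=12
devname=fgt-a sessionid=2 event=start srcip=10.0.0.6 dstip=203.0.113.10
devname=fgt-a sessionid=2 event=end srcip=10.0.0.6 dstip=203.0.113.10 duration=3
devname=fgt-a sessionid=3 event=start srcip=10.0.0.7 dstip=203.0.113.11
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (shlex tolerates quoted values)."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def dedupe(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep the first record per (sessionid, event); later copies from another
    cluster member carry no new information and would double-count the session."""
    seen: set = set()
    kept: List[Dict[str, str]] = []
    for rec in records:
        key = (rec.get("sessionid"), rec.get("event"))
        if key in seen:
            continue
        seen.add(key)
        kept.append(rec)
    return kept


def open_sessions(records: Iterable[Dict[str, str]]) -> List[str]:
    """Return session ids that logged a start but no end, which after the fix
    is exactly what a session that failed over to the secondary looks like."""
    events: Dict[str, set] = defaultdict(set)
    for rec in records:
        events[rec["sessionid"]].add(rec["event"])
    return sorted(sid for sid, ev in events.items() if "start" in ev and "end" not in ev)


def analyse(text: str) -> Tuple[int, int, List[str]]:
    """Return (raw record count, deduped record count, sessions lacking an end)."""
    raw = [parse_line(line) for line in text.splitlines() if line.strip()]
    uniq = dedupe(raw)
    return len(raw), len(uniq), open_sessions(uniq)


if __name__ == "__main__":
    total, unique, dangling = analyse(SAMPLE_LOGS)
    print(f"records={total} unique={unique} sessions_without_end={dangling}")
```

On the constructed sample this reports 7 raw records, 5 after deduplication, and session 3 as the only one without an end record. The deduplication step covers clusters still on a pre-fix build; the open-session list is where SIEM correlation rules that expect a matching session-end event need to tolerate a gap after a failover rather than treating the session as still active.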

728453            Resolved an issue that could cause the npd process to crash when editing CGN IP pools. This issue could also cause packets to become stuck. You can use the diagnose npu np7 setreg command to enable a watchdog and adjust the threshold for releasing stuck packets.
730155, 730527    Resolved an issue that caused the reverse deny policy to block all traffic; the fix also improves performance and reduces processing errors.
730160            Resolved an issue that caused inaccurate session counts to be displayed on the GUI for individual VDOMs.
730526            Resolved an issue with how NP7 processors handle internal IPsec processing that could cause LACP/BFD/BGP flapping.
732152            Changes to session-ttl are now applied to all sessions.
734342            Resolved an NP7-related issue, triggered by some traffic shaping configurations, that could cause FortiGate interfaces to become unresponsive because they stopped sending ARP replies. Added a new command, diagnose npu np7 session-offload-stats all, that displays statistics including NP7 session offloading errors.
735269            Resolved an issue with how FortiOS handles hyperscale firewall policy changes that could cause traffic to continue to be accepted by a hyperscale firewall policy after its Action was changed to Deny All while the FortiGate was processing traffic.
735807            Resolved an issue that caused synchronization errors after creating 249 VDOMs.
737535            Resolved an issue that prevented collecting and displaying the session count for NAT64 and NAT46 sessions processed by software.
737112            Resolved an issue that prevented deleting multiple VDOMs when CPU or host hardware logging is enabled.

Common vulnerabilities and exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID            CVE references
677844            Hyperscale firewall for FortiOS 6.2.9 SSL VPN portal is no longer vulnerable to an XSS.
