Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Resolved issues

The following issues have been fixed in version 6.4.0. For inquires about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

557998

Quarantined CDR files cannot be downloaded. Encountered 404 error when clicking Archived File.

563250

Shared memory does not empty out properly under /tmp.

575177

Advanced threat protection statistics widget clean file count is incorrect.

590092

Cannot clear scanunit vdom-stats to reset the statistics on ATP widget.

594696

Sample file eicar.exe cannot pass through SMTPS, POP3S, or IMAPS with deep inspection and flow enabled on IPv6 policy.

Data Leak Prevention

Bug ID

Description

522472 DLP logs have a wrong reference link to archived file.

540317

DLP cannot detect attached zip files when receiving emails via MAPI over HTTP.

546964

DLP sensors and DLP options in firewall policy and profile groups are removed.

563447

Cannot download DLP archived file from GUI for HTTPS, FTPS, SMTP and SMTPS.

571171

Excessive false positives for credit card DLP profiles.

574722

DLP blocks Gmail with deep inspection.

586689

Downloading a file with an FTP client in EPSV mode will hang.

591178

WAD fails to determine the correct file name when downloading a file from Nextcloud.

591676

Enable file filter password protected blocked for 7Z, RAR, PDF, MSOffice, and MSOfficeX.

DNS Filter

Bug ID

Description

561297

DNS filtering does not perform well on the zone transfer when a large DNS zone's AXFR response consists of one or more messages.

563441

7K DNS filter breaking DNS zone transfer.

574980

DNS translation is not working when request is checked against the local FortiGate.

578267

DNS request to a second DNS server with same Transaction ID is discarded when DNS Filter is enabled on a policy.

581778

Cannot re-order DNS domain filter list.

582374

License shows expiry date of 0000-00-00.

583449

DNS filter explicit block all (wildcard FQDN) not working in 6.2 firmware.

586178

In domain threat feed, some URLs cannot be fetched due to SSL error.

586526

Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

586834

With option error-allow DNS attempts fail when FortiGuard servers are unavailable.

Endpoint Control

Bug ID

Description

599826 Replace FSSO with REST API for EMS connector.

608301

EMS serial number format should be flexible.

618757

Add dynamic firewall address to include all FortiGuard destinations required for FortiClient.

Explicit Proxy

Bug ID

Description

504011

FortiGate does not generate traffic logs for SOCKS proxy.

540091

Cannot access explicit FTP proxy via VIP.

571034 Using disclaimer causes incorrect redirection.

576205

App traffic cannot be blocked in a proxy policy with certificate inspection while it works in a firewall policy.

577372 WAD has signal 11 crash at wad_ssl_cert_get_auth_status.

578098

Unwanted traffic log generated for firewall policy with web filter profile as MonitorAll.

585310

Block page is not displayed for a URL in the frames of an allowed web page.

588211

WAD cannot learn policy if multiple policies use the same FQDN address.

589065

FSSO-based NTLM sessions from explicit proxy do not respect timeout duration and type.

589166

EPSV does not work when using an FTP proxy.

589811

urfilter process does not started when adding a category as dstaddr in a proxy policy with the deny action.

590942

AV does not forward reply when GET for FTP over HTTP is used.

590959

FortiGate returns 500 internal error instead of 521 Not logged in - Secure authentication required.

591012

WAD crashed at wad_disclaimer_get with signal 11 when disclaimer is enabled in proxy policy and the browser is Chrome.

594580

FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.

594598

Enabling proxy policies (+400) increases memory by 30% and up to 80% total.

603707

The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.

605209

LDAP ignores source-ip with web proxy Kerberos authentication.

610298

Compare and sync the VSD change in V5.6 to WAD VS.

Firewall

Bug ID

Description

508015

Editing a policy in the GUI changes the FSSO setting to disable.

530907

GTP-authorized SGSNs and authorized GGSNs are not functioning properly.

545121

Should not be allow to change address type that is used in an excluded group.

558996

FortiGate sends type-3 code-1 IP unreachable for VIP.

560011

Fabric device object does not work in NGFW policy.

561170

Traffic is blocked by NGFW policy when SDN connector firewall address is configured in policy.

570507

Application control causing NAT hairpin traffic to be dropped.

Workaround: Create a new firewall policy from scratch and the default application control can be applied again.

574012

Session created by RPC session helper does not honor delay-tcp-npu-session.

577752

Policy with a VIP with a destination interface of a zone is dropping packets.

583173

Policy push from FortiManager failed, issue caused by abandoned ISDB entr.y

584451

NGFW default block page partially loads.

585073

Adding too many address objects to a local-in policy causes all blocking to fail.

585122

Should not be allowed to rename VIP or address with the same name as an existing VIP group or address group object.

590039

Samsung OEM internet browser cannot connect to FortiGate VS/VIP.

593103

When a policy denies traffic for a VIP and send-deny-packet is enabled, ICMP unreachable message references the mapped address, not the external.

595044

Get new CLI signal 11 crash log when performing execute internet-service refresh.

595364

Some NetFlows have an active-flow-timeout when the session does not have any packets and the session cache in NetFlow expires and clears.

596218

ISDB ID is missing when configuring internet service group objects.

596744

Firewall policy hit count is incorrect.

597110

When creating a firewall address with the associated-interface setting, CMD gets stuck if there is a large nested address group.

598000

When SCTP is in closing state and there is traffic passing through to keep it from timing out, even when an INIT is received, the traffic still passes through the old session.

598559

ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.

599253

GUI traffic shaper Bandwidth Utilization should use KBps units.

600051

Cannot establish the connection to the real servers using VIP server load-balancing after upgrading to FortiOS 6.2.2.

600644

IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.

601331

Virtual load-balance VIP and intermittent HTTP health check failures.

603263

Increase the maximum limit for the optional parameters in SCTP INIT packet. After the fix, the maximum limit is 10 instead of 4 parameters.

603927

Multiple entries do not take effect for internet-service-addition after refreshing.

604885

Cannot use the same real server for multiple HTTP host information (server load-balancing).

604886

Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.

606834

Adding more than one dynamic FSSO firewall address results in GUI and CLI errors.

610557

FortiGate VIP object offers weak elliptic curves since VS implementation in WAD for FortiOS 6.0 and above.

611584

FTP and Telnet do not work with IPv6 when application control is enabled.

611840

Firewall policy search with decimal in the name fails in GUI.

612515

Cannot add multicast-policy6, adding it causes CLI to crash.

615073

FTP session helper does not work when there is reflected (auxiliary) session.

FortiView

Bug ID

Description

527540

On multiple FortiView sub-menus, the Quarantine Host option is no longer available.

537819

FortiView All Sessions page tooltip for geography IP shows as undefined.

582341

On Policies page, consolidated policies are without names and tooltips; tooltips not working for security policies.

GUI

Bug ID

Description

282160

GUI does not show byte information for aggregate and VLAN interfaces.

303651

Should hide Override internal DNS option if vdom-dns is set to disable.

354464

Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made.

438298

When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.

445074

The MMS profiles pages have been removed from the FortiOS Carrier GUI.

Workaround: You can configure MMS profiles from the CLI using the config firewall mms-profile command.

451306

Add a tooltip for IPS Rate Based Signatures.

460698

There is no uptime information in the HA Status widget for the secondary unit's GUI.

467495

A message stating that all source interfaces have no members is erroneously displayed for the explicit proxy policy list when a user enables a policy immediately after pasting or inserting it into the list.

478472

Options 150, 15, and 51 for the DHCP server should not be shown after removing them and having no related configuration in the backend.

480731

Interface filter gets incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.

482437

SD-WAN member number is not correct in Interfaces page.

486230

GUI on FG-3800D with 5.6.3 is very slow for configurations with numerous policies.

493527

Compliance events GUI page does not load when redirected from the advanced compliance page.

493704

While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs.

498892

GUI shows wrong relationship between VLAN and physical interface after adding them to a zone.

499658

Editing system interface via the GUI causes the explicit web proxy to be disabled.

502962

Get Fail to retrieve info for default VDOM link on Network > Interfaces page.

504829

GUI should not log out if there is a 401 error on the downstream device.

505066

Not possible to select value for DN field in LDAP GUI browser.

510685

Hardware Switch row is shown indicating a number of interfaces but without any interfaces below.

514027

Cannot disable CORS setting on GUI.

514632

Inconsistent reference count when using ports in HA session-sync-dev.

519102

GUI navigation menu notification should match with issue in the dialog box.

525535

OK button grayed out when editing an interface that has DHCP option 224 in the list with FortiClient-On-Net Status enabled.

526254

Interface page keeps loading when VDOM admin have netgrp permission.

529094

When creating an antispam block/allow list entry, Mark as Reject should be grayed out.

531376

Get Internal Server Error when editing an aggregate link that has a name with a space in it.

534853

Suggest GUI Interfaces list includes SIT tunnels.

536718

Cannot change MAC address setting when configuring a reserved DHCP client.

536843

LACP aggregate interface flaps when adding/removing a member interface (first position in member list).

537307

Failed to retrieve info message appears for ha-mgmt-interface in Network > Interfaces.

538125

Hovering mouse over FortiExtender virtual interface shows incorrect information.

540098

GUI does not display the status for VLAN and loopback in the Network > Interfaces > Status column.

542544

In Log & Report, filtering for blank values (None) always shows no results.

543487 Collected Email Monitor page cannot list the wireless client if connected from captive-portal+email-collection.
543637 Not able to filter the policy by multiple ID.

544442

Virtual IPs page should not show port range dialog box when the protocol is ICMP.

547409

Admin with netgrp privilege unable to get interface page and got pyfcgid crash (signal 11 (Segmentation fault)).

552038

Routing monitor network filter does not filter subnets after upgrading.

552623

Policy list page should not show inline editing icon in column field when logged in as a read-only user.

552811

Scripts pushed from FortiCloud do not show up in System > Advanced Settings when FortiCloud remote access is used.

553290

The tooltip for VLAN interfaces displays as Failed to retrieve info.

555121

Context menu of AP group has unsupported actions enabled after change view on Managed FortiAPs page.

555687

Network mask of a VPN interface is changed to 255.255.255.255 without an actual configuration change.

559799 Webhook automation host header incorrect.

559866

When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via the management tunnel.

560206

Change/remove FortiCloud standalone reference.

563053 Warning message for third-party transceivers were removed for 6.2.1 to prevent excessive RMA or support tickets. 6.2.2 re-added the warning for third-party transceivers.

564201

After OSPF change via GUI, password for virtual-link will completely disappear and must be re-entered.

565109 Add Selected button does not appear under Application Control slide-in when VDOM is enabled.

565309

Application group improvements.

565748

New interface pair consolidated policy added via CLI is not displayed on GUI policy page.

566414

Application Name field shows vuln_id for custom signature, not its application name in logs.

566666

AP comments do not appear on the columns for Managed AP page.

567369

Cannot save DHCP Relay configuration when the Relay IP address list is separated by a comma.

567452

IPS sensor not configurable in GUI with Firefox.

568176

GUI response is very slow when accessing Route Monitor page in GUI.

569080 SD-WAN rule GUI page doesn't show red exclamation mark for DST-negate enabled, like firewall policy.

571909

SSL VPN Settings page shows undefined error.

573070 Interface widget not loading fully (keeps spinning) when a VDOM "prof_admin" is used.

573456

FortiGate without disk email alert settings page should remove Disk usage exceeds option.

573579

Editing policies inline can result in previously selected policies being changed.

573596

GUI shifts central management type to FortiManager after clicking Apply to enable FortiManager Cloud.

573862

Signature name should be shown when VDOM admin has WAF read/write permission only.

573869

Log search index files are never deleted when the log disk is out of space.

574101

Empty firmware version in managed FortiSwitch from FortiGate GUI.

575756

Port Link speed option is missing on the FortiGate GUI after upgrading the managed FortiSwitch to 6.2.1.

575844

Local category for g-default, g-wifi-default web filter profiles should not be displayed.

579259

Firewall User Monitor shows "Failed to retrieve info" and no entries if session-based proxy authentication is used.

579711

Cannot run Security Rating (Fabric device error).

580168

Connected routes in the routing monitor are showing up with 1969/12/31 18:59:59 for Up Since times.

582658

Email filter page keeps loading and cannot create a new profile when the VDOM admin only has

emailfilter permission.

582716

Filtering service availability check always fails once anycast is enabled and override server is set.

583049

Internal server error while trying to create a new interface.

583760

After adding few web rating overrides via GUI to an already existing long list of URIs, Web Rating Overrides page does not load and keeps spinning.

584304

IpSec Monitor window Bring Up function does not work.

584314

NGFW mode should have a link to show all applications in the list.

584419

Issue with application and filter overrides.

584426

Add Selected button does not show up under FSSO Fabric Connector with custom admin profile.

584560

GUI does not have the option to disable the interface when creating a VLAN interface.

584939

VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-".

584949

When the link status is up, the aggregate interface status icon is incorrectly displayed in red.

585055

High CPU utilization by httpsd daemon if there are too many API connections

585924

Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.

586604

No matching IPS signatures are found when Severity or Target filter is applied.

586749

Enable/disable Disarm and Reconstruction in the GUI only affects the SMTP protocol in AV profiles.

587091

When logged in as administrator with web filter read/write only privilege, the Web Rating Overrides GUI page cannot load.

587673

The Interface Pair View option is always unavailable for the Proxy Policy list.

587686

Wrong warning message, All source interface(s) has no members, appears in Proxy Policy page.

588028

If the Endpoint Control feature is disabled, the exempt options for captive portal are not shown in the GUI.

588222

WAN Opt. Monitor displays Total Savings as negative integers during file transfers.

588665

Option to reset statistics from Monitor > WAN Opt. Monitor in GUI does not clear the counters.

589085

Web filter profile warning message when logged in with read/write admin on VDOM environment.

592244

VIPs dialog page should be able to create VIP with the same extip/extport but different source IP address.

593175

FortiGate with no anti-spam license is showing incorrect information under FortiGuard > Filtering Services Availability.

593433

DHCP offset option 2 has to be removed before changing the address range for the DHCP server in the GUI.

593624

GUI behavior is different with local user using super admin profile and TACACS user using super admin profile.

593899

Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.

594162

Interface hierarchy is not respected in the GUI when a LAG interface belongs to SD-WAN and its VLANs belong to a zone.

594565

Wrong Sub-Category appears in the Edit Web Rating Override page.

598247

One-minute memory; CPU and Sessions widgets stopped updating after system entered and exited conserve mode.

598725

Login page shows random characters when system language is not English.

599245

Nessus vulnerability scan tool reports more medium level vulnerabilities for 6.2.3 (B1056) compared with the 6.2.2 result.

599284

Pyfcgid crashed with signal 11 (Segmentation fault) received.

599401

FortiGuard quota category details displays No matching entries found for local category.

599612

GUI should allow user to create redundant IPsec tunnel over different interface to the same remote gateway.

600120

Reduce the number of core used by httpsd for low-end platforms.

601653

When deleting an AV profile in the GUI, there is no confirmation message prompt.

602637

Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.

602692

Security Rating result for SSL VPN certificate fails when using a 384-bit elliptic curve certificate.

603583

Data source is missing in child table entries in a complex type property.

603913

GUI should add interface value check when creating a new zone.

605493

Admin cannot log in to FortiGate GUI.

605677

System goes into conserve mode when editing ISDB entries through GUI.

606074

Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3.

606295

Cannot activate or log out of FortiGate Cloud from widget.

606394

DPD setting in GUI cannot be reflected correctly when Dialup User and On Demand are set by the IPsec wizard.

606428

GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface but sourced from a different IP.

606668

Physical and logical topology pages do not load when admin has read-only permission in Security Fabric.

607972

FortiGate enters conserve mode when accessing Amazon AWS ISDB object.

607982

Edit DNS Filter Profile page cannot be displayed if botnet domain is enabled.

609064

Revoke Token in GUI reports URL not found on server.

610181

FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare.

610573

When saving configuration under global interface, explicit proxy settings are removed.

611388

Firewall Policy page does not show destination when using external block address.

611436

FortiGate displays a hacked web page after selecting an IPS log.

611804

Policy historical view shows policies from other VDOMs.

601345

No warning is shown in GUI when FortiGuard filtering protocol/port setting is not saved.

614802

Get [__svr_d_commit:1508] Update table index error: type=4 when changing the feature set to flow-based with FortiSandbox enabled.

617364

GUI does not list AliCoud SDN address filter.

639756

Monitor > SD-WAN Monitor keeps loading after disabling VPN member.

HA

Bug ID

Description

530215

Application hasync might crash several times due to accessing some memory out of bound when processing hastat data.

540632

In HA, management-ip that is set on a hardware switch interface does not respond to ping after executing reboot.

543602 Unnecessary syncing process started during upgrade when it takes longer.

566108

Some long VDOM name configurations are changed and failed to be in sync after rebooting.

568553

Read-only admin account can failover a HA.

569629

HA A-A local FQDN not resolving on secondary unit.

574564 In an HA configuration with HA uninterruptible upgrade enabled, some signature database files may fail to synchronize upon upgrading from 5.6.9 and earlier to 5.6.10.

575020

HA failing config sync on VM01 with error (secondary and primary units have different hdisk status) when primary unit is pre-configured.

575715

Unable to sync the local gateway in FGSP.

576638 HA cluster GUI change does not send logs to the secondary device immediately.
577115 Primary unit console keeps showing message [ha_auth_set_logon_msg:228] buffer overflow.
578475 FortiGate HA reports not synced if firewall policy of primary and secondary device does not contain the same VIP.

579610

Crash occurs when changing the standalone mode for A-A and A-P in config system ha.

581906

HA secondary device sending out GARP packets in 16-20 seconds after HA monitored interface failed.

584551

hatalk keeps exchanging heartbeat packet incorrectly with FortiManager.

585348

default-gateway injected by dynamic-gateway on PPP interface deleted by other interface down.

585675

exe backup disk alllogs ftp command causes FortiGate to enter conserve mode.

586004

Moving VDOM via GUI between virtual clusters causes cluster to go out of sync and VDOM state work/standby does not change.

586835

HA secondary device unable to get checksum from primary device. HA sync in Z state.

588291

SIP HA message could overwhelm HA secondary box and drive the secondary box to conserve mode.

588908

FG-3400E hasync reports the network is unreachable.

590632

Heartbeat device (interface) up messages not triggered.

590931

Multiple PPPoE connections on a single interface does not sync PPPoE dynamic assigned IP and cannot start re-negotiation.

596837

Deleting tunnel on primary unit via API call will not delete it from the secondary unit.

596575

HA active-active primary unit attempts to steer HTTP and SMTP sessions to secondary unit over NPU-VLINK interfaces.

598937

Local user creation causes HA to be out of sync for several minutes.

601550

Application hasync might crash several times due to accessing some memory out of bound when processing hastat data.

602266

The configuration of the SD-WAN interface gateway IP should not sync.

602406

In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the secondary unit.

613714

HA failover takes over one minute when monitored aggregate interface goes down on primary unit.

616345

Secondary device failed to sync with primary device when FGSP peer is configured, but hasync fails to bind socket.

ICAP

Bug ID

Description

598320

New constraint added in config icap server entries in FortiOS ICAP client feature.

600235

ICAP preview and response-req-hdr coexistence issue.

Intrusion Prevention

Bug ID

Description

540718

Signal 14 alarm crashes were observed on DFA rebuild.

561623

IPS engine 5.009 crashes when updated new FFDB has different size from the old one.

579018

IPS engine 5.030 signal 14 alarm clock crash at nturbo_on_event.

586608

The CPU consumption of ipsengine gets high with customer configuration file.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

605610

Security Policy page is slow to load due to empty security firewall statistic returning from IPS engine.

608501

IPS forwards attacks that are previously identified as dropped.

IPsec VPN

Bug ID

Description

449212 New dialup IPsec tunnel in policy mode/mode-cfg overwrites previously established tunnel.

516029

Remove the IPsec global lock.

539636

Traffic will not pass through VXLAN over dynamic IPsec tunnel.

557812

IPsec does not support the new interface-subnet type in its phase2-interface and ipv4-split-include settings for dialup VPN.

574115

PKI certificates with OU and/or DC as subject fail for PKI user filters.

575238 Redirected traffic on the same interface (ingress and egress interface are the same) is dropped.
575477 IKED memory leak.

576096

mode-cfg IP is missing from the routing table.

577502

OCVPN cannot register, status is undefined.

582251

IKEv2 with EAP peer ID authentication validation does not work.

582876

ADVPN connections from the hub disconnects one-by-one and IKE gets stuck.

584982

The customer is unable to log in to VPN with RADIUS intermittently.

589096

In IPsec after HA failover, performance regression and IKESAs is lost.

589141

Dialup IPsec tunnel DPD discrepancy.

590633

Packet loss observed after ADVPN shortcut is created.

594962

IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate in a remote peer gateway.

595810

Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.

596429

Traffic unable to pass through for certain phase 2 selectors when there is double SA.

597246

When disabling and re-enabling OCVPN after HA failover, cannot establish IPsec tunnel.

597435

Problem establishing ADVPN shortcuts between spokes when the spoke has an additional VPN running.

597748

L2TP/IPsec VPN disconnects frequently.

597845

IPsec VPN over IPv6 ISAKMP SA negotiation failure when setting is IPv4 DHCP mode.

599471

IKEv2 responder can delete static selectors when local narrowing occurs.

602240

IKEv2 EAP-TLS handshake detected retransmit of client, but FortiGate does not retransmit its response.

603090

The OCVPN log file was not closed or properly trimmed due to the incorrect state_refcnt. The OCVPN log file stayed open, grew extremely large, and was never trimmed.

604334

L2TP disconnection when transferring large files.

604923

IKE memory leak when IKEv2 certificate subject alternative name/peer ID matching occurs.

606129

iked crashes when proposal is AES-GCM.

607212

IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured.

609033

After two HA failovers, one VPN interface member of SD-WAN cannot forward packets.

610390

IKEv2 EAP certificate authentication failings after upgrading from to 6.2.1 to 6.2.3.

611148

L2TP/IPsec does not send framed IP address in RADIUS accounting updates.

617419

FortiGate does not assign correct system DNS value to the client connected to dialup VPN.

Log & Report

Bug ID

Description

555161

Application miglogd crashes when numerous DLP logs are generated, where DLP archive files use up system inodes.

562303

miglogd has signal 11 crash.

568795 Specific traffic type is not logged on FortiAnalyzer/memory.

576024

Set sniffer policy to only log logtraffic=utm but many traffic log stats are still generated in disk or FortiAnalyzer.

578057

Action field in traffic log cannot record security policy action—it shows the consolidated policy action.

580887

No traffic log after reducing miglogd child to 1.

583499

Improve local log search logic from aggressive to passive mode to save resources and CPU.

586038

FortiOS 6.0.6 reports too long VPN tunnel durations in local report.

586854

FortiGate sends change notice for global REST APIs once a minute.

590210

vwlservice traffic log has wrong internet-service name when internet-service is enabled in the SD-WAN rule.

590598

Log viewer application control cannot show any logs (page is stuck loading).

590852

Log filter can return empty result when there are too many logs, but the filter result is small.

591152

IPS logs set srcintf(role)/dstinf(role) reversely at the time of IPS signature reverse pattern.

591523

When refreshing logs in GUI, some log_se processes are running extremely long and consuming CPU.

593363

Total sum of vdom log-disk-quota can be set to surpass total HD logging space.

593557

Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.

593907

Miglogd still uses the daylight savings time after daylight savings ends.

594053

Proxy policy forward traffic log should have "timeout" action for no-reply or timeout case.

599860

When logtraffic is set to all, existing sessions cannot change the egress interfaces when the routing table is updated with a new outgoing interface.

602459

GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.

605174

Incorrect sentdelta/rcvddelta in traffic log statistics.

606533

User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI.

608565

FortiGate sends incorrect long session logs to FortiGate Cloud.

615631

radvd records daemon started log when daemon-log is disabled.

616835

Logs from HA secondary device cannot be uploaded to FortiCloud.

Proxy

Bug ID

Description

519861

FortiGate does not bypass the forward server if upstream proxy is down and server-down-option is set to pass.

525328

External resource does not support no content length.

549660

WAD crash with signal 11.

550056

When SNI is exempt in an SSL profile, and the SNI does not match the CN, the FortiGate closes the session and does not perform deep inspection.

551119

Certificate blocklist not working correctly in proxy mode.

560893

When strict SNI check is enabled, FortiGate with certificate inspection cannot block session if SNI does not match CN.

561552

WAD crashed with signal 6 (MAPI/RPC).

566859

In WAD conserve mode 5.6.8, max_blocks value is high on some workers.

567711

SSL mirroring is not working under proxy inspection mode.

567942 FortiGate cannot block blacklist certificate against TLS 1.3 if the blacklist certificate server address is exempt.
572489 SSL handshake sometimes fail due to FortiGate replying back FIN to client.

573028

WAD crash causing traffic interruption.

573721

For FortiGate with client certificate inspect mode, traffic will trigger WAD crash.

573917 Certain web pages time out.

574171

Fail to connect https://drive.google.com by TLS 1.3.

574730 Wildcard URL filter stops working after upgrade.
576852 WAD process crashes in internet_svc_entry_cmp.

579225

FTP proxy traffic is blocked for FSSO guest users.

579400

High CPU with authd process caused by WAD paring multiple line content-encoding error and IPC broken between wad and authd.

580592

Policy in proxy-based mode with AV and WAF profile denies access to Nginx with enabled gzip compression.

580770

SSL decryption breaks App store and Google Play store traffic even though both sites are exempted in the decryption profile.

580943

FortiGate blocklist certificate info is not shown in replace message on certificate inspect case in TLS 1.3.

580952

Improve scanunit to support multiple content encodings.

581865

In Proxy inspection with Application control and certificate inspection, TLS error for certain web pages, in EDGE browser only.

582475

WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

582714

WAD might leak memory during SSL session ticket resumption.

583736

WAD application crashing in 6.2.1.

584719

WAD reads ftp over-limit multi-line response incorrectly.

586909

When CIFS profile is loaded, using MacOS to access Windows Share causes WAD to crash.

587214

WAD crash for wad_ssl_port_on_ocsp_notify.

587987

In case of TLS 1.3 with certificate inspection and a certificate with an empty CN name, WAD workers would locate a random size for CN name and then cause unexpected high memory usage in WAD workers.

589065

FSSO-based NTLM sessions from explicit proxy do not respect timeout duration and type.

592153

Potential memory leak that will be triggered by certificate inspection CIC connection in WAD.

593365

WAD crash due to user learned from proxy not purged from the kernel when user is deleted from proxy or zone with empty interface member.

594725

WAD memory leak detected on cert_hash in wad_ssl_cert.

594829

FTP connection is not working with AV profile in proxy inspection mode when FTP user name contains an "@".

596012

Receive SSL fatal alert with source IP 0.0.0.0.

608387

WAD virtual server with http-multiplex enabled causes crash after server is detached because the http_server object is detached from http_session.

610466

Multiple WAD crash on FG-500D after upgrading from 6.2.3 (wad_url_filter_user_cat_load_entry.constprop.7).

617322

DLP FTP proxy with splice option sends delete command to server before data transfer completes.

REST API

Bug ID

Description

450175

Cannot modify ge and le attributes for router prefix-list table without plugin flag.

553382

REST API to support transaction operation.

587470 REST API to support revision flag.

599516

When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

601613

CMDB plugin should be called when saving data through CMDB REST API.

Routing

Bug ID

Description

371453

OSPF translated type 5 LSA not flushed according to RFC-3101.

524229

SD-WAN health-check keep records useless logs under some circumstances.

537354

BFD/BGP dropping when outbandwidth is set on interface.

570686

FortiOS 6.2.1 introduces asymmetric return path on the hub in SD-WAN after the link change due to SLA on the spoke.

571714 DHCPv6 relay shows no route to host when there are multiple paths to reach it.

576930

Time stamps missing in routing debugs.

578623

Gradual memory increase with full BGP table.

579884

VRF configuration in WWAN interface has no effect after rebooting.

581488

BGP confederation router sending incorrect AS to neighbor group routers.

582078

ISDB ID is changed after restoring the configuration under the situation where the FortiGate has a previous ISDB version.

584095

SD-WAN option of set gateway enable/set default enable override available on connected routes.

584394

VRRP on LAG cannot forward packet after vrrp-virtual-mac is enabled.

584477

In transparent mode with asymmetric routing, packet in the reply direction does not use asymmetric route.

585027

There is no indication in proute if the SD-WAN service is default or not.

585325

IPv6 route cannot be inactive after link-monitor is down when link-monitor are set with ipv4 and ipv6.

587198

After failover/recovery of link, E2 route with non-zero forward address recurses to itself as a next hope.

587700

Routing monitor policy view cannot show source and destination data for SD-WAN route and wildcard destination.

587970

SD-WAN rules route-tag still used in service rule but not in diagnose sys virtual-wan-link route-tag-list.

589620

Link monitor with tunnel as srcintf cannot recover after remote server down/up.

592599

FortiGate sends malformed OSPFv3 LSAReq/LSAck packets on interfaces with MTU = 9k.

593375

OSPF NSSA with multiple ASBR losing valid external OSPF routes in upstream neighbors as different ASBRs are power cycled.

593864

Routing table is not always updated when BGP gets an update with changed next hop.

593951

Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.

594685

Unable to create the IPsec VPN directly in Network > SD-WAN.

595937

PPPoE interface bandwidth is mistakenly calculated as 0 in SD-WAN.

597733

IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit.

598665

BGP route is in routing table but not in FIB (kernel routing table).

599667

OSPF over ADVPN flapping after shortcut tunnel established.

599884

Traffic not following SD-WAN rules when one of the interfaces is VLAN.

600332

SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.

600598

SSH packets marked as CS0.

600830

SD-WAN health check reports have packet loss if response time is longer than the check interval.

600995

Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.

602223

SD-WAN route is not added in routing table when the SD-WAN interface members are IPv4 over IPv6 IPsec.

602679

Prevent BGP daemon crashing when peer breaks TCP connection.

602826

BGP route is not added in to kernel during ADVPN test.

603063

Locally originated traffic on non-default VRF may follow route on VRF 0 when there are routes with the same prefix on both VRFs.

608106

BGP daemon crashes when TCP connection is broken by peer.

611539

Editing/adding any address object that is referenced in policy is generating false positive SD-WAN alert messages.

611708

Make SNMP get BGP peer state timely once BGP neighbor enters or exits established state.

Security Fabric

Bug ID

Description

575495

FGCP dynamic objects are not populated in the secondary unit.

586024

Automation stitch cannot execute shutdown command when FortiGate enters kernel conserve mode.

586587

Security Fabric widget keeps loading when FortiSwitches are in a loop, or the FortiSwitch is in MCLAG mode.

587758

Invalid CIDR format shows as valid by the Security Fabric threat feed.

588262

IP address Threat Feed fabric connector not working.

589503

Threat Feeds show the URL is invalid if there is a special character in the URL.

591015

ACI SDN connector dynamic address cannot be resolved.

592344

CSF automation configuration cannot be synced to downstream from root.

597139

Crash happens due to segfault in CSF.

599474

FortiGate SDN connector not seeing all available tag name-value pairs.

604670

Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system's timezone configuration.

606003

On E model, get Failed to load Topology Report Result error after clicking Update Now button.

606714

auto-script returns failed to get SCSI info from /dev/mmcblk0 memory error.

SSL VPN

Bug ID

Description

476377 SSL VPN FortiClient login with FAC user FTM two-factor fail because it times out too fast.

478957

SSL VPN web portal login history is not displayed if logs are stored in FortiAnalyzer.

491733 When SSL VPN receives multiple HTTPS post requests under web filter, read_request_data_f loops even when client is stopped, which causes the SSL VPN process to use 99% of CPU.

525342

In some special cases, SSL VPN main state machine reads function pointer is empty that will cause SSL VPN daemon crash.

537341

SSL bookmark is not loading SAP portal information.

549994 SSL VPN web mode logon page should not show Skip button for remote user with Force password change on next logon.
556657 Internal website not working through SSL VPN web mode.

557806

Cannot fully load a website through SSL VPN bookmark.

560438

interface subnet object not available in SSL VPN split-tunneling-routing-address.

561585 SSL VPN does not correctly show Windows Admin center application.

563022

SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.

564871

SSL VPN users create multiple connections.

569711

Error for proxy SSH database through SSL VPN.

570171

When accessing ACT application through SSL VPN web mode, the embedded calendar request gets wrong response and redirects to login page.

570445

CMAT application through SSL VPN.

571721 Local portal ad***.ch needs more than 10 min. to load via SSL VPN bookmark.
572653 Unable to access Qlik Sense URL via SSL VPN web mode.

573787

SSL VPN web mode not displaying custom web application's JavaScript parts.

573853 TX packet drops on ssl.root interface.
574551 Subpages on internal websites are not working via SSL VPN web mode (tunnel mode is OK).
574724

In some lower-end FortiGates, the threshold of available memory is not calculated correctly for entering SSL VPN conserve mode. Threshold should be 10% of total memory when the memory is larger than 512 MB and less than 2 GB.

575259 SSL VPN connection is being dropped intermittently.

576013

The SSL VPN web mode webserver link is not rewritten correctly after login.

576288

FSSO groups set in rule with SSL VPN interface.

577522

SSL VPN daemon crashes when logging in several times with RADIUS user that is related to a framed IP address.

578581

SSL web mode VPN portal freezing when opening some websites using JavaScript.

578908

Fails to load bookmark site over SSL VPN portal.

580182 The EOASIS website is not displayed properly using SSL VPN web mode.

580377

Unable to access https://outlook.office365.com as bookmark in SSL VPN web mode.

580384

SSL VPN web mode not redirecting URL as expected after successful login.

581863

Accessing http://nlyte.ote.gr/nlyte/ configured with bookmark name 'NLYTE' not getting authentication page.

582115

Third-party (Ultimo) web app does not load over SSL VPN web portal.

582161

Internal web application is not accessible through web SSL VPN.

582265

RDP sessions are terminated (disconnect) unexpectedly.

583339

Support HSTS include SubDomains and preload option under SSL VPN settings.

584780

When the SSL VPN portal theme is set to red, the style is lost in the SSL VPN portal.

585754

A VPN SSL bookmark failed to load the Proxmox GUI interface.

586032

Unable to download report from an internal server via SSL VPN web mode connection.

586035

The policy "script-src 'self'" will block the SSL VPN proxy URL.

587075

SAML login is not stable for SSL VPN, it requires restarting sslvpnd to enable the function.

587117

SSL handshake failure with Server Architect in web mode.

587300

In web mode, third-party webpage stuck on loading animation; JavaScript error in console.

587732

The SSL VPN web mode SSH widget is not connecting to the SSH server.

588066

SSO for HTTPS fails when using "\" (backslash) with the domain\username format.

588119

There is no OS support for the latest macOS Catalina version (10.15) when using SSL VPN tunnel mode.

588587

Different portals of SIPLAN COMPESA do not show properly in web mode.

588720

SSL VPN web portal bookmarks cannot resolve hostname.

589015

SSO does not correctly URL-encode POST-ed credentials.

590643

href rewrite has some issues with the customer's JS file.

590663

Most charts and diagrams on the website could not be shown in SSL VPN web mode when using a special tool.

592318

After sslvpn proxy, some Kurim JS files run with an error.

592935

sslvpnd crashed on FortiGate.

593082

SSL VPN bookmark does not load Google Maps on internal server.

593367

SSL VPN bookmark does not load after clicking from the portal.

593621

Website not fully loading through web portal bookmark; loads correctly with iPad user agent.

593641

Cannot access HTTPS bookmark, get a blank page.

593850

SSL VPN logs out after some users click through the remote application.

594160

Screen shot feature is not working though SSL VPN portal.

594247

Cannot access https://cdn***.com through SSL VPN web portal.

595505

FortiGate does not send client IP address as a framed IP address to RADIUS server in RADIUS accounting request message.

595627

Cannot access some specific sites through SSL VPN web mode.

595920

SSL VPN web mode goes to 99% on a specific bookmark.

596273

sslvpnd worker process crashes, causing a zombie tunnel session.

596296

SSL VPN fails 90% when connecting with FortiClient.

596352

SAML user name is not correctly recorded in logs when logging in to SSL VPN portal via SSO entry, and history cannot be shown.

596412

Not possible to download PDF file after connecting to portal through SSL VPN bookmark.

596441

FortiOS does not correctly re-write the Exchange OWA logoff URL when accessed via SSL VPN bookmark.

596757

SSL VPN connection stuck at 95% or 98%.

596843

Internal website not working in SSL VPN web mode.

596846

Unable to deauthenticate FSSO user in GUI, but it works in CLI.

597282

The latest FortiOS GUI does not render when accessing it by the SSL VPN portal.

597336

Webpage does not load properly through SSL VPN web mode (fails to show CAPTCHA).

597566

Add SSL VPN SSO user logged in from SAML response.

597634

In SSL VPN web mode, internal web services not working and tunnel mode is working fine.

597658

Internal custom web application page running on Apache Tomcat is not displaying in SSL VPN web mode.

598659

SSL VPN daemon crash.

598660

Internal website is not accessible from SSL VPN as the URL is being modified.

598850

SAML authentication group match does not work for SSL VPN; mismatched SAML user can also log in.

599394

SSL VPN web portal bookmarks are not full loading for Vivendi SelfService application.

599658

GUI is not rendered well by SSL VPN portal when using domain and user to log in.

599668

In SSL VPN web mode, page keeps loading after user authenticates into internal application.

599671

In SSL VPN web mode, cannot display complete content on page, and cannot paste or type in the comments section.

599777

Problem with rat***.com portal accessed via SSL VPN web mode.

599960

RADIUS user and local token push cannot log in to SSL VPN portal/tunnel when the password needs to be changed.

600029

Sending RADIUS accounting interim update messages with SSL VPN client framed IP are delayed.

600098

Unable to access internal web URL via web mode in Safari browser.

600103

sslvpnd crashes when trying to query a DNS host name without a period (.).

601084

Site in .NET framework 4.6 or 4.7 not loading in SSL VPN web mode.

601867

SSL VPN web mode cannot open DFS share subdirectories, gives invalid HTTP request message.

602392

Cannot access remote site using SSL VPN web mode after upgrading to FOS 6.2.2.

602645

SSL VPN synology NAS web bookmark log in page does not work after upgrading to 6.2.3.

603518

Internal website not working in SSL VPN web mode; cannot load ESS/MSS page.

603524

Download progress is not shown for the FTP files of the SSL portal.

603779

Chinese characters are garbled when downloading from SMB/CIFS in SSL VPN web mode.

603817

Internal website is not shown properly in SSL VPN web mode.

603957

SSL VPN LDAP authentication does not work in multiple user group configurations after upgrading the firewall to 6.0.7.

604882

Internal SAP website not working in SSL VPN web mode.

604910

Remedy application website is not accessible from SSL VPN as the URL is being modified.

605110

Mobile token is not required when LDAP user and LDAP group are set in SSL VPN policy together.

605699

Internal HRIS website dropdown list box not loading in SSL VPN web mode.

606094

SSL VPN web mode is not working; SSL VPN portal cannot be accessed.

606271

Double redirection through SSL web mode not working.

607687

RDP connection via SSL VPN web portal does not work with UserPrincipalName (UPN) and NLA security.

608195

AngularJS web application cannot load via SSL VPN web mode.

609351

SSL VPN will renew local user password, even though use is not related to SSL VPN. The remote LDAP user password should renew.

610247

SSL VPN access top*** -- Any*** website problem with SSL VPN web bookmark.

610366

Webpage keep loading using through SSL VPN and bookmark.

610579

Videos from live cameras via SSL VPN web mode not working.

613641

SSL VPN web mode custom FortiClient download URL with %s causing sslvpnd to crash.

614528

Customer unable to load website through SSL VPN web mode.

Switch Controller

Bug ID

Description

517663

On a managed FortiSwitch already running the latest GA image, Upgrade Available is shown.

527695

On a network running FortiSwitch prior to 6.0.0, a syn-error occurs. The network will still function normally.

Workaround: Users with 6.0.x should upgrade to remove the sync-error or disable vlan-optimization. On a network with switch-controller.global.vlan-all-mode all configured, the setting will revert to the default value of defined. Users who wish to maintain the vlan-all-mode all behavior may restore it after upgrading.

557280 Need to add FortiSwitch port information on Security Fabric and device inventory the same as before 6.0.4.

581370

FortiSwitch managed by FortiGate not updating the RADIUS settings and user group in the FortiSwitch.

586299

Adding factory-reset device to HA fails with switch-controller.qos settings in root.

592111

FortiSwitch shows offline CAPWAP response packet getting dropped/failed after upgrading from 6.2.2.

595671

set key-outbound and set key-inbound parameters are missing for GRE tunnel in config system gre-tunnel.

601547

Unable to push user group configuration from FortiGate to FortiSwitch, and user.group configuration is deleted.

607707

Unable to push configuration changes from FortiGate to FortiSwitch.

608231

LLDP policy did not download completely to the managed FortiSwitch 108Es.

613323

FortiSwitch trunk configuration sync issue after FortiGate failover.

System

Bug ID

Description

398024

Some error padding formats of SHA-256 SSL encrypted packets can stop the output function of command queue in CP8.

436904

Get fgt140d_i2c_write_byte_data:874 i2c_write_byte_data(0, 0x73, 0x00, 0x04) error! message by detecting transceiver. Affected platforms: FG-140D and FGT-140D-POE.

444611

Firewall policy is deleted after a hard power cycle and subsequent file system check and reboot.

470875 OID seems to be COUNTER32 instead of GAUGE32.

484749

TCP traffic with tcp_ecn tag cannot go through ipip ipv6 tunnel with NP6 offload enabled.

511790

Router info does not update after plugging out/plugging in USB modem.

519209

diagnose command on VDOM disclose other VDOM information.

527459

SDN address filter unable to handle space character.

527599

Internal prioritization of OSPF/BGP/BFD packets in conjunction with HPE feature to ensure these routing packets are handled in time. It affects all NP6 platforms.

528052

FortiGuard filtering services show as unavailable for read-only admin.

534806

FGR-30D cannot add ports SFP1 and SFP2 on a virtual hardware switch.

544570

Primary unit does not send SNMP trap for all SNMP servers if the cable is plugged out from the interface configured as LAG.

547712

HPE does not protect against DDoS attacks like flood on IKE and BGP destination ports.

550206

Memory (SKB) which is no longer needed is not released in NP6 and NP6lite drivers (FG-100E, FG-140E, FG-3600D, FG-3800D).

556408 Aggregate link does not work for LACP mode active for FG-60E internal ports but works for wan1 and wan2 combination.

567487

CPU goes to 100% when modifying members of an addrgrp object.

568451

Add support for # character in SNMP community name.

570227 FortiGate is not selecting an NTP server that has a clock time in the majority clique of other NTP servers.

570575

PoE ports no longer deliver power.

570759

RX/TX counters for VLAN interfaces based on LACP interface are 0.

570834 STP (spanning tree) flapping.

572003

There was a hardware defect in an earlier revision of SSD used for FG-61E. When powering off then powering on in a very short time, the SSD may jump into ROM mode and cannot recover until a power circle.

572763 softirq causing high CPU when session increase in an acceptable way.

573090

Making a change to a policy through inline editing is very slow with large table sizes.

573177

GUI cannot save edits made on replacement messages in a VDOM. When using CLI, user gets logged out while editing.

573238

Session TTL expiry timer is not reset for VLAN traffic when offloading is enabled.

573973

ASIC offloading sessions sticking to interfaces after SD-WAN SLA interface selection.

574086 Kernel panic occurs after upgrading from 6.2.0 to 6.2.1.
574110 When adding admin down interface as a member of aggregate interface, it shows up and process the traffic.

574327

FortiGate CSR traffic to SCEP server generated from the root VDOM instead of the VDOM createf for the CSR.

574716

ospfNbrState OID takes too long to update.

574991

FortiGate can't extract the user principal name UPN from user certificate when certificate contains UPN and additional names.

576054

Missing mpsk-schedules option when restoring configuration via VDOM.

576337

SNMP polling stopped when FortiManager API script executed onto FortiGate.

576389

Cannot see the IP in diag ip address list if the secondary IP is deleted, set as the primary IP, and secondary-IP is disabled.

577047

FortiGate takes a long time to reboot when it has many firewall addresses used in many policies.

577302 Virtual WAN Link process (vwl) memory usage keeps increasing after upgrading to 6.2.1.

577423

FG-80D and FG-92D kernel error in CLI during FortiGate boot up.

578259

FG-3980E VLANs over LAG interface show no TX/RX statistics.

578269

Mismatch between number of lists with CPU usage OID and number of CPU threads.

578531

forticldd deamon resolved mgrctrl1.fortinet.com to wrong IP address.

578608

High CPU usage due to dnsproxy process as high at 99%.

578746

FortiGate does not accept FortiManager created country code and causes address install fails.

579168

The status of port in aggregate is not correct after changing its status.

579524 DHCP lease is not stable and dhcpd process crashes.

580038

Problems with cmdbsvr while handling a large number of FSSO address groups and security policies.

580185

authd4 crashes when deleting a VDOM or rebooting the FortiGate.

580883

DNS servers acquired via PPPoE in non-management VDOMs are used for DHCP DNS server option 6.

581496

FG-201E stops sending out packets and NP6lite is stuck.

581528

SSH/RDP sessions are terminated unexpectedly.

581998

Session clash event log found on FG-6500F when passing a lot of the same source IP ICMP traffic over load-balance VIP.

582498

Traffic cannot be offloaded to both NTurbo and NP6 when DOS policy is applied on ingress/egress interface in a policy with IPS.

582520

Enabling offloading drops fragmented packets.

582547

fgfmsd crash makes connection to FortiManager go down.

583199

fgfmsd crashed with signal 11 when some code accesses a VDOM that has been deleted, but does not check the return value from CMDB query.

583602

Script to purge and re-create a local-in-policy ran against the remote FortiGate directly (in the CLI) is causing auto-update issues.

584622

SNMP trap cannot display FortiGate model in OSPF trap information.

585841

Console outputs unregister_netdevice error on UoM setup.

586042

NTPD does not requery the DNS server unless it restarts.

586301

GUI cannot show default Fortinet logo for replacement messages.

586551

When an SD-WAN member is disabled or VWL is disabled, snmpwalk shows "No Such Object available on this agent at this OID" message.

587498

FortiGate sends ICMP type 3 code 3 (port unreachable) for UDP 500 and UDP 520 against vulnerability scan.

587521

VIP server load-balancing persistence HTTP cookie not refreshed after the timer.

587540

NetFlow traffic records sent with wrong interface index 0 (inputint = 0 and outputint = 0)

587952

get system inter transceiver reports error for some transceivers.

587995

Packet loss happened in FTP traffic for some cases.

588035

Kernel crashes when sniffing packets on interfaces that are related to EMAC VLAN.

588202

FortiGate returns invalid configuration during FortiManager retrieving configuration.

589027

EMAC VLAN drops traffic when asymmetric roue enabled on internet VDOM.

589079

QSFP interface goes down when the get system interface transceiver command is interrupted.

589234

Local system DNS setting instead of DNS setting acquired from upstream DHCP server was assigned to client under management VDOM.

589517

Dedicated management CPU running on high CPU (soft IRQ).

589723

Wrong source IP is bound for config system fortiguard.

589978

alertemail username length cannot go beyond 35 characters.

590021

Enabling auto-asic-offload results in keeping action=deny in traffic log with an accept entry.

590295

OID for the IPsec VPN phase 2 selector only displays the first one on the list.

590423

FortiManager needs patch and minor number to update global database when FortiGate firmware upgrade does not trigger an auto-retrieve configuration.

591078

Get zip conf file failed -1 error message when doing cfg-save.

591466

Cannot change the mask for an existing secondary IP on interfaces.

592148

Issue with TCP packets when traversing the virtual wire pair in transparent mode.

592570

VLAN switch does not work on FG-100E.

592787

FortiGate got rebooted automatically due to kernel crash.

592827

FortiGate is not sending DHCP request after receiving offer.

593426

Remove DST for Brazil.

593606

diagnose hardware test suite all fails due to FortiLink loopback test.

594018

Update daemon is locked to one resolved update server.

594499

Communication over PPPoE fails after installing PPPoE configuration from FortiManager.

594596

Crash caused by JSON filter because a null check is not done.

594865

diagnose internet-service match does not return the IP value of the IP reputation database object.

595244

There is duplicate information when checking interface references in global.

595338

Unable to execute ping6 when configuring execute ping6-options tos, except for

default.

595467

Invalid multicast policy created after transparent VDOM restored.

596180

Constant DHCPD crashes.

596421

FG-3400E/FG-3600E link is up on 25G ports only when the FEC is disabled on the Ixia tester.

598527

ISDB may cause crashes after downgrading FortiGate firmware.

600032

SNMP does not provide routing table for non-management VDOM.

601454

For 32-bit system, there is no bandwidth-unit option in traffic-shaper, but the guaranteed-bandwidth/maximum-bandwidth help text still says Units depend on the bandwidth-unit setting.

601866

nTurbo set IRQ affinity as failed when platform has quite a few PCIe devices and many interrupts are requested during system bootup.

602523

DDNS monitor-interface uses the monitored interface if DDNS services other than FortiGuard DDNS are used.

602548

Some of the clients are not getting their IP through DHCP intermittently.

602643

Interfaces get removed from SD-WAN after rebooting when interface is defined in both SD-WAN and zone.

603551

DHCPv6 relay does not work on FG-2200E.

603693

GCM ciphers should be supported on SSH management.

604462

xcvrd crashed with signal 11.

604550

Locally-originated DHCP relay traffic on non-default VRF may follow route on VRF 0.

604613

sentbyte of NTP on local traffic log shows as 0 bytes, even though NTP client receives the packet.

604699

Header line that is not freed might cause system to enter conserve mode in a transparent mode deployment.

606597

When changing time zone on FG-101E, get Failed to set SMC timezone message.

607015

More than usual NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens quite often on some global NTP servers.

607357

High CPU usage issue caused by high depth expectation sessions in the same hash table slot.

607452

Automatically logged out of CLI when trying to configure STP due to /bin/newcli crash.

607836

Failed to set ping-option source to Auto.

608185

Number of resource records is limited to 16384 on DSN server.

608442

After a reboot of the PPPoE server, the FortiGate (PPPoE clients, 35 clients) keeps flapping (connection down and up) for a long time before connecting successfully.

608648

FortiCarrier 3000D kernel panic when establishing GTP tunnel.

609112

IPv6 push update fails.

609783

SNMP failed to retrieve HA cluster secondary information from secondary serial number in TP mode.

610470

A single IP existing in IP range format may cause some issues in other daemons.

610903

SMC NTP functions are enabled on some of the models that do not support the feature.

610976

Get kernel panic when creating VLAN on GENEVE interface.

612113

xcvrd attaches shared memory multiple times causing huge memory consumption.

612302

FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the fly.

612351

Many no session matched logs while managing FortiGate.

613017

ip6-extra-addr does not perform router advertisement after reboot in HA.

613410

Host header has been added to the HTTP 1.0 request for CRL file.

616022

Long delay and cmdbsvr at 100% CPU consumption when modifying address objects and address groups via GUI or REST API.

620479

FG-3600E interface speed setting is changed from 1000full to 10000full after upgrading from 6.2.3.

Upgrade

Bug ID

Description

580450

Policies were removed after an upgrade in NGFW policy mode. Error message that Maximum number of entries has been reached.

586123

Service group lost default members when restoring a configuration file via VDOM.

586793

Address objects have reference to old firewall policy after upgrading from 6.0.6 > 6.2.x NGFW policies.

User & Authentication

Bug ID

Description

466651

The FortiToken Mobile push functionality on the FortiGate lacks the ability to map to a custom SSL certificate.

546794

De-authentication of RSSO user does not clear the login from the motherboard.

557947

Non-RSSO RADIUS server shows in FSSO GUI, which should only show RSSO RADIUS servers.

567831

Local FSSO poller regularly missing logon events.

573317

SSO admin with a user name over 35 characters cannot log in after the first login.

581519

Creating SCEP enrollment in context global no longer seems to work if VDOM is configured as the management VDOM.

583745

Wrong categorization of OS from device detection.

586334

Brief connectivity loss on shared service when RDP session is logged in to from local device.

586394

Authentication list entry is not created/updated after changing the client PC with another user in FSSO polling mode.

587293

The session to the SQL database is closed as timeout when a new user logs in to terminal server.

587519

fnbamd takes high CPU usage and user not able to authenticate.

587666

Mobile token authentication does not work for SSL VPN on SOC3 platforms.

Affected models include: FG-60E, FG-60E-POE, FG-61E, FG-80E, FG-80E-POE, FG-81E, FG-81E-POE, FG-100E, FG-100EF, FG-101E, FG-140E, FWF-60E, FWF-61E.

591461

FortiGate does not send user IP to TACACS server during authentication.

592047

GUI RADIUS test fails with vdom-dns configuration.

592241

Gmail POP3 authentication fails with certificate error since version 6.0.5.

592253

RADIUS state attribute truncated in access request when using third-party MFA (ping ID).

593116

Client PC matching multiple authentication methods (firewall, FSSO, RSSO, WSSO) may not be matched to NGFW policies correctly.

593361

No source IP option available for OCSP certificate checking.

593949

Two-factor LDAP and token authentication silently fails for users with many memberships.

594863

UPN extraction does not work for particular PKI.

595583

Device identification of LLDP on an aggregate does not work.

596844

Admin GUI login makes the FortiGate unstable when there are lots of devices detected by device identification.

597118

URL redirection is not supported when making up a certificate chain list.

597496

Guest user log in expires after first log in and no longer works; user is not removed from the firewall authentication list after the set time.

602407

Deny log messages do not contain the username and group information.

603457

Guest user groups cannot be deleted.

604844

auth-concurrent setting in user group is not working as expected.

605206

FortiClient server certificate in FSSO CA uses weak public key strength of 1024 bits and certificate expiring in May 2020.

605404

FortiGate does not respond to disclaimer page request when traffic hits a disclaimer-enabled policy with thousands of address objects.

615513, 697304

The scep-url option is truncated to 64 characters, despite the maximum length being 255 characters.

VM

Bug ID

Description

524052

Application cloudinitd has signal 11 crash on FortiGate-VM64-GCP.

561909

Azure SDN connector tries querying invalid FQDN when using Azure Stack integrated systems.

571212

Only one CPU core in AWS is being used for traffic processing.

575346

gui-wanopt cache missing under system settings after upgrading a FortiGate VM with two disks.

575400

In Azure SDN, the firewall address filter cannot fetch the secondary public and private IP addresses of the NICs.

577653

vMotion tasks cause connections to be dropped as sessions related to vMotion VMs do not appear on the destination VMX.

577856

Add missing AWS HA failover error log and set firewall.vip/vip46/vip6/vip64 not syncing when cross zone HA is configured.

578727

FG-VM-OPC unable to failover the route properly during failover.

578966

OpenStack PCI pass through sub-interface VLAN cannot receive traffic.

579708

Should replace GUI option to register to FortiCare from AWS PAYG with link to portal for registration.

579948

New FGCP primary device is not updated in AWS route tables to reference the correct ENI.

580738

In the cluster setup, secondary unit can have different fingerprint for the OCI SDN connector, which can cause unit to fail to connect to the OCI metatdata server properly.

580911

EIP assigned to the secondary IP address on the OCI does not fail over during HA failover.

582123

EIP does not failover if the primary FortiGate is rebooted or stopped from the Alibaba Cloud console.

586954

FGCP cluster member reboots in infinite loop and hatalk daemon dumps the core with segmentation fault.

587757

FG-VM image unable to be deployed on AWS with additional HDD (st1) disk type.

588436

Azure SDN connector unable to connect to Azure Kubneretes integrated with AAD.

589445

VM deployed in ESX platform with VMXNET3 does not show the correct speed and duplex settings.

590140

FG-VM-LENC unable to validate new license.

590149

Azure FortiGate crashing frequently when MLX4 driver RX jumbo.

590253

VLAN not working on FortiGate in a Hyper-V deployment.

590555

Allow PAYG AWS VM to bootstrap the configuration first before acquiring FortiCare license.

590780

Azure FortiGate-VM (BYOL) unable to boot up when loading a lower vCPU license than the instance's vCPU.

591563

Azure autoscale not syncing after upgrading to 6.2.2.

592000

In Alibaba Cloud, multiple VPC route entries fail to switch when HA fails over.

592611

HA not fully failing over when using OCI.

593797

FG-VM64-AWS not responding to ICMP6 request when destination IPv6 address is in the neighbor cache entry.

594248

Enabling or disabling SR-IOV under vNIC creates duplicate MAC addresses and extra interfaces on the FortiGate.

596430

If central-management server is set to FortiManager IP address and FortiGuard update-server-location is set to usa, the FOS-VM is able to get web filter license and server list from FortiManager, but the GUI shows the service availability as down.

597003

Unable to bypass self-signed certificates on Chrome in macOS Catalina.

598419

Static routes are not in sync on FortiGate Azure.

599430

FG-VM-AZURE fails to bootup due to rtnl_lock deadlock.

600975

Race condition may prevent FG-VM-Azure from booting up because of deadlock when processing NETVSC offering and vPCI offering at the same time.

601357

FortiGate VM Azure in HA has unsuccessful failover.

601528

License validation failure log message missing when using FortiManager to validate a VM.

603365

HA secondary member instance shuts down due to RAM difference after stopping/starting the cluster instances.

603426

AWS-PAYG in HA setup can lose its VM license after rebooting with certain setup.

603599

VIP in autoscale on GCP not syncing to other nodes.

605103

E1000 network adapter will be deleted if there is a VMXNET3 network adapter.

605435

API call to associate elastic IP is triggered only when the unit becomes the primary device.

606439

License validation failure log message missing when using FortiManager to validate a VM.

609283

IP pools are synchronized in FortiGate Azure HA.

612611

Very hard to download image for FG-AWSONDEMAND from FDS.

614038

VMotion causing sessions to be disconnected as sessions are considered stateless.

VoIP

Bug ID

Description

570430

SIP ALG generates a VoIP session with wrong direction.

580588

SDP information fields are not being NATted in multipart media encapsulation traffic.

582271

Add support for Cisco IP Phone keepalive packet.

599117

voipd process crash.

601275

MGCP session helper does not NAT the MGCP body.

Web Filter

Bug ID

Description

551956

Proxy web filtering blocks innocent sites due to urlsource="FortiSandBox Block".

560904

In NGFW mode, Security Profiles GUI is missing Web Rating Overrides page.

581523

Wrong web filter category when using flow-based inspection.

587120

Administrator logged in with web filter read/write privilege cannot create or edit web filter profiles in the GUI.

593203

Cannot enter a name for a web rating override and save—error message appears when entering the name.

606965

Unable to allow specific YouTube channel when all other YouTube channels or videos are blocked.

617225

URL is not exempted when the URL matches an exempt entry in urlfilter as well as a block entry in the FortiGuard category.

WiFi Controller

Bug ID

Description

520677

When editing a FortiAP profile on the FortiGate web UI, the previously selected SSID group(s) cannot be displayed.

540027

FortiWiFi working as client mode cannot see and connect to the hotspot SSID from iOS devices.

555659

When FortiAP is managed with cross VDOM links, the WiFi client cannot join to SSID when auto-asic-offload is enabled.

559370

darrp-optimize-schedules configurations move to the global settings instead of VDOM.

563630

Kernel panic observed on FWF-60E.

566054

Errors pop up while creating or editing as SSID.

567011

WPA2-Enterprise SSID should support acct-all-servers setting in RADIUS to send accounting messages to all servers.

567933

FortiAP unable to connect to FortiGate via IPsec VPN tunnel with dtls-policy clear-text.

572350

FortiOS GUI cannot support FAP-U431F and FAP-U433F profiles.

Workaround: Edit wtp-profile of FAP-U431F and FAP-U433F in the CLI.

577394

hostapd (wpad_ac) crashed while removing RADIUS accounting servers.

579908

Tunnel mode SSID packet loss seen from FAP-U24JEV and 800 connected APs.

580169

Captive portal (disclaimer) redirect not working for Android phones.

580793

Auto-generated consolidated policy should skip saving in configuartion file/CMDB.

587586

cw_acd crashes multiple times.

594170

FortiAPs not shown in the GUI.

595653

FortiGate in transparent mode cannot manage FortiAP devices successfully.

599690

Unable to perform COA with device MAC address for 802.1x wireless connection when use-management-vdom is enabled.

601012

When upgrading from 5.6.9 to 6.0.8, channels 120, 124, and 128 are no longer there for NZ country code.

607045

Interim accounting update message was not sent after acct-interim-interval was set from 0 if the RADIUS server was used.

608717

Packet loss over CAPWAP tunneled SSID.

615219

FortiGate cannot create WTP entry for FortiAP in transparent mode.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

558685

FortiOS 6.4.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-12812

577643

FortiOS 6.4.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-15706

606237

FortiOS6.4.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-6648

618757, 623460

FortiOS6.4.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-12818

Resolved issues

The following issues have been fixed in version 6.4.0. For inquires about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

557998

Quarantined CDR files cannot be downloaded. Encountered 404 error when clicking Archived File.

563250

Shared memory does not empty out properly under /tmp.

575177

Advanced threat protection statistics widget clean file count is incorrect.

590092

Cannot clear scanunit vdom-stats to reset the statistics on ATP widget.

594696

Sample file eicar.exe cannot pass through SMTPS, POP3S, or IMAPS with deep inspection and flow enabled on IPv6 policy.

Data Leak Prevention

Bug ID

Description

522472 DLP logs have a wrong reference link to archived file.

540317

DLP cannot detect attached zip files when receiving emails via MAPI over HTTP.

546964

DLP sensors and DLP options in firewall policy and profile groups are removed.

563447

Cannot download DLP archived file from GUI for HTTPS, FTPS, SMTP and SMTPS.

571171

Excessive false positives for credit card DLP profiles.

574722

DLP blocks Gmail with deep inspection.

586689

Downloading a file with an FTP client in EPSV mode will hang.

591178

WAD fails to determine the correct file name when downloading a file from Nextcloud.

591676

Enable file filter password protected blocked for 7Z, RAR, PDF, MSOffice, and MSOfficeX.

DNS Filter

Bug ID

Description

561297

DNS filtering does not perform well on the zone transfer when a large DNS zone's AXFR response consists of one or more messages.

563441

7K DNS filter breaking DNS zone transfer.

574980

DNS translation is not working when request is checked against the local FortiGate.

578267

DNS request to a second DNS server with same Transaction ID is discarded when DNS Filter is enabled on a policy.

581778

Cannot re-order DNS domain filter list.

582374

License shows expiry date of 0000-00-00.

583449

DNS filter explicit block all (wildcard FQDN) not working in 6.2 firmware.

586178

In domain threat feed, some URLs cannot be fetched due to SSL error.

586526

Unable to change DNS filter profile category action after upgrading from 6.0.5 to 6.2.0.

586834

With option error-allow DNS attempts fail when FortiGuard servers are unavailable.

Endpoint Control

Bug ID

Description

599826 Replace FSSO with REST API for EMS connector.

608301

EMS serial number format should be flexible.

618757

Add dynamic firewall address to include all FortiGuard destinations required for FortiClient.

Explicit Proxy

Bug ID

Description

504011

FortiGate does not generate traffic logs for SOCKS proxy.

540091

Cannot access explicit FTP proxy via VIP.

571034 Using disclaimer causes incorrect redirection.

576205

App traffic cannot be blocked in a proxy policy with certificate inspection while it works in a firewall policy.

577372 WAD has signal 11 crash at wad_ssl_cert_get_auth_status.

578098

Unwanted traffic log generated for firewall policy with web filter profile as MonitorAll.

585310

Block page is not displayed for a URL in the frames of an allowed web page.

588211

WAD cannot learn policy if multiple policies use the same FQDN address.

589065

FSSO-based NTLM sessions from explicit proxy do not respect timeout duration and type.

589166

EPSV does not work when using an FTP proxy.

589811

urfilter process does not started when adding a category as dstaddr in a proxy policy with the deny action.

590942

AV does not forward reply when GET for FTP over HTTP is used.

590959

FortiGate returns 500 internal error instead of 521 Not logged in - Secure authentication required.

591012

WAD crashed at wad_disclaimer_get with signal 11 when disclaimer is enabled in proxy policy and the browser is Chrome.

594580

FTP traffic over HTTP explicit proxy does not generate traffic logs once receiving error message.

594598

Enabling proxy policies (+400) increases memory by 30% and up to 80% total.

603707

The specified port configurations of https-incoming-port for config web-proxy explicit disappeared after rebooting.

605209

LDAP ignores source-ip with web proxy Kerberos authentication.

610298

Compare and sync the VSD change in V5.6 to WAD VS.

Firewall

Bug ID

Description

508015

Editing a policy in the GUI changes the FSSO setting to disable.

530907

GTP-authorized SGSNs and authorized GGSNs are not functioning properly.

545121

Should not be allow to change address type that is used in an excluded group.

558996

FortiGate sends type-3 code-1 IP unreachable for VIP.

560011

Fabric device object does not work in NGFW policy.

561170

Traffic is blocked by NGFW policy when SDN connector firewall address is configured in policy.

570507

Application control causing NAT hairpin traffic to be dropped.

Workaround: Create a new firewall policy from scratch and the default application control can be applied again.

574012

Session created by RPC session helper does not honor delay-tcp-npu-session.

577752

Policy with a VIP with a destination interface of a zone is dropping packets.

583173

Policy push from FortiManager failed, issue caused by abandoned ISDB entr.y

584451

NGFW default block page partially loads.

585073

Adding too many address objects to a local-in policy causes all blocking to fail.

585122

Should not be allowed to rename VIP or address with the same name as an existing VIP group or address group object.

590039

Samsung OEM internet browser cannot connect to FortiGate VS/VIP.

593103

When a policy denies traffic for a VIP and send-deny-packet is enabled, ICMP unreachable message references the mapped address, not the external.

595044

Get new CLI signal 11 crash log when performing execute internet-service refresh.

595364

Some NetFlows have an active-flow-timeout when the session does not have any packets and the session cache in NetFlow expires and clears.

596218

ISDB ID is missing when configuring internet service group objects.

596744

Firewall policy hit count is incorrect.

597110

When creating a firewall address with the associated-interface setting, CMD gets stuck if there is a large nested address group.

598000

When SCTP is in closing state and there is traffic passing through to keep it from timing out, even when an INIT is received, the traffic still passes through the old session.

598559

ISDB matches all objects and chooses the best one based on their weight values and the firewall policy.

599253

GUI traffic shaper Bandwidth Utilization should use KBps units.

600051

Cannot establish the connection to the real servers using VIP server load-balancing after upgrading to FortiOS 6.2.2.

600644

IPS engine did not resolve nested address groups when parsing the address group table for NGFW security policies.

601331

Virtual load-balance VIP and intermittent HTTP health check failures.

603263

Increase the maximum limit for the optional parameters in SCTP INIT packet. After the fix, the maximum limit is 10 instead of 4 parameters.

603927

Multiple entries do not take effect for internet-service-addition after refreshing.

604885

Cannot use the same real server for multiple HTTP host information (server load-balancing).

604886

Session stuck in proto_state=61 only when flow-based AV is enabled in the policy.

606834

Adding more than one dynamic FSSO firewall address results in GUI and CLI errors.

610557

FortiGate VIP object offers weak elliptic curves since VS implementation in WAD for FortiOS 6.0 and above.

611584

FTP and Telnet do not work with IPv6 when application control is enabled.

611840

Firewall policy search with decimal in the name fails in GUI.

612515

Cannot add multicast-policy6, adding it causes CLI to crash.

615073

FTP session helper does not work when there is reflected (auxiliary) session.

FortiView

Bug ID

Description

527540

On multiple FortiView sub-menus, the Quarantine Host option is no longer available.

537819

FortiView All Sessions page tooltip for geography IP shows as undefined.

582341

On Policies page, consolidated policies are without names and tooltips; tooltips not working for security policies.

GUI

Bug ID

Description

282160

GUI does not show byte information for aggregate and VLAN interfaces.

303651

Should hide Override internal DNS option if vdom-dns is set to disable.

354464

Antivirus archive logging enabled from the CLI will be disabled by editing the antivirus profile in the GUI, even if no changes are made.

438298

When VDOM is enabled, the interface faceplate should only show data for interfaces managed by the admin.

445074

The MMS profiles pages have been removed from the FortiOS Carrier GUI.

Workaround: You can configure MMS profiles from the CLI using the config firewall mms-profile command.

451306

Add a tooltip for IPS Rate Based Signatures.

460698

There is no uptime information in the HA Status widget for the secondary unit's GUI.

467495

A message stating that all source interfaces have no members is erroneously displayed for the explicit proxy policy list when a user enables a policy immediately after pasting or inserting it into the list.

478472

Options 150, 15, and 51 for the DHCP server should not be shown after removing them and having no related configuration in the backend.

480731

Interface filter gets incorrect result (EMAC VLAN, VLAN ID, etc.) when entries are collapsed.

482437

SD-WAN member number is not correct in Interfaces page.

486230

GUI on FG-3800D with 5.6.3 is very slow for configurations with numerous policies.

493527

Compliance events GUI page does not load when redirected from the advanced compliance page.

493704

While accessing the FortiGate page, PC browser memory usage keeps spiking and finally PC hangs.

498892

GUI shows wrong relationship between VLAN and physical interface after adding them to a zone.

499658

Editing system interface via the GUI causes the explicit web proxy to be disabled.

502962

Get Fail to retrieve info for default VDOM link on Network > Interfaces page.

504829

GUI should not log out if there is a 401 error on the downstream device.

505066

Not possible to select value for DN field in LDAP GUI browser.

510685

Hardware Switch row is shown indicating a number of interfaces but without any interfaces below.

514027

Cannot disable CORS setting on GUI.

514632

Inconsistent reference count when using ports in HA session-sync-dev.

519102

GUI navigation menu notification should match with issue in the dialog box.

525535

OK button grayed out when editing an interface that has DHCP option 224 in the list with FortiClient-On-Net Status enabled.

526254

Interface page keeps loading when VDOM admin have netgrp permission.

529094

When creating an antispam block/allow list entry, Mark as Reject should be grayed out.

531376

Get Internal Server Error when editing an aggregate link that has a name with a space in it.

534853

Suggest GUI Interfaces list includes SIT tunnels.

536718

Cannot change MAC address setting when configuring a reserved DHCP client.

536843

LACP aggregate interface flaps when adding/removing a member interface (first position in member list).

537307

Failed to retrieve info message appears for ha-mgmt-interface in Network > Interfaces.

538125

Hovering mouse over FortiExtender virtual interface shows incorrect information.

540098

GUI does not display the status for VLAN and loopback in the Network > Interfaces > Status column.

542544

In Log & Report, filtering for blank values (None) always shows no results.

543487 Collected Email Monitor page cannot list the wireless client if connected from captive-portal+email-collection.
543637 Not able to filter the policy by multiple ID.

544442

Virtual IPs page should not show port range dialog box when the protocol is ICMP.

547409

Admin with netgrp privilege unable to get interface page and got pyfcgid crash (signal 11 (Segmentation fault)).

552038

Routing monitor network filter does not filter subnets after upgrading.

552623

Policy list page should not show inline editing icon in column field when logged in as a read-only user.

552811

Scripts pushed from FortiCloud do not show up in System > Advanced Settings when FortiCloud remote access is used.

553290

The tooltip for VLAN interfaces displays as Failed to retrieve info.

555121

Context menu of AP group has unsupported actions enabled after change view on Managed FortiAPs page.

555687

Network mask of a VPN interface is changed to 255.255.255.255 without an actual configuration change.

559799 Webhook automation host header incorrect.

559866

When sending CSF proxied request, segfault happens (httpsd crashes) if FortiExplorer accesses root FortiGate via the management tunnel.

560206

Change/remove FortiCloud standalone reference.

563053 Warning message for third-party transceivers were removed for 6.2.1 to prevent excessive RMA or support tickets. 6.2.2 re-added the warning for third-party transceivers.

564201

After OSPF change via GUI, password for virtual-link will completely disappear and must be re-entered.

565109 Add Selected button does not appear under Application Control slide-in when VDOM is enabled.

565309

Application group improvements.

565748

New interface pair consolidated policy added via CLI is not displayed on GUI policy page.

566414

Application Name field shows vuln_id for custom signature, not its application name in logs.

566666

AP comments do not appear on the columns for Managed AP page.

567369

Cannot save DHCP Relay configuration when the Relay IP address list is separated by a comma.

567452

IPS sensor not configurable in GUI with Firefox.

568176

GUI response is very slow when accessing Route Monitor page in GUI.

569080 SD-WAN rule GUI page doesn't show red exclamation mark for DST-negate enabled, like firewall policy.

571909

SSL VPN Settings page shows undefined error.

573070 Interface widget not loading fully (keeps spinning) when a VDOM "prof_admin" is used.

573456

FortiGate without disk email alert settings page should remove Disk usage exceeds option.

573579

Editing policies inline can result in previously selected policies being changed.

573596

GUI shifts central management type to FortiManager after clicking Apply to enable FortiManager Cloud.

573862

Signature name should be shown when VDOM admin has WAF read/write permission only.

573869

Log search index files are never deleted when the log disk is out of space.

574101

Empty firmware version in managed FortiSwitch from FortiGate GUI.

575756

Port Link speed option is missing on the FortiGate GUI after upgrading the managed FortiSwitch to 6.2.1.

575844

Local category for g-default, g-wifi-default web filter profiles should not be displayed.

579259

Firewall User Monitor shows "Failed to retrieve info" and no entries if session-based proxy authentication is used.

579711

Cannot run Security Rating (Fabric device error).

580168

Connected routes in the routing monitor are showing up with 1969/12/31 18:59:59 for Up Since times.

582658

Email filter page keeps loading and cannot create a new profile when the VDOM admin only has

emailfilter permission.

582716

Filtering service availability check always fails once anycast is enabled and override server is set.

583049

Internal server error while trying to create a new interface.

583760

After adding few web rating overrides via GUI to an already existing long list of URIs, Web Rating Overrides page does not load and keeps spinning.

584304

IpSec Monitor window Bring Up function does not work.

584314

NGFW mode should have a link to show all applications in the list.

584419

Issue with application and filter overrides.

584426

Add Selected button does not show up under FSSO Fabric Connector with custom admin profile.

584560

GUI does not have the option to disable the interface when creating a VLAN interface.

584939

VPN event logs are incorrectly filtered when there are two Action filters and one of them contains "-".

584949

When the link status is up, the aggregate interface status icon is incorrectly displayed in red.

585055

High CPU utilization by httpsd daemon if there are too many API connections

585924

Wrong traffic shaper bandwidth unit on 32-bit platform GUI pages.

586604

No matching IPS signatures are found when Severity or Target filter is applied.

586749

Enable/disable Disarm and Reconstruction in the GUI only affects the SMTP protocol in AV profiles.

587091

When logged in as administrator with web filter read/write only privilege, the Web Rating Overrides GUI page cannot load.

587673

The Interface Pair View option is always unavailable for the Proxy Policy list.

587686

Wrong warning message, All source interface(s) has no members, appears in Proxy Policy page.

588028

If the Endpoint Control feature is disabled, the exempt options for captive portal are not shown in the GUI.

588222

WAN Opt. Monitor displays Total Savings as negative integers during file transfers.

588665

Option to reset statistics from Monitor > WAN Opt. Monitor in GUI does not clear the counters.

589085

Web filter profile warning message when logged in with read/write admin on VDOM environment.

592244

VIPs dialog page should be able to create VIP with the same extip/extport but different source IP address.

593175

FortiGate with no anti-spam license is showing incorrect information under FortiGuard > Filtering Services Availability.

593433

DHCP offset option 2 has to be removed before changing the address range for the DHCP server in the GUI.

593624

GUI behavior is different with local user using super admin profile and TACACS user using super admin profile.

593899

Upgrading from build 0932 to build 1010 displays Malware Hash Threat Feed is not found or enabled error.

594162

Interface hierarchy is not respected in the GUI when a LAG interface belongs to SD-WAN and its VLANs belong to a zone.

594565

Wrong Sub-Category appears in the Edit Web Rating Override page.

598247

One-minute memory; CPU and Sessions widgets stopped updating after system entered and exited conserve mode.

598725

Login page shows random characters when system language is not English.

599245

Nessus vulnerability scan tool reports more medium level vulnerabilities for 6.2.3 (B1056) compared with the 6.2.2 result.

599284

Pyfcgid crashed with signal 11 (Segmentation fault) received.

599401

FortiGuard quota category details displays No matching entries found for local category.

599612

GUI should allow user to create redundant IPsec tunnel over different interface to the same remote gateway.

600120

Reduce the number of core used by httpsd for low-end platforms.

601653

When deleting an AV profile in the GUI, there is no confirmation message prompt.

602637

Block intra-zone traffic toggle button function is inverted in FortiOS 6.2.3.

602692

Security Rating result for SSL VPN certificate fails when using a 384-bit elliptic curve certificate.

603583

Data source is missing in child table entries in a complex type property.

603913

GUI should add interface value check when creating a new zone.

605493

Admin cannot log in to FortiGate GUI.

605677

System goes into conserve mode when editing ISDB entries through GUI.

606074

Interfaces is missing in the GUI in sections for IPv4 Policy and SSL-VPN Settings after upgrading from 6.2.2 to 6.2.3.

606295

Cannot activate or log out of FortiGate Cloud from widget.

606394

DPD setting in GUI cannot be reflected correctly when Dialup User and On Demand are set by the IPsec wizard.

606428

GUI does not allow multiple IPsec tunnels with the same destination IP bound to the same interface but sourced from a different IP.

606668

Physical and logical topology pages do not load when admin has read-only permission in Security Fabric.

607972

FortiGate enters conserve mode when accessing Amazon AWS ISDB object.

607982

Edit DNS Filter Profile page cannot be displayed if botnet domain is enabled.

609064

Revoke Token in GUI reports URL not found on server.

610181

FG-OPC-ONDEMAND (FGVMPG license) shows FortiCare is not supported even though the license was registered in FortiCare.

610573

When saving configuration under global interface, explicit proxy settings are removed.

611388

Firewall Policy page does not show destination when using external block address.

611436

FortiGate displays a hacked web page after selecting an IPS log.

611804

Policy historical view shows policies from other VDOMs.

601345

No warning is shown in GUI when FortiGuard filtering protocol/port setting is not saved.

614802

Get [__svr_d_commit:1508] Update table index error: type=4 when changing the feature set to flow-based with FortiSandbox enabled.

617364

GUI does not list AliCoud SDN address filter.

639756

Monitor > SD-WAN Monitor keeps loading after disabling VPN member.

HA

Bug ID

Description

530215

Application hasync might crash several times due to accessing some memory out of bound when processing hastat data.

540632

In HA, management-ip that is set on a hardware switch interface does not respond to ping after executing reboot.

543602 Unnecessary syncing process started during upgrade when it takes longer.

566108

Some long VDOM name configurations are changed and failed to be in sync after rebooting.

568553

Read-only admin account can failover a HA.

569629

HA A-A local FQDN not resolving on secondary unit.

574564 In an HA configuration with HA uninterruptible upgrade enabled, some signature database files may fail to synchronize upon upgrading from 5.6.9 and earlier to 5.6.10.

575020

HA failing config sync on VM01 with error (secondary and primary units have different hdisk status) when primary unit is pre-configured.

575715

Unable to sync the local gateway in FGSP.

576638 HA cluster GUI change does not send logs to the secondary device immediately.
577115 Primary unit console keeps showing message [ha_auth_set_logon_msg:228] buffer overflow.
578475 FortiGate HA reports not synced if firewall policy of primary and secondary device does not contain the same VIP.

579610

Crash occurs when changing the standalone mode for A-A and A-P in config system ha.

581906

HA secondary device sending out GARP packets in 16-20 seconds after HA monitored interface failed.

584551

hatalk keeps exchanging heartbeat packet incorrectly with FortiManager.

585348

default-gateway injected by dynamic-gateway on PPP interface deleted by other interface down.

585675

exe backup disk alllogs ftp command causes FortiGate to enter conserve mode.

586004

Moving VDOM via GUI between virtual clusters causes cluster to go out of sync and VDOM state work/standby does not change.

586835

HA secondary device unable to get checksum from primary device. HA sync in Z state.

588291

SIP HA message could overwhelm HA secondary box and drive the secondary box to conserve mode.

588908

FG-3400E hasync reports the network is unreachable.

590632

Heartbeat device (interface) up messages not triggered.

590931

Multiple PPPoE connections on a single interface does not sync PPPoE dynamic assigned IP and cannot start re-negotiation.

596837

Deleting tunnel on primary unit via API call will not delete it from the secondary unit.

596575

HA active-active primary unit attempts to steer HTTP and SMTP sessions to secondary unit over NPU-VLINK interfaces.

598937

Local user creation causes HA to be out of sync for several minutes.

601550

Application hasync might crash several times due to accessing some memory out of bound when processing hastat data.

602266

The configuration of the SD-WAN interface gateway IP should not sync.

602406

In a FortiGate HA cluster, performance SLA (SD-WAN) information does not sync with the secondary unit.

613714

HA failover takes over one minute when monitored aggregate interface goes down on primary unit.

616345

Secondary device failed to sync with primary device when FGSP peer is configured, but hasync fails to bind socket.

ICAP

Bug ID

Description

598320

New constraint added in config icap server entries in FortiOS ICAP client feature.

600235

ICAP preview and response-req-hdr coexistence issue.

Intrusion Prevention

Bug ID

Description

540718

Signal 14 alarm crashes were observed on DFA rebuild.

561623

IPS engine 5.009 crashes when updated new FFDB has different size from the old one.

579018

IPS engine 5.030 signal 14 alarm clock crash at nturbo_on_event.

586608

The CPU consumption of ipsengine gets high with customer configuration file.

590087

When IPS pcap is enabled, traffic is intermittently disrupted after disk I/O reaches IOPS limit.

605610

Security Policy page is slow to load due to empty security firewall statistic returning from IPS engine.

608501

IPS forwards attacks that are previously identified as dropped.

IPsec VPN

Bug ID

Description

449212 New dialup IPsec tunnel in policy mode/mode-cfg overwrites previously established tunnel.

516029

Remove the IPsec global lock.

539636

Traffic will not pass through VXLAN over dynamic IPsec tunnel.

557812

IPsec does not support the new interface-subnet type in its phase2-interface and ipv4-split-include settings for dialup VPN.

574115

PKI certificates with OU and/or DC as subject fail for PKI user filters.

575238 Redirected traffic on the same interface (ingress and egress interface are the same) is dropped.
575477 IKED memory leak.

576096

mode-cfg IP is missing from the routing table.

577502

OCVPN cannot register, status is undefined.

582251

IKEv2 with EAP peer ID authentication validation does not work.

582876

ADVPN connections from the hub disconnects one-by-one and IKE gets stuck.

584982

The customer is unable to log in to VPN with RADIUS intermittently.

589096

In IPsec after HA failover, performance regression and IKESAs is lost.

589141

Dialup IPsec tunnel DPD discrepancy.

590633

Packet loss observed after ADVPN shortcut is created.

594962

IPsec VPN IKEv2 interoperability issue when the FortiGate uses a group as P2 selectors with a non-FortiGate in a remote peer gateway.

595810

Unable to reach network resources via L2TP over IPsec with WAN PPPoE connection.

596429

Traffic unable to pass through for certain phase 2 selectors when there is double SA.

597246

When disabling and re-enabling OCVPN after HA failover, cannot establish IPsec tunnel.

597435

Problem establishing ADVPN shortcuts between spokes when the spoke has an additional VPN running.

597748

L2TP/IPsec VPN disconnects frequently.

597845

IPsec VPN over IPv6 ISAKMP SA negotiation failure when setting is IPv4 DHCP mode.

599471

IKEv2 responder can delete static selectors when local narrowing occurs.

602240

IKEv2 EAP-TLS handshake detected retransmit of client, but FortiGate does not retransmit its response.

603090

The OCVPN log file was not closed or properly trimmed due to the incorrect state_refcnt. The OCVPN log file stayed open, grew extremely large, and was never trimmed.

604334

L2TP disconnection when transferring large files.

604923

IKE memory leak when IKEv2 certificate subject alternative name/peer ID matching occurs.

606129

iked crashes when proposal is AES-GCM.

607212

IKEv2 DPD is not triggered if network overlay network ID was mismatched when first configured.

609033

After two HA failovers, one VPN interface member of SD-WAN cannot forward packets.

610390

IKEv2 EAP certificate authentication failings after upgrading from to 6.2.1 to 6.2.3.

611148

L2TP/IPsec does not send framed IP address in RADIUS accounting updates.

617419

FortiGate does not assign correct system DNS value to the client connected to dialup VPN.

Log & Report

Bug ID

Description

555161

Application miglogd crashes when numerous DLP logs are generated, where DLP archive files use up system inodes.

562303

miglogd has signal 11 crash.

568795 Specific traffic type is not logged on FortiAnalyzer/memory.

576024

Set sniffer policy to only log logtraffic=utm but many traffic log stats are still generated in disk or FortiAnalyzer.

578057

Action field in traffic log cannot record security policy action—it shows the consolidated policy action.

580887

No traffic log after reducing miglogd child to 1.

583499

Improve local log search logic from aggressive to passive mode to save resources and CPU.

586038

FortiOS 6.0.6 reports too long VPN tunnel durations in local report.

586854

FortiGate sends change notice for global REST APIs once a minute.

590210

vwlservice traffic log has wrong internet-service name when internet-service is enabled in the SD-WAN rule.

590598

Log viewer application control cannot show any logs (page is stuck loading).

590852

Log filter can return empty result when there are too many logs, but the filter result is small.

591152

IPS logs set srcintf(role)/dstinf(role) reversely at the time of IPS signature reverse pattern.

591523

When refreshing logs in GUI, some log_se processes are running extremely long and consuming CPU.

593363

Total sum of vdom log-disk-quota can be set to surpass total HD logging space.

593557

Logs to syslog server configured with FQDN addresses fail when the DNS entry gets updated for the FQDN address.

593907

Miglogd still uses the daylight savings time after daylight savings ends.

594053

Proxy policy forward traffic log should have "timeout" action for no-reply or timeout case.

599860

When logtraffic is set to all, existing sessions cannot change the egress interfaces when the routing table is updated with a new outgoing interface.

602459

GUI shows 401 Unauthorized error when downloading forward traffic logs with the time stamp as the filter criterion.

605174

Incorrect sentdelta/rcvddelta in traffic log statistics.

606533

User observes FGT internal error while trying to log in or activate FortiGate Cloud from the web UI.

608565

FortiGate sends incorrect long session logs to FortiGate Cloud.

615631

radvd records daemon started log when daemon-log is disabled.

616835

Logs from HA secondary device cannot be uploaded to FortiCloud.

Proxy

Bug ID

Description

519861

FortiGate does not bypass the forward server if upstream proxy is down and server-down-option is set to pass.

525328

External resource does not support no content length.

549660

WAD crash with signal 11.

550056

When SNI is exempt in an SSL profile, and the SNI does not match the CN, the FortiGate closes the session and does not perform deep inspection.

551119

Certificate blocklist not working correctly in proxy mode.

560893

When strict SNI check is enabled, FortiGate with certificate inspection cannot block session if SNI does not match CN.

561552

WAD crashed with signal 6 (MAPI/RPC).

566859

In WAD conserve mode 5.6.8, max_blocks value is high on some workers.

567711

SSL mirroring is not working under proxy inspection mode.

567942 FortiGate cannot block blacklist certificate against TLS 1.3 if the blacklist certificate server address is exempt.
572489 SSL handshake sometimes fail due to FortiGate replying back FIN to client.

573028

WAD crash causing traffic interruption.

573721

For FortiGate with client certificate inspect mode, traffic will trigger WAD crash.

573917 Certain web pages time out.

574171

Fail to connect https://drive.google.com by TLS 1.3.

574730 Wildcard URL filter stops working after upgrade.
576852 WAD process crashes in internet_svc_entry_cmp.

579225

FTP proxy traffic is blocked for FSSO guest users.

579400

High CPU with authd process caused by WAD paring multiple line content-encoding error and IPC broken between wad and authd.

580592

Policy in proxy-based mode with AV and WAF profile denies access to Nginx with enabled gzip compression.

580770

SSL decryption breaks App store and Google Play store traffic even though both sites are exempted in the decryption profile.

580943

FortiGate blocklist certificate info is not shown in replace message on certificate inspect case in TLS 1.3.

580952

Improve scanunit to support multiple content encodings.

581865

In Proxy inspection with Application control and certificate inspection, TLS error for certain web pages, in EDGE browser only.

582475

WAD is crashing with signal 6 in wad_fmem_free when processing SMB2/CIFS.

582714

WAD might leak memory during SSL session ticket resumption.

583736

WAD application crashing in 6.2.1.

584719

WAD reads ftp over-limit multi-line response incorrectly.

586909

When CIFS profile is loaded, using MacOS to access Windows Share causes WAD to crash.

587214

WAD crash for wad_ssl_port_on_ocsp_notify.

587987

In case of TLS 1.3 with certificate inspection and a certificate with an empty CN name, WAD workers would locate a random size for CN name and then cause unexpected high memory usage in WAD workers.

589065

FSSO-based NTLM sessions from explicit proxy do not respect timeout duration and type.

592153

Potential memory leak that will be triggered by certificate inspection CIC connection in WAD.

593365

WAD crash due to user learned from proxy not purged from the kernel when user is deleted from proxy or zone with empty interface member.

594725

WAD memory leak detected on cert_hash in wad_ssl_cert.

594829

FTP connection is not working with AV profile in proxy inspection mode when FTP user name contains an "@".

596012

Receive SSL fatal alert with source IP 0.0.0.0.

608387

WAD virtual server with http-multiplex enabled causes crash after server is detached because the http_server object is detached from http_session.

610466

Multiple WAD crash on FG-500D after upgrading from 6.2.3 (wad_url_filter_user_cat_load_entry.constprop.7).

617322

DLP FTP proxy with splice option sends delete command to server before data transfer completes.

REST API

Bug ID

Description

450175

Cannot modify ge and le attributes for router prefix-list table without plugin flag.

553382

REST API to support transaction operation.

587470 REST API to support revision flag.

599516

When managing FortiGate via FortiGate Cloud, sometimes user only gets read-only access.

601613

CMDB plugin should be called when saving data through CMDB REST API.

Routing

Bug ID

Description

371453

OSPF translated type 5 LSA not flushed according to RFC-3101.

524229

SD-WAN health-check keep records useless logs under some circumstances.

537354

BFD/BGP dropping when outbandwidth is set on interface.

570686

FortiOS 6.2.1 introduces asymmetric return path on the hub in SD-WAN after the link change due to SLA on the spoke.

571714 DHCPv6 relay shows no route to host when there are multiple paths to reach it.

576930

Time stamps missing in routing debugs.

578623

Gradual memory increase with full BGP table.

579884

VRF configuration in WWAN interface has no effect after rebooting.

581488

BGP confederation router sending incorrect AS to neighbor group routers.

582078

ISDB ID is changed after restoring the configuration under the situation where the FortiGate has a previous ISDB version.

584095

SD-WAN option of set gateway enable/set default enable override available on connected routes.

584394

VRRP on LAG cannot forward packet after vrrp-virtual-mac is enabled.

584477

In transparent mode with asymmetric routing, packet in the reply direction does not use asymmetric route.

585027

There is no indication in proute if the SD-WAN service is default or not.

585325

IPv6 route cannot be inactive after link-monitor is down when link-monitor are set with ipv4 and ipv6.

587198

After failover/recovery of link, E2 route with non-zero forward address recurses to itself as a next hope.

587700

Routing monitor policy view cannot show source and destination data for SD-WAN route and wildcard destination.

587970

SD-WAN rules route-tag still used in service rule but not in diagnose sys virtual-wan-link route-tag-list.

589620

Link monitor with tunnel as srcintf cannot recover after remote server down/up.

592599

FortiGate sends malformed OSPFv3 LSAReq/LSAck packets on interfaces with MTU = 9k.

593375

OSPF NSSA with multiple ASBR losing valid external OSPF routes in upstream neighbors as different ASBRs are power cycled.

593864

Routing table is not always updated when BGP gets an update with changed next hop.

593951

Improve algorithm to distribute ECMP traffic for source IP-based/destination IP-based.

594685

Unable to create the IPsec VPN directly in Network > SD-WAN.

595937

PPPoE interface bandwidth is mistakenly calculated as 0 in SD-WAN.

597733

IPv6 ECMP routes cannot be synchronized correctly to HA secondary unit.

598665

BGP route is in routing table but not in FIB (kernel routing table).

599667

OSPF over ADVPN flapping after shortcut tunnel established.

599884

Traffic not following SD-WAN rules when one of the interfaces is VLAN.

600332

SD-WAN GUI page bandwidth shows 0 issues when there is traffic running.

600598

SSH packets marked as CS0.

600830

SD-WAN health check reports have packet loss if response time is longer than the check interval.

600995

Policy routes with large address groups containing FQDNs no longer work after upgrading to 6.2.2.

602223

SD-WAN route is not added in routing table when the SD-WAN interface members are IPv4 over IPv6 IPsec.

602679

Prevent BGP daemon crashing when peer breaks TCP connection.

602826

BGP route is not added in to kernel during ADVPN test.

603063

Locally originated traffic on non-default VRF may follow route on VRF 0 when there are routes with the same prefix on both VRFs.

608106

BGP daemon crashes when TCP connection is broken by peer.

611539

Editing/adding any address object that is referenced in policy is generating false positive SD-WAN alert messages.

611708

Make SNMP get BGP peer state timely once BGP neighbor enters or exits established state.

Security Fabric

Bug ID

Description

575495

FGCP dynamic objects are not populated in the secondary unit.

586024

Automation stitch cannot execute shutdown command when FortiGate enters kernel conserve mode.

586587

Security Fabric widget keeps loading when FortiSwitches are in a loop, or the FortiSwitch is in MCLAG mode.

587758

Invalid CIDR format shows as valid by the Security Fabric threat feed.

588262

IP address Threat Feed fabric connector not working.

589503

Threat Feeds show the URL is invalid if there is a special character in the URL.

591015

ACI SDN connector dynamic address cannot be resolved.

592344

CSF automation configuration cannot be synced to downstream from root.

597139

Crash happens due to segfault in CSF.

599474

FortiGate SDN connector not seeing all available tag name-value pairs.

604670

Time zone of scheduled automation stitches will always be taken as GMT-08:00 regardless of the system's timezone configuration.

606003

On E model, get Failed to load Topology Report Result error after clicking Update Now button.

606714

auto-script returns failed to get SCSI info from /dev/mmcblk0 memory error.

SSL VPN

Bug ID

Description

476377 SSL VPN FortiClient login with FAC user FTM two-factor fail because it times out too fast.

478957

SSL VPN web portal login history is not displayed if logs are stored in FortiAnalyzer.

491733 When SSL VPN receives multiple HTTPS post requests under web filter, read_request_data_f loops even when client is stopped, which causes the SSL VPN process to use 99% of CPU.

525342

In some special cases, SSL VPN main state machine reads function pointer is empty that will cause SSL VPN daemon crash.

537341

SSL bookmark is not loading SAP portal information.

549994 SSL VPN web mode logon page should not show Skip button for remote user with Force password change on next logon.
556657 Internal website not working through SSL VPN web mode.

557806

Cannot fully load a website through SSL VPN bookmark.

560438

interface subnet object not available in SSL VPN split-tunneling-routing-address.

561585 SSL VPN does not correctly show Windows Admin center application.

563022

SSL VPN LDAP group object matching only matches the first policy; is not consistent with normal firewall policy.

564871

SSL VPN users create multiple connections.

569711

Error for proxy SSH database through SSL VPN.

570171

When accessing ACT application through SSL VPN web mode, the embedded calendar request gets wrong response and redirects to login page.

570445

CMAT application through SSL VPN.

571721 Local portal ad***.ch needs more than 10 min. to load via SSL VPN bookmark.
572653 Unable to access Qlik Sense URL via SSL VPN web mode.

573787

SSL VPN web mode not displaying custom web application's JavaScript parts.

573853 TX packet drops on ssl.root interface.
574551 Subpages on internal websites are not working via SSL VPN web mode (tunnel mode is OK).
574724

In some lower-end FortiGates, the threshold of available memory is not calculated correctly for entering SSL VPN conserve mode. Threshold should be 10% of total memory when the memory is larger than 512 MB and less than 2 GB.

575259 SSL VPN connection is being dropped intermittently.

576013

The SSL VPN web mode webserver link is not rewritten correctly after login.

576288

FSSO groups set in rule with SSL VPN interface.

577522

SSL VPN daemon crashes when logging in several times with RADIUS user that is related to a framed IP address.

578581

SSL web mode VPN portal freezing when opening some websites using JavaScript.

578908

Fails to load bookmark site over SSL VPN portal.

580182 The EOASIS website is not displayed properly using SSL VPN web mode.

580377

Unable to access https://outlook.office365.com as bookmark in SSL VPN web mode.

580384

SSL VPN web mode not redirecting URL as expected after successful login.

581863

Accessing http://nlyte.ote.gr/nlyte/ configured with bookmark name 'NLYTE' not getting authentication page.

582115

Third-party (Ultimo) web app does not load over SSL VPN web portal.