FortiGate-6000 and FortiGate-7000 Release Notes

Resolved issues

The following issues have been fixed in FortiGate-6000 and FortiGate-7000 FortiOS 6.4.10 Build 1875. For inquiries about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 6.4.10 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.4.10 Build 1875.

| Bug ID | Description |
|---|---|
| 795313, 771680 | Configuring SSL VPN Web portals from the GUI now works correctly. |
| 647254, 802105, 824224 | Duplicate IPv4 ECMP routes no longer appear on FPCs or FPMs on the secondary FortiGate-6000 or 7000 in an FGCP cluster. |
| 652140 | Resolved an issue with CLI error checking when adding source and destination interfaces to an FGSP session sync filter. |
| 654054, 788959 | Resolved an issue that could sometimes block incoming SSL VPN traffic terminated by the FortiGate-6000 or 7000. |
| 667328, 781548, 849570, 807476, 850498 | Resolved multiple issues that caused unregister_vf errors. These errors prevented administrators from changing the configuration and could also prevent configuration synchronization between FortiGate-6000s or 7000s in an FGCP HA cluster. |
| 674979 | The GUI now shows the correct amount of traffic on FortiGate-6000 HA interfaces. |
| 682426, 776795, 806056, 669211 | The ha-direct FGCP HA option now works as expected on the FortiGate-6000 and 7000 to allow local out traffic (such as sending log messages out an HA dedicated management interface). |
| 719609 | Resolved an issue that blocked fragmented ICMP traffic from passing through EMAC VLAN interfaces. |
| 731710 | Resolved an issue with how console baud rate changes are synchronized to FPCs or FIMs and FPMs that caused the console to display unsupported characters after changing the console baud rate. |
| 732009 | Resolved an issue that could cause the quard process to crash with a signal 11 segmentation fault after adding and deleting multiple VDOMs. |
| 734898 | Resolved an issue that could cause the cmdbsvr process to crash with a signal 11 segmentation fault when a FortiGate-6000 or 7000 is very busy while making configuration changes. |
| 752402 | Resolved an issue that sometimes blocked traffic from passing through a FortiGate-7000F because FortiOS assigned an incorrect MAC address to a VLAN interface. |
| 752558 | Resolved an issue that added DNS Safe Search Enforced to DNS filter log messages when DNS safe search was not enabled in the DNS filtering profile. |
| 764386 | If FortiGate-7000F management interfaces are not configured to be FGCP HA heartbeat interfaces or FGSP session synchronization interfaces, you can now assign them IPv6 addresses. |
| 765407 | Resolved an issue that prevented using management interfaces on the secondary FIM in a FortiGate-7000F for FGSP heartbeat traffic. |
| 777336 | Resolved a FortiGate-7000 issue that could cause local out traffic from FIMs and FPMs to have overlapping SNAT port ranges. |
| 777415, 780296, 814330, 821710, 823335, 819962 | Resolved a number of issues with synchronizing SDN connector information among components within a FortiGate-6000 or 7000 or between FortiGate-6000s or 7000s in an FGCP HA configuration. |
| 778260 | DP session monitoring no longer incorrectly refreshes DP IPSec sessions. |
| 779078 | Resolved an issue that caused some synchronized sessions to stay in the CLOSE_WAIT state on the secondary FortiGate-6000 or 7000 in an FGCP cluster. |
| 779839 | Resolved a memory use issue that could cause deep proxy inspection to use excessive amounts of CPU time. |
| 782338 | A single SSL VPN user can no longer tie up multiple client IP addresses, resulting in fewer SSL VPN users being able to get IP addresses than expected. |
| 783689 | Resolved an issue that caused FortiGate-6000F DC models with only one DC PSU connected to power to become unstable, causing some FPCs to restart. |
| 784653, 827567 | Resolved an issue with FortiGate-7000F signature handling that resulted in Fail to append signature error messages and caused the GUI and CLI to indicate that the firmware is not certified. |
| 785815 | FPMs no longer display an incorrect checksum message on the console while restarting. |
| 786659 | Resolved an issue that caused the confsyncd process running on the primary FIM of the primary FortiGate-7121F to crash, preventing configuration changes from synchronizing to the FPMs in the primary FortiGate-7121F. |
| 789847 | The CLI no longer allows you to split the FIM-7921F P1 and P2 interfaces. Splitting these interfaces is not supported by the FIM-7921F hardware. |
| 792617, 786529 | Resolved multiple issues that could cause the confsyncd process to crash. |
| 792717, 783153 | Resolved an issue that caused large numbers of IPsec VPN clients with dead peer detection (DPD) enabled to temporarily block dialup IPsec VPN tunnel traffic. |
| 803536, 850974, 849618, 850924, 823970, 825031 | Resolved multiple issues that could prevent a FortiGate-6000 or 7000 from correctly synchronizing routes after various failover scenarios. |
| 803585 | Resolved memory leak issues that could cause a FortiGate-6000 or 7000 to enter conserve mode and become unresponsive because of high memory utilization. |
| 808859 | The Security Fabric no longer sends CSF discovery packets when the log-unification Security Fabric option is disabled. |
| 809019 | Resolved an issue that prevented the secondary FortiGate-6000 or 7000 in an FGCP HA cluster from replying to SNMP queries sent to one of the secondary FortiGate's in-band management IP addresses. |
| 811615 | Resolved an issue that prevented GTP tunnels from being synchronized to the secondary FortiGate-7000 in an FGCP HA cluster running FortiOS Carrier after the secondary FortiGate-7000 restarts. |
| 813646 | Time zone changes are now successfully synchronized to all FPCs or all FIMs and FPMs. |
| 814698, 852406 | Multiple improvements to FGSP session synchronization. |
| 816012 | The FortiGate-6000 no longer indicates that interfaces configured for 1G speed are always up when the interface socket contains a CR transceiver. |
| 817282 | Fixed some cmdb and configuration synchronization memory leaks that could cause the FortiGate-6000 management board to experience high memory usage. |
| 819329 | Resolved an issue that prevented administrators from pinging the remote interface of a GRE tunnel from the FortiGate-6000 or 7000 CLI. |
| 819521, 818058 | Resolved an issue that prevented the miglogdisk_info file from being updated correctly when a FortiGate-7121F starts up or restarts. The miglogdisk_info file that is present on all FIMs and FPMs should be updated by reading current log disk information every time a FortiGate-7121F chassis restarts. This problem also caused FPMs to be out of synchronization. |
| 821125 | Resolved an issue with IPsec tunnel synchronization that caused IPsec tunnels to block traffic if the firewall policy included one or more user groups. Traffic would be blocked because the user group id was not being synchronized correctly. |
| 822791, 807725, 653092, 811240, 811279 | When a FortiGate-6000 and 7000 management interface is configured to be an HA reserved management interface (using the ha-mgmt-interface HA option), the interface now correctly reverts to using its own permanent MAC address, instead of using the virtual MAC address assigned to the interface by the FGCP. |
| 822976 | Resolved an issue that caused some routes used by IPsec VPNs to be unexpectedly missing from the kernel routing table. |
| 823129 | The FortiGate-7121F now correctly forwards all ICMPv6 non-0x80/81 traffic to the primary FPM. |
| 824205 | Configuration synchronization problems no longer occur when an FPM completes starting up when no FIMs are running or all FIMs are in the process of starting up. |
| 824789 | IPsec tunnels now support authenticating users added to the FortiGate configuration as local users. |
| 826344 | Resolved an issue that created duplicate IPsec VPN event log messages. |
| 828072 | Resolved an issue that would sometimes mean that UTM security events are not linked to forward traffic logs. |
| 830454 | Changing the FPC or FPM that an IPsec tunnel is using can cause traffic in the tunnel to be blocked. The problem is a timing issue, so sometimes traffic will be unaffected when making this configuration change and other times it may be blocked. |
| 830531 | The SNMP sysName field no longer includes a serial number. The sysName field now just returns the host name. |
| 831227, 829767 | Resolved an issue that could cause a FortiGate-6000 or 7000 to be out of synchronization after deleting or importing certificates. |
| 832121 | Resolved an issue that caused IPv6 link-local addresses to not be updated to use HA virtual MAC addresses after enabling FGCP HA. |
| 833488 | Resolved a CMDB issue that can cause the fcnacd process to add a VDOM during stress testing. |
| 835699 | Resolved an issue that caused configuration synchronization looping because incorrect checksums were generated for certificates. As a result, the system would incorrectly determine that certificates were not synchronized and attempt to re-synchronize them. |
| 835847 | Resolved an issue that prevented automation stitches from updating the password policy. |
| 839987 | Resolved an issue with FGCP HA status synchronization between the management board and FPCs or between FIMs and FPMs that could cause traffic to be blocked. The problem would usually occur after the FortiGate-6000s or 7000s in the cluster restarted (for example, after a firmware upgrade). |
| 840459 | The information displayed by the diagnose load-balance switch stats egress command is now correct. |
| 841852 | Resolved an issue that caused the confsyncd process to crash. |
| 841785 | Resolved an issue that could prevent FPMs from sending log messages to syslog servers. |
| 843583, 806401 | Resolved an issue that caused FIM interfaces to have incorrect MAC addresses after reverting from FGCP HA to standalone mode. |
| 844424 | A Transceiver is not detected message is no longer displayed for FIM-7921F interfaces for some supported transceivers. |
| 846164 | Resolved an issue that caused the DP processor to send IPv6 traffic to the wrong FPC. |
| 846382 | FortiGate-7000F FPM front panel interfaces now operate as expected. |
| 847464 | Resolved an issue that caused the DNS proxy process running on a FortiGate-6000 management board and on FPCs to use excessive amounts of CPU time when synchronizing wildcard FQDNs. |
| 848609 | Resolved an issue that blocked IPv6 VIP traffic. |
| 849022, 849787 | IPv6 router advertisement (RA) packets received by the management board or primary FIM are now broadcast to all FPCs or FPMs. |
| 850284 | Active FTP data sessions are no longer handled by different FPCs or FPMs in the FortiGate-6000s or 7000s in an FGSP cluster. |
| 850831 | Resolved an issue that could cause the firewall policy GUI to display statistics for the implicit deny firewall policy when editing any firewall policy. |
| 852500 | The FortiGate-6000F management board and FPCs now have the same default IPS socket size. FortiGate-7000 FIMs and FPMs now also all have the same default IPS socket size. |
| 852770 | Resolved an issue that could prevent the GUI or CLI from displaying correct information about the transceivers installed in management interfaces. |
| 853079, 849650, 848879 | Resolved multiple issues related to support for EMAC VLAN interfaces. |
| 855552 | Resolved an issue that could sometimes prevent administrators from removing quarantined IP addresses from the Quarantine Monitor. |
| 860197 | Resolved an issue that could cause users to see an incomplete webfilter override page. |

Common vulnerabilities and exposures

Visit https://fortiguard.com/psirt for more information.

| Bug ID | CVE references |
|---|---|
| 853448 | FortiOS 6.4.10 for FortiGate-6000 and 7000 is no longer vulnerable to the following CVE Reference: |
