Resolved issues
The following issues have been fixed in version 6.4.10. To inquire about a particular bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description
---|---
702646 | Re-enable JavaScript heuristic detection and fix detection blocking content despite a low rating.
745266 | When a proxy-based policy with AV is applied, files over 37 KB are not allowed to transfer through the PowerShell script.
767816 | HTTP 200 OK is not forwarded by WAD when an AV profile is enabled in a proxy-based policy.
800731 | Flow AV sends HTML files to the FortiGate Cloud Sandbox every time, even when HTML is not configured in the file list.
Application Control
Bug ID | Description
---|---
787130 | Application control does not block FTP traffic on an explicit proxy.
791294 | Empty application control logs appear in policy-based mode since 7.0.0.
DNS Filter
Bug ID | Description
---|---
692482 | DNS filter forwards the DNS status code 1
744572 | In multi-VDOM with default
796052 | If local-in and transparent requests are hashed into the same local ID list, when the DNS proxy receives a response, it finds the wrong query for requests with the same ID and domain.
Endpoint Control
Bug ID | Description
---|---
802900 | The dynamic address in a firewall policy tagged with EMS matching is not consistent.
Explicit Proxy
Bug ID | Description
---|---
664380 | When configuring explicit proxy with forward server, if
755298 | SNI
765761 | A firewall with forward proxy and UTM enabled sends the TLS probe with the forward proxy IP instead of the real server IP.
778339 | Improve the logic for removing the HTTP Proxy-Authorization/Authorization header to prevent user credentials from leaking.
780211 | 
798954 | Cisco Webex with explicit proxy and SSL deep inspection stops working after upgrading FortiOS.
816879 | When an explicit proxy is enabled with IP pools, certificate inspection probe sessions use the interface IP instead of IPs from the configured IP pool. Therefore, when the interface IP is not allowed to connect externally, the probe session fails and traffic does not work.
Firewall
Bug ID | Description
---|---
599638 | Get unexpected count for
644638 | A policy with a Tor exit node as the source does not block traffic coming from Tor.
675977 | The
688887 | The CLI should give a warning message when changing the address type from
767226 | When a policy denies traffic for a VIP and
770668 | The packet dropped counter is not incremented for
773035 | Custom service names are not displayed correctly in logs with a port range of more than 3000 ports.
791735 | The number of sessions in
803270 | Unexpected value for
FortiView
Bug ID | Description
---|---
692734 | When using the 5 minute time period, if the FortiGate system time is 40 to 59 seconds behind the browser time, no data is retrieved.
695347 | Add support to display security policies in the real time view on the Dashboard > FortiView Policies page.
701979 | On the Dashboard > FortiView Web Sites_FAZ page, many websites have an Unrated category, and drilling down on these results displays no data.
707649 | On the Dashboard > FortiView Sources page, when filtering by source and then drilling down to sessions, the GUI API call does not set the source IP filter.
GUI
Bug ID | Description
---|---
473841 | A newly created deny policy incorrectly has logging disabled, and logging cannot be enabled when the Security Fabric is enabled.
630216 | A user can browse HA secondary logs in the GUI, but when the user downloads these logs, the primary FortiGate's logs are downloaded instead.
663558 | Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.
713529 | When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on GUI operation.
734773 | On the System > HA page, when vCluster is enabled and the management VDOM is not the root VDOM, the GUI incorrectly displays the management VDOM as the primary VDOM.
735248 | On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.
739827 | On FG-VM64-AZURE, the administrator is logged out every few seconds, and the following message appears in the browser: Some cookies are misusing the recommended "SameSite" attribute.
746953 | On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.
749451 | On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of
749843 | The Bandwidth widget does not display traffic information for VLAN interfaces when a large number of VLAN interfaces are configured.
758820 | The GUI cannot restore a CLI-encrypted configuration file saved on a TFTP server. There is no issue for unencrypted configuration files or if the file is encrypted in the GUI.
763925 | The GUI shows the user as expired after entering a comment in guest management.
787565 | When logged in as a guest management administrator, the custom image shows as empty on the user information printout.
HA
Bug ID | Description
---|---
683584 | The hasync process crashed because the write buffer offset is not validated before it is used.
683628 | The hasync process crashes often with signal 11 when a CMDB mmap file is deleted and some processes still mmap the old file.
717785 | The HA primary does not send anti-spam and outbreak prevention license information to the secondary.
750829 | In large customer configurations, some functions may time out, which causes an unexpected failover and keeps cmdbsvr usage high for a long time.
751072 | The HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.
752928 | fnbamd uses
754599 | SCTP sessions are not fully synchronized between nodes in FGSP.
760562 | hasync crashes when the size of hasync statistics packets is invalid.
763214 | Firmware upgrade fails when the bandwidth between
764873 | An FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.
765619 | HA desynchronizes after a user from a read-only administrator group logs in.
766842 | Long wait and timeout when upgrading an FG-3000D HA cluster due to vcluster2 being enabled.
771389 | An SNMP community name with one extra character at the end still matches when HA is enabled.
779512 | If the interface name is a number, an error occurs when that number is used as an
782769 | Unable to form an HA pair when HA encryption is enabled.
786592 | Failure in self-pinging towards the management IP.
794707 | Get an invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP
801872 | Unexpected HA failover on an AWS A-P cluster when
803697 | The
813600 | FortiAnalyzer connectivity test failed on the secondary unit.
ICAP
Bug ID | Description
---|---
748574 | WAD crash related to ICAP occurs.
Intrusion Prevention
Bug ID | Description
---|---
698247 | Flow mode web filter
699775 | The Fortinet logo is missing on the web filter block page in Chrome.
713508 | Low download performance occurs when SSL deep inspection is enabled on aggregate and VLAN interfaces and NTurbo is enabled.
739272 | Users cannot visit websites with an explicit web proxy when the FortiGate enters conserve mode with
809691 | High CPU usage on the IPS engine when certain flow-based policies are active.
IPsec VPN
Bug ID | Description
---|---
771935 | Offloaded transit ESP is dropped in one direction until the session is deleted.
773313 | FG-40F-3G4G with the WWAN DHCP interface set as an L2TP client shows drops in WWAN connections and does not get the WWAN IP.
777476 | When FGCP and FGSP are configured, but the FGCP cluster is not connected, IKE will ignore the
781403 | IKE is consuming excessive memory.
786409 | Tunnel had one-way traffic after iked crashed.
789705 | An IKE crash disconnected all users at the same time.
790486 | Support IPsec FGSP per-tunnel failover.
814366 | There are no incoming ESP packets from the hub to the spoke after upgrading from 6.4.8 to 6.4.9.
815253 | NP7-offloaded egress ESP traffic is not sent out of the FortiGate.
825047 | The iked process crashed.
825523 | NP7 drops outbound ESP after the IPsec VPN has been established for some time.
Log & Report
Bug ID | Description
---|---
621329 | Mixed traffic and UTM logs are in the event log file because the current
702859 | The Outdated report files deleted system event log keeps being generated.
708890 | The traffic log of ZTNA HTTPS proxy and TCP forwarding is missing the policy name and FortiClient ID.
726231 | The default
753904 | The reportd process consumes a high amount of CPU.
764478 | Logs from the FortiGate are missing on FortiGate Cloud.
768626 | FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.
769300 | Traffic denied by security policy (NGFW policy-based mode) is shown as
774767 | The expected reboot log is missing.
776929 | When submitting files for sandbox logging in flow mode,
793352 | NGFW policy-based application control logs are being generated, even though application control is not set in the security policy.
Proxy
Bug ID | Description
---|---
678815 | WAD crashes with signal 11 if the client sends a ClientHello containing a key share that does not match the key share that the server prefers.
716234 | WAD signal 11 crash occurs due to web cache corruption.
717995 | Proxy mode generates untagged traffic in a virtual wire pair.
723104 | Proxy mode deep inspection causes website access problems.
747915 | Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device of the same model.
755685 | The Trend Micro client receives an illegal parameter SSL alert response from the FortiGate because the Trend Micro client sent a ClientHello that includes extra data, which the FortiGate declines according to RFC 5246 section 7.4.1.2.
763988 | When
768278 | WAD crashes frequently, authentication stops, and the firewall freezes once proxy policy changes are pushed out.
791662 | FortiGate silently drops the ServerHello in TLS negotiation.
802935 | FortiGate cannot block a virus file when using the HTTP PATCH upload method.
801165 | Multiple selected files cannot be deleted in SharePoint when deep inspection is enabled in a proxy policy.
803260 | Memory increases suddenly and is not released until rebooting.
807332 | WAD does not forward the 302 HTTP redirect to the end client.
808072 | When accessing a specific website using UTF-8 content encoding (which is unexpected according to the RFC), the FortiGate blocks the traffic as an HTTP evasion when applying an AV profile with deep inspection.
809970 | The WAD process causes one of the CPU cores to spike to 100%.
815313 | WAD crash occurred due to a certificate validation failure.
Routing
Bug ID | Description
---|---
717086 | External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the
724541 | One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.
729621 | High CPU on the hub BGPD due to the hub FortiGate being unable to maintain BGP connections with more than 1000 branches when
730194 | When syncing a large number of service qualities, there is a chance of accessing out-of-bounds memory, which causes the VWL daemon to crash.
742648 | Health check over the shortcut tunnel is dead after
745856 | The default SD-WAN route for the LTE wwan interface is not created.
759752 | FortiGate sends malformed packets, causing a BGP IPv6 peering flap, when there is a large number of IPv6 routes that cannot fit in one packet.
762258 | When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link goes up/down.
771052 | The
774112 | The
778392 | Kernel panic crash occurs after receiving a new IPv6 prefix via BGP.
780210 | Changing the interface weight under SD-WAN takes longer to be applied from the GUI than from the CLI.
790806 | The FortiGate SD-WAN default route is deleted after FortiManager installation with the SD-WAN template.
796409 | GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.
805285 | SIP-RTP fails after a route or interface change.
833399 | Static routes are incorrectly added to the routing table, even if the IPsec tunnel type is static.
Security Fabric
Bug ID | Description
---|---
686420 | Dynamic address resolution is lost when the SDN connector sends
690812 | FortiGate firewall dynamic address resolution is lost when the SDN connector updates its cache.
712155 | The security rating for Admin Idle Timeout incorrectly fails for a FortiAnalyzer with less than 10 minutes.
717080 | csfd shows high memory usage because the JSON object is not used properly and the reference is not released properly.
718469 | The wrong timestamp is printed in the event log received by email from an event triggered by an email alert automation stitch.
724071 | Log disk usage from the user information history daemon is high and can restrict the disk's use for general logging purposes.
788543 | The topology tree shows No connection or Unauthorized for FortiAnalyzer while log data is being sent to FortiAnalyzer.
789820 | The csfd process is causing high memory usage on the FortiGate.
791324 | The Test Automation Stitch function only works on the root FortiGate, and does not work on the downstream FortiGate.
SSL VPN
Bug ID | Description
---|---
729426 | The wildcard FQDN does not always work reliably in cases where the kernel does not have the address yet.
740378 | Windows FortiClient 7.0.1 cannot work with FortiOS 7.0.1 over SSL VPN when the tunnel IP is in the same subnet as one of the outgoing interfaces and NAT is not enabled.
741674 | Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.
745554 | Logging in with SSO to FortiAnalyzer with SSL VPN web mode fails.
749857 | Web mode and tunnel mode could not reflect the VRF setting, which causes traffic to not pass through as expected.
756753 | FQDN in a firewall policy is treated as case sensitive, which causes SSL VPN failure when redirecting or accessing a URL that contains capitalized characters.
757726 | The SSL VPN web portal does not serve the updated certificate.
759664 | Renaming the server entry configuration breaks the connection between the IdP and the FortiGate, which causes SAML login for SSL VPN to not work as expected.
762685 | Punycode is not supported in SSL VPN DNS split tunneling.
767832 | After upgrading from 6.4.7 to 7.0.1, the
767869 | The SCADA portal will not fully load with an SSL VPN web bookmark.
771162 | Unable to access SSL VPN bookmark in web mode.
772191 | Website is not loading in SSL VPN web mode.
774661 | SSL VPN web portal not loading internal webpage.
774831 | The comma character (,) acts as a delimiter in authentication session decoding when the CN format is
779892 | After using the recommended upgrade path from 6.2.9 to 6.4.8, the sslvpnd daemon does not start in a consolidated policy environment.
781542 | Unable to access internal SSL VPN bookmark in web mode.
783508 | After upgrading to 6.4.8, NLA security mode for the SSL VPN web portal bookmark does not work.
786179 | Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.
796768 | SSL VPN RDP is unable to connect to load-balanced VMs.
801588 | After the Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully.
809209 | An SSL VPN process memory leak causes the FortiGate to enter conserve mode over a short period of time.
809473 | When sslvpnd debugs are enabled, the SSL VPN process crashes more often.
816716 | sslvpnd crashed when deleting a VLAN interface.
Switch Controller
Bug ID | Description
---|---
774848 | Bulk MAC address deletions on FortiSwitch randomly cause all wired clients to disconnect at the same time and reconnect.
777611 | NAC configuration is not updating correctly on all managed switch ports.
807403 | A switch is missing from the Managed FortiSwitch topology view (the REST API has the data).
System
Bug ID | Description
---|---
623775 | newcli daemon crash due to FortiToken Mobile user token activation email processing.
666438 | The iotd daemon has problems connecting to an anycast server when
679059 | The ipmc_sensord process is killed multiple times when CPU or memory usage is high.
682681 | The DSL line takes a long time to synchronize.
699721 | Running
705878 | Local certificates could not be saved properly, which caused issues such as not being able to properly restore them from configuration files and certificates and keys being mismatched.
712321 | Multiple ports flap when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.
716250 | Incorrect bandwidth utilization traffic widget for a VLAN interface based on an LACP interface.
717791 | Running
718307 | Verizon LTE connection is not stable, and the connection may drop after a few hours.
724451 | Upgrading to 6.4 removes regular VDOM links with
729078 | Verizon LTE connection is not stable, and the connection may drop after a few hours.
738423 | Unable to create a hardware switch with no member.
749613 | Unable to save configuration changes and get
750171 | Legitimate traffic is unable to go through with NP6
750533 | The cmdbsvr crashes when accessing an invalid
751044 | PSU alarm log and SNMP trap are added for FG-20xF and FGR-60F models.
751870 | Users should be disallowed from sending an alert email from a customized address if the email security compliance check fails.
753912 | FortiGate calculates a faulty FDS weight with DST enabled.
757478 | Kernel panic results in a reboot because the size of the inner Ethernet header and IP header is not checked properly when the SKB is received by the VXLAN interface.
764252 | On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.
764483 | After restoring the VDOM configuration,
771267 | Zone transfer with the FortiGate as the primary DNS server fails if the FortiGate has more than 241 DNS entries.
771331 | Incorrect bandwidth utilization traffic widget for a VLAN interface on NP6 platforms.
773702 | The FortiGate running startup configuration is not saved on the flash drive.
775529 | Hardware switch is not passing VRRP packets.
778116 | A restricted VDOM user is able to access the root VDOM.
778794 | Incorrect values in NP7/hyperscale DoS policy anomaly logs. For the packet rate-based meter log, the repeated numbers do not reflect the amount of dropped packets for a specific anomaly/attack; for the session counter meter log, the
779523 | Negative
787595 | FFDB cannot be updated with
792544 | A request is made to the remote authentication server before checking
796398 | BPDU packets are blocked even though STP forwarding is enabled on FG-800D in transparent mode (UTP and SFP).
799255 | Any configuration change on FG-2601F causes a cmdbsvr crash with signal 6, and traffic stops flowing.
801410 | Hostname is not resolved when adding multiple domain lists.
801474 | DHCP IP lease is flushed within the lease time.
801985 | Kernel panic occurs when a virtual switch with VLAN is created and another port is configured with a trunk.
802917 | PPPoE virtual tunnel drops traffic after logon credentials are changed.
809366 | FG-40F with STP enabled on a hardware switch creates a loop after upgrading to 6.4.9.
811329 | The kernel crashes and forces a system reboot a few times a month in an IPsec setup with thousands of tunnels.
812499 | When traffic gets offloaded, an incorrect MAC address is used as the source.
813606 | DHCP relay offers to iPhones are blocked by the FortiGate.
816278 | Memory increases due to the iked process.
824464 | The CMDB checksum is not updated when a certificate is renewed over CMP, causing FortiManager to fail to synchronize the certificate.
Upgrade
Bug ID | Description
---|---
730245 | When upgrading from 6.2.9 to 6.4.6, a
757660 | ISDB objects are obsolete after upgrading to 6.4.6, which blocked FortiGuard access using the root VDOM.
790823 | VDOM link configuration is lost after upgrading.
User & Authentication
Bug ID | Description
---|---
624167 | FortiToken Mobile push notification does not work with a dynamic WAN IP service provider.
754725 | After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.
756763 | In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.
777004 | Local users named pop or map do not work as expected when trying to add them as sources in a firewall policy.
VM
Bug ID | Description
---|---
721439 | Problems occur when switching between HA broadcast heartbeat and unicast heartbeat and vice versa.
750889 | DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.
781879 | FortiFlex license activation fails to apply to a FortiGate VM in HA. Standalone mode is OK.
794290 | Failed to load FFW-VM;
799536 | Data partition is almost full on FG-VM64 platforms.
800473 | FG-VM64 deployed with 6.4 loses its configuration and license after upgrading to 7.2.1 (no issue if deployed with 7.0).
VoIP
Bug ID | Description
---|---
794517 | VoIP daemon memory leak occurs when the following conditions are met:
WiFi Controller
Bug ID | Description
---|---
783209 | After upgrading FortiOS from 6.2 to 6.4, a new
790367 | FWF-60F has a kernel panic and reboots by itself every few hours.
791761 | CAPWAP tunnel traffic over a WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.
801259 | A CLI script from FortiManager with two commands fails, but succeeds with one command.
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references
---|---
764221 | FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference:
800259 | FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference:
811492 | FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference:
819640 | FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference:
825695 | FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference: