When a proxy-based policy with AV is applied, files over 37 KB are not allowed to transfer through the PowerShell script.

HTTP 200 OK is not forwarded by WAD when an AV profile is enabled in a proxy-based policy.

DNS filter forwards the DNS status code 1 FormErr as status code 2 ServFail in cases where the redirect server responses have no question section.

In multi-VDOM with default system fortiguard configuration, the DNS filter does not work for the non-management VDOM.

When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error.

SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.

Firewall with forward proxy and UTM enabled is sending TLS probe with forward proxy IP instead of real server IP.

Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.

diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.

Cisco Webex with explicit proxy and SSL deep inspection stops working after upgrading FortiOS.

Get unexpected count for established session count, and diagnose firewall iprope clear does not work as expected.

Policy with a Tor exit node as the source is not blocking traffic coming from Tor.

The src-ip in the health check should be allowed to be set to the interface IP of the current VDOM.

The CLI should give a warning message when changing the address type from iprange to ipmask and there is no subnet input.

When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet's source IP instead of the external IP.

The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.

Custom services name is not displayed correctly in logs with a port range of more than 3000 ports.

The number of sessions in session_count does not match the output from diagnose sys session full-stat.

When using the 5 minutes time period, if the FortiGate system time is 40 to 59 second behind the browser time, no data is retrieved.

Add support to display security policies in real time view on the Dashboard > FortiView Policies page.

On the Dashboard > FortiView Web Sites_FAZ page, many websites have an Unrated category, and drilling down on these results displays no data.

Newly created deny policy incorrectly has logging disabled and can not be enabled when the Security Fabric is enabled.

A user can browse HA secondary logs in the GUI, but when a user downloads these logs, it is the primary FortiGate logs instead.

Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

On the System > HA page, when vCluster is enabled and the management VDOM is not the root VDOM, the GUI incorrectly displays management VDOM as primary VDOM.

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

On FG-VM64-AZURE, administrator is logged out every few seconds, and the following message appears in the browser: Some cookies are misusing the recommended "SameSite" attribute.

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 2³²-1.

Bandwidth widget does not display traffic information for VLAN interfaces when a large number of VLAN interfaces are configured.

The GUI cannot restore a CLI-encrypted configuration file saved on a TFTP server. There is no issue for unencrypted configuration files or if the file is encrypted in the GUI.

GUI shows user as expired after entering a comment in guest management.

The hasync process crashed because the write buffer offset is not validated before using it.

The hasync process crashes often with signal 11 in cases when a CMDB mind map file is deleted and some processes still mind map the old file.

HA primary does not send anti-spam and outbreak prevention license information to the secondary.

In large customer configurations, some functions may time out, which causes an unexpected failover and keeps high cmdbsvr usage for a long time.

HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.

fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.

SCTP sessions are not fully synchronized between nodes in FGSP.

hasync crashes when the size of hasync statistics packets is invalid.

Firmware upgrade fails when the bandwidth between hbdev is reduced to 26 Mbps and lower (Check image file integrity error!).

FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.

HA desynchronizes after user from a read-only administrator group logs in.

Long wait and timeout when upgrading FG- 3000D HA cluster due to vluster2 being enabled.

SNMP community name with one extra character at the end stills matches when HA is enabled.

If the interface name is a number, an error occurs when that number is used as an hbdev priority.

Unable to form HA pair when HA encryption is enabled.

Failure in self-pinging towards the management IP.

Get invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP standalone-config-sync.

Unexpected HA failover on AWS A-P cluster when ipsec-soft-dec-async is enabled.

The ha-mgmt-interface stops using the configured gateway6.

Flow mode web filter ovrd crashes and socket leaks in IPS daemon.

Fortinet logo is missing on web filter block page in Chrome.

Low download performance occurs when SSL deep inspection is enabled on aggregate and VLAN interfaces when NTurbo is enabled.

Users cannot visit websites with an explicit web proxy when the FortiGate enters conserve mode with fail-open disabled. Block pages appear with the replacement message, IPS Sensor Triggered!.

Offloaded transit ESP is dropped in one direction until session is deleted.

FG-40F-3G4G with WWAN DHCP interface set as L2TP client shows drops in WWAN connections and does not get the WWAN IP.

When FGCP and FGSP is configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.

IKE is consuming excessive memory.

Tunnel had one-way traffic after iked crashed.

IKE crash disconnected all users at the same time.

Support IPsec FGSP per tunnel failover.

There are no incoming ESP packets from the hub to spoke after upgrade from 6.4.8 to 6.4.9.

NP7 offloaded egress ESP traffic that was not sent out of the FortiGate.

The iked process crashed.

Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.

Outdated report files deleted system event log keeps being generated.

Traffic log of ZTNA HTTPS proxy and TCP forwarding is missing policy name and FortiClient ID.

The default logtraffic setting (UTM) in a security policy unexpectedly generates a traffic log.

The reportd process consumes a high amount of CPU.

Logs are missing on FortiGate Cloud from the FortiGate.

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

The expected reboot log is missing.

When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.

WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers.

WAD signal 11 crash occurs due to web cache corruptions.

Proxy mode generates untagged traffic in a virtual wire pair.

Proxy mode deep inspection is causing website access problems.

Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.

Trend Micro client results in FortiGate illegal parameter SSL alert response because the Trend Micro client sent a ClientHello that includes extra data, which is declined by the FortiGate according to RFC 5246 7.4.1.2.

When proxy-after-tcp-handshake is enabled, IPv6 enabled sites cannot be accessed with proxy mode and a web filter profile configured.

WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out.

FortiGate is silently dropping server hello in TLS negotiation.

FortiGate cannot block a virus file when using the HTTP PATCH upload method.

Multiple selected files cannot be deleted in SharePoint when deep inspection is enabled in a proxy policy.

FortiGate cannot block a virus file when using the HTTP PATCH upload method.

Memory increase suddenly and is not released until rebooting.

WAD does not forward the 302 HTTP redirect to the end client.

When accessing a specific website using UTF8 content encoding (which is unexpected according to the RFC) the FortiGate blocks the traffic as an HTTP evasion when applying an AV profile with deep inspection.

WAD process is causing one of the CPU cores to spike to 100%.

External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.

One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.

High CPU on hub BGPD due to hub FortiGate being unable to maintain BGP connections with more than 1000 branches when route-reflector is enabled.

When syncing a large number of service qualities, there is a chance of accessing out-of-boundary memory, which causes the VWL daemon to crash.

Health check over shortcut tunnel is dead after auto-discovery-receiver is disabled/enabled and VWL crash occurs.

The default SD-WAN route for the LTE wwan interface is not created.

FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.

When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.

The set next-hop-self-rr6 enable parameter not effective.

The key-outbound and key-inbound parameters are missing on the FG-1800F and FG-1801F.

Kernel panic crash occurs after receiving new IPv6 prefix via BGP.

Changing the interface weight under SD-WAN takes longer to be applied from the GUI than the CLI.

FortiGate SD-WAN default route is deleted after FortiManager installation with the SD-WAN template.

GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.

SIP-RTP fails after a route or interface change.

Dynamic address resolution is lost when SDN connector sends sync.callback command to the FortiGate.

FortiGate firewall dynamic address resolution lost when SDN connector updates its cache.

The security rating for Admin Idle Timeout incorrectly fails for a FortiAnalyzer with less than 10 minutes.

csfd shows high memory usage due to the JSON object not being used properly and the reference not being released properly.

Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.

Log disk usage from user information history daemon is high and can restrict the use for general logging purposes.

Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.

The csfd process is causing high memory usage on the FortiGate.

The wildcard FQDN does not always work reliably in cases where the kernel does not have the address yet.

Windows FortiClient 7.0.1 cannot work with FortiOS 7.0.1 over SSL VPN when the tunnel IP is in the same subnet as one of the outgoing interfaces and NAT is not enabled.

Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.

Logging in with SSO to FortiAnalyzer with SSL VPN web mode fails.

Web mode and tunnel mode could not reflect the VRF setting, which causes the traffic to not pass through as expected.

FQDN in firewall policy is treated case sensitive, which causes SSL VPN failure when redirecting or accessing a URL that contains capitalized characters.

SSL VPN web portal does not serve updated certificate.

Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.

Punycode is not supported in SSL VPN DNS split tunneling.

After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.

SCADA portal will not fully load with SSL VPN web bookmark.

Unable to access SSL VPN bookmark in web mode.

Website is not loading in SSL VPN web mode.

SSL VPN web portal not loading internal webpage.

Comma character (,) is acting as delimiter in authentication session decoding when CN format is Surname, Name.

After using the recommended upgrade path from 6.2.9 to 6.4.8, the sslvpnd daemon does not start in a consolidated policy environment.

Unable to access internal SSL VPN bookmark in web mode.

After upgrading to 6.4.8, NLA security mode for SSL VPN web portal bookmark does not work.

Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.

SSL VPN RDP is unable to connect to load-balanced VMs.

After Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully.

SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time.

When sslvpnd debugs are enabled, the SSL VPN process crashes more often.

Bulk MAC addresses deletions on FortiSwitch is randomly causing all wired clients to disconnect at the same time and reconnect.

NAC configuration not updating correctly on all managed switch ports.

newcli daemon crash due to FortiToken Mobile user token activation email processing.

The iotd daemon has problems connecting to an anycast server when fortiguard-anycast is disabled.

The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.

DSL line takes a long time to synchronize.

Running diagnose hardware test network on FWF-60F needs cable setup adjustment.

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

Multiple ports flapping when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.

Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.

Running execute restore vmlicense tftp fails and displays tftp: bind: Address already in use message.

Verizon LTE connection is not stable, and the connection may drop after a few hours.

Upgrading to 6.4 removes regular VDOM links with npuX_vlink naming scheme.

Verizon LTE connection is not stable, and the connection may drop after a few hours.

Unable to create a hardware switch with no member.

Unable to save configuration changes and get failed: No space left on device error on FG-61E, FG-81E, and FG-101E.

Legitimate traffic is unable to go through with NP6 synproxy enabled.

The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.

PSU alarm log and SNMP trap are added for FG-20xF and FGR-60F models.

User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.

FortiGate calculates faulty FDS weight with DST enabled.

Kernel panic results in reboot due the size of inner Ethernet header and IP header not being checked properly when the SKB is received by the VXLAN interface.

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.

Incorrect bandwidth utilization traffic widget for VLAN interface on NP6 platforms.

FortiGate running startup configuration is not saved on flash drive.

Hardware switch is not passing VRRP packets.

Restricted VDOM user is able to access the root VDOM.

Incorrect values in NP7/hyperscale DoS policy anomaly logs. For packet rate-based meter log, the repeated numbers do not reflect the amount of dropped packets for a specific anomaly/attack; for the session counter meter log, the pps number is negative.

Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.

FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.

A request is made to the remote authentication server before checking trusthost.

BPDUs packets are blocked even though STF forwarding is enabled on FG-800D in transparent mode (UTP and SFP).

Any configuration changes on FG-2601F causes cmbdr crash with signal 6 and traffic to stop flowing.

Hostname is not resolved when adding multiple domain lists.

DHCP IP lease is flushed within the lease time.

Kernel panic occurs when a virtual switch with VLAN is created, and another port is configured with a trunk.

PPPoE virtual tunnel drops traffic after logon credentials are changed.

FG-40F with STP enabled on a hardware switch creates a loop after upgrading to 6.4.9.

The kernel crashes and forces a system reboot a few times a month in an IPsec setup with thousands of tunnels.

When traffic gets offloaded, an incorrect MAC address is used as a source.

DHCP relay offers to iPhones is blocked by the FortiGate.

Memory increase due to iked process.

When upgrading from 6.2.9 to 6.4.6, a set client-cert-request inspect parse error occurs and the parameter is set to bypass after the upgrade.

ISDB objects are obsolete after upgrading to 6.4.6, which blocked FortiGuard access using the root VDOM.

FortiToken Mobile push notification not working with dynamic WAN IP service provider.

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.

Problems occur when switching between HA broadcast heartbeat to unicast heartbeat and vice versa.

DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.

FortiFlex license activation failed to be applied to FortiGate VM in HA. Standalone mode is OK.

Failed to load FFW-VM; cw_acd: can not find board mac from interfaces error displayed in console.

Data partition is almost full on FG-VM64 platforms.

After upgrading FortiOS from 6.2 to 6.4, a new arrp-profile (arrp-default) is added as a static entry. FortiManager cannot install the configuration to a managed FortiGate when trying to purge the arrp-profile table.

FWF-60F has kernel panic and reboots by itself every few hours.

CAPWAP tunnel traffic over WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.

FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference:

• CVE-2021-43206

FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference:

• CVE-2022-29055

FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference:

• CVE-2022-35842

FortiOS 6.4.10 is no longer vulnerable to the following CVE Reference:

• CVE-2022-30307