FortiOS Release Notes

Resolved issues

The following issues have been fixed in version 6.4.11. To inquire about a particular bug, please contact Customer Service & Support.

Explicit Proxy

Bug ID    Description
803228    When converting an explicit proxy session to SSL redirect, traffic may be interrupted inadvertently in some situations.

Firewall

Bug ID    Description
815565    Unable to connect to the reserved management interface allowed by the local-in policy.

HA

Bug ID    Description
664929    The hatalk process crashed when creating a disabled VLAN interface in an A-P cluster.
722703    ISDB is not updating; the last update attempt is stuck at an older date.
779587    When an authentication logon length is longer than the hasync packet length and there is a large number of logons, hasync is busy.
788702    Due to an HA port (Intel i40e) driver issue, not all SW sessions are synchronized to the secondary, so there is a difference.
837200    The hasync process is stuck with high CPU usage when a failover occurs, there is a large number of logons, and the authentication logon length is longer than the hasync packet length.
845572    FGCP HA cannot synchronize because of a system.replacemsg-image checksum mismatch when upgrading from 6.2 to 6.4.

Hyperscale

Bug ID    Description
763966    FGSP synchronizes NP sessions of all VDOMs when syncvd is only set for the hyperscale VDOM.
771857    Firewall virtual IP (VIP) features that are not supported by hyperscale firewall policies are no longer visible from the CLI or GUI when configuring firewall VIPs in a hyperscale firewall VDOM.
782674    A few tasks are hung on issuing stat verbose on the secondary device.
795853    VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM.
807476    After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled.
810025    Using EIF to support hairpinning does not work for NAT64 sessions.
810366    Unrelated background traffic gets impacted when changing a policy where a hyperscale license is used.
839958    service-negate does not work as expected in a hyperscale deny policy.

IPsec VPN

Bug ID    Description
707086    Packets with the DF bit set that do not need fragmentation are dropped with the message "fragmentation required but not allowed".
757696    Implementing the route-overlap setting on phase 2 configurations brings tunnels down until a reboot is performed on the FGSP cluster.
763205    IKE crashes after HA failover when the enforce-unique-id option is enabled.
828541    IPsec DPD packets keep getting sent while IPsec traffic passes through the tunnel (DPD mode is on-idle).
830252    IPsec VPN statistics are not increasing on the device.

Proxy

Bug ID    Description
796910    Application wad crash (Segmentation fault), which is the first crash in a series.
822271    Unable to access a website when deep inspection is enabled in a proxy policy.

Routing

Bug ID    Description
822659    Secure SD-WAN Monitor in FortiAnalyzer does not show graphs when the SLA target is not configured in the SD-WAN performance SLA.
830254    When changing interfaces from dense mode to sparse mode, and then back to dense mode, the interfaces do not show up under dense mode.

SSL VPN

Bug ID    Description
830824    The Veeam Backup Enterprise website has an SSL VPN access problem in web mode.
848437    The sslvpn process crashes if a POST request with a body greater than 2 GB is received.

System

Bug ID    Description
622803    The L2TP tunnel is not removed after the Android VPN client disconnects.
675558    An SFP port with a 1G copper SFP is always up.
735492    Many processes are in a "D" state due to unregister_netdevice.
764954    The FortiAnalyzer serial number automatically learned from miglogd is not sent to FortiManager through the automatic update.
766906    Hardware logs are sent to the syslog server with an incorrect timestamp in hyperscale mode.
800333    DoS offload does not work in 6.4.9 and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.
801040    Session anomaly was incorrectly triggered even though concurrent sessions on the FortiGate were below the configured threshold.
809030    Traffic loss occurs when running an SNAT PBA pool in a hyperscale VDOM. The NP7 hardware module PRP got stuck, which caused the NP7 to hang.
810583    Running diagnose hardware deviceinfo psu shows the incorrect PSU slot.
818452    The ifLastChange SNMP OID only shows zeros.
826440    A null pointer causes a kernel crash on FWF-61F.

User & Authentication

Bug ID    Description
822684    When multiple FSSO CA connections are configured at the same time, only the last configured FSSO connection comes up.

VM

Bug ID    Description
761736    FG-AWS failover does not trigger the elastic IP or route move during an upgrade if the HA connection between the active and passive node breaks for a few seconds and reconnects.

WiFi Controller

Bug ID    Description
827902    CAPWAP data traffic over redundant IPsec tunnels fails when the primary IPsec tunnel is down (failover to the backup tunnel).
831932    The cw_acd process crashes several times after the system enters conserve mode.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID    CVE references
850842    FortiOS 6.4.11 is no longer vulnerable to the following CVE Reference: CVE-2022-41335
853448    FortiOS 6.4.11 is no longer vulnerable to the following CVE Reference: CVE-2022-42475
