
FortiOS Release Notes

Resolved issues

The following issues have been fixed in version 6.4.12. To inquire about a particular bug, please contact Customer Service & Support.

Explicit Proxy

| Bug ID | Description |
| --- | --- |
| 763796 | FTP proxy refuses a connection on a freshly configured FortiGate. |
| 774442 | WAD is NATting to the wrong IP pool address for the interface. |

GUI

| Bug ID | Description |
| --- | --- |
| 794757 | Inbound traffic on the interface bandwidth widget shows 0 bps on the VLAN interface. |

HA

| Bug ID | Description |
| --- | --- |
| 662978 | Long lasting sessions are expired on HA secondary device with a 10G interface. |
| 750978 | Interface link status of HA members goes down when cfg-revert tries to reboot post cfg-revert-timeout. |
| 785514 | In some cases, the fgfmd daemon is blocked by a query to the HA secondary checksum, and it will cause the tunnel between FortiManager and the FortiGate to go down. |
| 838541 | HA is out-of-sync due to certificate local in FGSP standalone cluster. |
| 859242 | Unable to synchronize IPsec SA between FGCP members after upgrading. |

Hyperscale

| Bug ID | Description |
| --- | --- |
| 805846 | In the FortiOS MIB files, the trap fields fgFwIppStatsGroupName and fgFwIppStatsInusePBAs have the same OID. As a result, the fgFwIppStatsInusePBAs field always returns a value of 0. |

IPsec VPN

| Bug ID | Description |
| --- | --- |
| 675838 | iked ignores phase 1 configuration changes due to frequent FortiExtender CMDB changes. |
| 855772 | FortiGate IPsec tunnel role could be incorrect after rebooting or upgrading, and causes negotiation to be stuck when it comes up. |
| 858715 | IPsec phase 2 fails when both HA cluster members reboot at the same time. |

Log & Report

| Bug ID | Description |
| --- | --- |
| 838357 | A deny policy with log traffic disabled is generating logs. |

Proxy

| Bug ID | Description |
| --- | --- |
| 650348 | FortiGate refuses incoming TCP connection to FTP proxy port after explicit proxy related configurations are changed. |
| 799381 | WAD crash occurs when TLS 1.2 receives the client certificate and that server-facing SSL port has been closed due to the SSL bypass. |

Routing

| Bug ID | Description |
| --- | --- |
| 817670 | IPv6 route redistribution metric value is not taking effect. |

Security Fabric

| Bug ID | Description |
| --- | --- |
| 837347 | Upgrading from 6.4.8 to 7.0.5 causes SDN firewall address configurations to be lost. |
| 843043 | Only the first ACI SDN connector can be kept after upgrading from 6.4.8 if multiple ACI SDN connectors are configured. |
| 857441 | Azure Fabric connector process (azd) has high memory consumption during updates, which leads to entry-level FortiGate models entering conserve mode. |

SSL VPN

| Bug ID | Description |
| --- | --- |
| 705880 | Updated empty group with SAML user does not trigger an SSL VPN firewall policy refresh, which causes the SAML user detection to not be successful in later usage. |
| 742332 | SSL VPN web portal redirect fails in http://qu***.jj***.bu***. |
| 746230 | SSL VPN web mode cannot display certain websites that are internal bookmarks. |
| 748085 | Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms. |
| 784522 | When trying to create a support ticket in Jira with SSL VPN proxy web mode, the dropdown field does not contain any values. |
| 822432 | SSL VPN crashes after copying a string to the remote server using the clipboard in RDP web mode when using RDP security. |
| 825810 | SSL VPN web mode is unable to access EMS server. |
| 834713 | Getting re-authentication pop-up window for VNC quick connection over SSL VPN web proxy. |
| 848067 | RDP over VPN SSL web mode stops working after upgrading to 6.4.10. |
| 852566 | User peer feature for one group to match to multiple user peers in the authentication rules is broken. |
| 854143 | Unable to access Synology NAS server through SSL VPN web mode. |
| 856316 | Browser displays an Error, Feature is not available message if a file larger than 1 MB is uploaded from FTP or SMB using a web bookmark, even though the file is uploaded successfully. There are no issues with downloading files. |

Switch Controller

| Bug ID | Description |
| --- | --- |
| 845667 | Enabling allowed-vlans-all on FortiSwitch ports will push VLANs from both owner and tenant VDOMs. |
| 859690 | The flcfgd daemon crashes frequently on the HA passive unit. |

System

| Bug ID | Description |
| --- | --- |
| 649729 | HA synchronization packets are hashed to a single queue when sync-packet-balance is enabled. |
| 713951 | Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E. |
| 733096 | FG-100F HA secondary's unused ports flap from down to up, then to down. |
| 776052 | Add SNMP MIB support for PBA pools. |
| 783939 | IPv4 session is flushed after creating a new VDOM. |
| 784169 | When a virtual switch member port is set to be an alternate by STP, it should not reply with ARP; otherwise, the connected device will learn the MAC address from the alternate port and send subsequent packets to the alternate port. |
| 787929 | Deleting a VDOM that contains EMAC interfaces might affect the interface bandwidth widget of the parent VLAN. |
| 807334 | DDNS is not working when cleartext is enabled. |
| 810466 | EHP and HRX drop on NP6 FortiGate, causing low throughput. |
| 811367 | Ports 33-35 constantly show suspect messaging in the transceiver output. Affected platforms: FG-2600F and FG-2601F. |
| 813607 | LACP interfaces are flapping after upgrading to 6.4.9. |
| 815692 | Slow upload speeds when connected to FIOS connection. Affected platforms: NP6Lite and NP6xLite. |
| 821000 | QSFP and QSFP+ Fortinet transceivers are not operational on FG-3401E. |
| 824543 | The reply-to option in the email server settings is no longer visible in a default server configuration. |
| 827240 | FortiGate in HA may freeze and reboot. Before the reboot, softIRQ may be seen as high. This leads to a kernel panic. |
| 827736 | As the size of the internet service database expands, ffdb_err_msg_print: ret=-4, Error: kernel error is observed frequently on 32-bit CPU platforms, such as the FG-100E. |
| 834850 | GUI CLI console displays a Connection lost message when logging in as an API administrator. |
| 847077 | Can't find xitem. Drop the response. error appears for DHCPOFFER packets in the DHCP relay debug. |
| 850774 | Session synchronization packets may be dropped when using HA1/HA2. Affected platforms: FGT-420xF and FGT-440xF. |

Upgrade

| Bug ID | Description |
| --- | --- |
| 848926 | After upgrading, the AV filter feature set is changed from proxy mode to flow mode. |

User & Authentication

| Bug ID | Description |
| --- | --- |
| 751763 | When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device. |
| 824999 | Subject Alternative Name (SAN) is missing from the certificate upon automatic certificate renewal made by the FortiGate. |
| 845198 | Local-in policies for authentication disappear and the authentication page returns an ERR_CONNECTION_TIMED_OUT error. The authentication page is not displayed because it is not rebuilt when firewall local-in-policy is added, edited, or deleted. |
| 853793 | FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP. |

WiFi Controller

| Bug ID | Description |
| --- | --- |
| 761836 | FWF-8xF platforms should allow the DHCP server configuration of an aggregate interface (aplink) to be edited in the GUI. |
| 807713 | FortiGate is not sending RADIUS accounting message consistently to RADIUS server for wireless SSO. |

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

| Bug ID | CVE references |
| --- | --- |
| 843331 | FortiOS 6.4.12 is no longer vulnerable to the following CVE Reference: CVE-2022-41330 |
| 844920 | FortiOS 6.4.12 is no longer vulnerable to the following CVE Reference: CVE-2022-41328 |
| 845847 | FortiOS 6.4.12 is no longer vulnerable to the following CVE Reference: CVE-2022-41329 |
| 854227 | FortiOS 6.4.12 is no longer vulnerable to the following CVE Reference: CVE-2022-42476 |
| 865932 | FortiOS 6.4.12 is no longer vulnerable to the following CVE Reference: CVE-2022-45861 |
