Fortinet Document Library

FortiGate-6000 and FortiGate-7000 Release Notes

Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.4.2 Build 1749. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.4.2 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.4.2 Build 1749.

Bug ID   Description

600879   Packet capture from a firewall policy does not work.

608729   IPsec VPN phase 2 auto negotiation does not work if IPsec VPN load balancing is enabled.

612622   SSL connections to a FortiSandbox do not work if the source-ip option of the FortiSandbox configuration is enabled.

613617   The source-ip setting when configuring FortiGuard, FortiSandbox, and other services may not work as expected. When a source-ip is configured, only the FortiGate-6000 management board or the FortiGate-7000 primary FIM can connect to the service. Services that only require management board or primary FIM connections will operate as expected. However, many services require FPCs or FPMs to be able to connect to the service. In these cases, setting a source-ip prevents FPCs and FPMs from connecting to the service.

         For example, when you set a source-ip using the following command, only the management board or primary FIM can contact FortiGuard for updates.

             config system fortiguard
                 set source-ip <ip-address>
             end

632983   When a failed FGSP session-sync interface is restored or a new FGSP node is added on the fly, existing sessions are not immediately synchronized among all FGSP nodes.

637125   The RSSO dstgroup log message field contains incorrect group names.

643958   Inconsistent data from FortiGate-6000 and 7000 FFDBs may cause the confsyncd process to crash.

650894   The FortiManager IPsec tunnel monitor incorrectly shows that active IPsec tunnels on a FortiGate-6000 or 7000 are down.

661982   The FortiOS 6.4 session-ttl option never (which means no session timeout) is only supported if the dp-load-distribution-method is set to src-dst-ip-sport-dport (the default) or src-dst-ip and the firewall policy that accepts the session does not perform NAT. If any other load distribution method is used, or if NAT is enabled, the DP session timer will terminate the session according to the DP processor session timer.

         For more information about the never option, see No session timeout.

661987   Configuration synchronization failures can occur if the configuration is continuously changed over an extended time period.

662858   FortiGate-6000 and 7000 for FortiOS 6.4.2 does not support FortiOS Network Access Control (NAC) features. Support will be added in a future release.

662973   Changes to multiple firewall policies and changes to the order of firewall policies on a FortiGate-6000 or 7000 with a large number of firewall policies can cause configuration synchronization errors.

664903   SD-WAN health check status information is not synchronized to all FPCs or FPMs.

665984   Updating individual VDOM CA certificates may cause out-of-sync errors.

666390   After restoring a configuration containing a large number of VDOMs, the number of entries in the application list could exceed the maximum value, causing configuration errors when the FortiGate-6000 or 7000 starts up.

666583   Downgrading or upgrading the FFDB may cause the confsyncd process to crash.

667325   An FFDB update may cause the system to enter conserve mode.

667861   FortiGate-6000 or 7000 IPv6 in-band management does not work if an IPv6 policy route matching the in-band management traffic has been added to the configuration.

668290   FortiGate-6000 or 7000 traffic or data interfaces are not currently supported for FGSP session synchronization. Instead, you must use FortiGate-6000 HA interfaces or FortiGate-7000 M1 and M2 interfaces for FGSP session synchronization. Due to this limitation, when traffic passes asymmetrically through FGSP peers, UTM traffic has to be forwarded back to the session owner over the HA interface (layer2-connection unavailable case) for processing, so UTM traffic throughput is limited to 10 Gbps, which is the maximum capacity of an HA interface.

668801   Application control signature upgrades or downgrades may cause cmdbsvr signal 6 (Aborted) messages to appear.

669951   Under high load conditions, the confsyncd process may crash during an FFDB update.

674929   Application control signature upgrades or downgrades may cause the cmdbsvr process to crash with signal 11.

675484   During stress testing, multiple instances of the updated process may be running, some with CPU usage at 99%.

675965   The FortiView Sessions dashboard may show duplicates of some sessions.

676009   IPv6 sessions cannot be canceled from the FortiView Sources dashboard.

676270   The confsync process running on FPCs sometimes crashes.

676444   The confsyncd process sometimes crashes on idle FortiGate-6000s or 7000s.

676575   FortiGate-6000 and 7000 FGSP does not support the FGSP option down-intfs-before-sess-sync.

676649   The certificate CRL configuration may take longer than expected to synchronize after adding a new CRL.

676982   A missing null pointer check in hadiff causes the confsyncd process to crash.

677002   Changes to FGSP config system standalone-cluster settings are not synchronized to FPCs or FPMs. After changing standalone-cluster settings, you need to restart the FortiGate-6000 or 7000 for the configuration to be synchronized from the management board or primary FIM to the FPCs or FPMs.

677812   A confsyncd process segmentation fault occurred when calling cmdb_find_child_entity() in cmf_shm_api.

678569   A confsyncd signal 11 (Segmentation fault) occurred in cmf/cli/hadiff/hadiff_tree.c.
