Resolved issues

The following issues have been fixed in version 6.4.2. For inquiries about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID   Description

497024   Flow mode banned word spam filter log is missing the banned word.

Anti Virus

Bug ID   Description

560044   Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.
607432   500 internal error for some PDFs with AV applied.
615805   Device goes into conserve mode due to large files.
635535   Scanunit crashes with signal 14 at sys_fortiuser_cmd > get_iprope_mem_conserve.

Application Control

Bug ID   Description

630075   After upgrading, FortiGate faced an internet access issue when IPS and AC profiles are enabled and the outgoing interface is an npu_vlink.

Data Leak Prevention

Bug ID   Description

629713   DLP filters not matching in order if a file-type filter is configured.

DNS Filter

Bug ID   Description

511729   Domain filter entries whose action is set to allow should not be logged.
613024   DNS logs do not contain response code.

Endpoint Control

Bug ID   Description

640142   FortiOS 6.4 cannot verify EMS cloud certificate.

Explicit Proxy

Bug ID   Description

599637   Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is enabled in proxy policy.
624513   IP pool address in proxy policy is not used sometimes when enabling a security profile.
634515   HTTP 1.1 host header is lost in FortiGuard web proxy requests.

File Filter

Bug ID   Description

626652   The unknown and BIN file types catch too many random files, which leads to inconsistent results for web traffic.
627795   In flow mode, file filter log can show the file type, but when in proxy inspection mode, it only shows unknown file type.

Firewall

Bug ID   Description

590039   Samsung OEM internet browser cannot connect to FortiGate VS/VIP.
595949   Any change to the security policy table causes the hit count to reset.
596633   In NGFW mode, IPS engine drops RPC data channel when IPS profile is applied to a security policy.
606962   Timeout value is not reflected correctly to a new session when changing timeout value for system session-ttl on FortiGate-HV.
628841   Internet service entry not detected due to some IP ranges being duplicated.
633856   Sessions are marked as dirty when a route change happens, but the route still exists.
635007   Updates causing conserve mode.
635074   Firewall policy dstaddr does not show virtual server available based on virtual WAN link member.
643841   DCE RPC helper cannot parse fragmented EPM packet.
644638   Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor.
644865   Query string parameters omitted (HTTP redirect, SSL offloading).
645075   Real server byte counter resetting.

FortiView

Bug ID   Description

573138   When the data source is FortiGate Cloud, there is no paging to load sessions; only entries 1-499 are rendered.
615524   FortiView > All Sessions should be supported as a standalone dashboard widget in navigation bar.
639109   Top Countries/Regions by Bytes widget keeps trying to load.
640759   Unable to filter FortiView sessions in FortiOS 6.4.x.

GUI

Bug ID   Description

513694   User cannot log in to GUI when password change is required and has pre-login or post-login banner enabled or FIPS mode.
516031   The following behaviors regarding security profiles have changed:
           • Remove the Feature Visibility > Multiple Security Profiles option.
           • All security profiles will allow multiple profiles by default.
           • All security profile pages will be a list of profiles.
528145   BGP configuration gets applied on the wrong VDOM if user switches VDOM selection in between operations (slow GUI).
541042   Log viewer Forward Traffic does not support multiple filters for one field.
547697   Inconsistency/confusion regarding Hostname field in FortiOS web filter log.
567936   Saved SMS phone number is missing + for country code.
577991   Dotted line shown between FortiGate and second tier switch in Managed FortiSwitch topology.
592073   LED indications for FortiSwitch ports do not auto-reflect the changes made on PoE.
594534   GUI shows Invalid LDAP server error while LDAP query successfully finished.
594702   When sorting the interface list by the Name column, the ports are not always in the correct order (port10 appears before port2).
594991   New service group for explicit proxy could not be saved from GUI.
598222   After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware.
601568   Interface status is not displayed on faceplate when viewed from System > HA page.
601879   When logging in to the dashboard after a factory reset, the dashboard displays The web page cannot be found.
604682   GUI takes two minutes to load VPN > IPsec Tunnels for 1483 tunnels.
605030   Send Logs to FortiCloud and Cloud Logging options not available in GUI for FG-900D.
605496   Configured overlapped subnet on GUI still shows error message after enabling subnet overlap.
606967   One-time schedules are not displayed correctly in Safari browser.
607296   Firewall address keeps loading addresses with read-write permission.
607549   GUI CMDB API to support case sensitive/insensitive filtering.
612236   RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI.
615267   In Firefox, SAML SSO admin cannot create additional SSO admins or normal admins via the GUI.
616878   DHCP relay IP address not showing on Network > Interfaces page for VLAN interface.
618379   Option for TLS in Fortinet FSSO connector does not change port to CA TLS port 8001.
618617   CLI parser error: shaper-profile default class with 0% bandwidth guarantee only possible in GUI.
620854   GUI should not add speed to virtual switch member port (FG-101F).
621902   Default gateway address of DHCP server setting does not follow the interface address when Same as Interface IP is selected.
623109   IPS Filter Details column is empty when All is used.
623939   Interface bandwidth widgets for WAN, PPPoE and VDOM link interfaces are not loading.
624050   FortiGuard page does not open with custom read-write permission in the account profile (403 forbidden error).
624551   On POE devices, several sections of the GUI take over 15 seconds to fully load.
624662   CLI panel allows read-only managed device to be configured by read-only admin.
628373   Software switch members and their VLANs are not visible in the GUI interfaces list.
629139   Security Rating reports should not run as a dependent of Topology reports on downstream FortiGates.
630638   Add a warning when Capture Packets is enabled in policy dialog.
631734   GUI not displaying PoE total power budget on FOS 6.2.3.
633937   GUI is not displaying DHCP configuration if the interface name includes the \ character.
634677   User group not visible in GUI when editing the user with a single right-click.
635538   In FortiGate SAML authentication with Azure AD, service provider configuration is grayed-out.
638034   Ctrl + V does not paste command in GUI CLI console and Ctrl + C does not copy selected output in CLI console.
638277   Firewall address group object (including interface subnet) is invisible in Accessible Networks.
638615   SSO admin cannot open CLI console.
638911   IPS and application control actions cannot be modified to Quarantine.
639129   IPsec aggregate is not shown in Dashboard > Network > IPsec widget.
639163   GUI does not show user group information on firewall user widget.
639288   No historical sessions can be displayed when FortiView widget opens from Show in FortiView.
639542   The Edit pane for PAC File Content on the Explicit Proxy page cannot be opened.
639617   On Explicit Web Proxy Policy page, unable to change Outgoing Source IP option from IP Pools to Proxy Default or Original Source IP. CLI does not have this issue.
642028   On some platforms (FG-60E-61E/81E), the CLI console in the GUI may not function immediately after bootup.
642402   LCP-1250RJ3SR-K transceiver shows a warning in the GUI even though it is certified.
644999   Fortinet-sold active direct attached cable (SP-CABLE-ADASFP+) is showing as not certified by Fortinet.

HA

Bug ID   Description

595340   hasync process consuming 80-95% CPU.
609631   Simultaneous reboot of both nodes in HA when gtp-enhance-mode enabled or disabled.
627610   When HA primary device is down, a time synchronization with NTP servers will be disabled after failback.
627851   After the HA peer node has been replaced, need a way to reset the HA health status back to OK.
630070   HA is failing over due to cmdbsvr crashes.
631342   FG-100D HA active-passive mode not syncing.
634604   SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C.
637843   HA secondary device is reporting multiple events (DDNS update failed).
638287   private-data-encryption causes cluster to be periodically out of sync due to customer certificates.
639307   Both primary and secondary consoles keep printing get_ha_sync_obj_sig_4dir: stat /etc/cert/ca/5c44d531.0 error 2.
640428   SSL VPN related auth login user event logs do not require HA to be in sync.
643958   Inconsistent data from FFDB caused several confsyncd crashes.
645293   traceroute not working in asymmetric FGSP environment.
645387   HA pingsvr is in up state in spite of lnkmtd showing it as being in die state.
648073   HA cluster uses physical port MAC address at the time of HA failover.

Intrusion Prevention

Bug ID   Description

582936   IPS traffic log and PCAP archive do not match.
595062   SSL offloading randomly does not work when UTM (AV/IPS) is enabled in firewall policy.
617588   Unable to open TCP application via IPsec tunnel when np-accel-mode is enabled.
631381   RDP NLA authentication blocked by FortiGate when enabling IPS profile in the security group (central NAT).
638235   Some IPS logs do not include direction field.

IPsec VPN

Bug ID   Description

516029   Remove the IPsec global lock.
610203   When an offloaded IPsec SA uses NP6 reserved space, it gets stuck and packets on the tunnel start to drop.
622959   FortiGate does not send framed IPv6 address in RADIUS accounting records.
631804   OCVPN errors showing in logs when OCVPN is disabled.
631968   IKE daemon signal 6 crash when phase1 add-gw-route is enabled.
634883   IKE crashes at ike_hasync__xauth.
635325   Static route for site-to-site VPN remains active even when the tunnel is down.
645196   Static routes added by iked in non-root VDOM are not removed when tunnel interface status is set to down by configuration change.

Log & Report

Bug ID   Description

589782   IPS sensor log-attack-context output truncated.
605405   IPS logs are recorded twice with TCP offloading on virtual server.
607449   Log searches being conducted in a FortiGate for logs stored on a FortiAnalyzer are only sent as case-sensitive.
630769   miglogd crashes when the FortiGate does a weekly log purge.
634947   rlogd signal 11 crashes.
635013   FortiOS gives wrong time stamp when querying FortiGate Cloud log view.
637117   Incomplete log field returned from CEF formatted syslog message.
639807   PBA logs show only 0 or 1 duration in logs; cannot answer data requests from law enforcement.
641450   miglogd processes bound to busy CPUs even though there are other completely idle CPUs available.

Proxy

Bug ID   Description

586281   WAD memory corruption.
603195   Multiple WAD crashes with signal 11.
623108   FTP-TP reaches high memory usage and triggers conserve mode.
624245   WAD crashes when all of these conditions are met: policy is doing deep inspection, SNI in client hello is in the exempt list, server certificate CNAME is not in the exempt list.
631542   WAD signal 11 crash logs SSL/TLS errors and disconnects with the OCSP stapling.
633175   WAD crash observed, wad_http_pattern_match_response + 0x0045, on FG-80E-POE during regression testing.
636508   FortiGate blocks traffic in transparent proxy policy, even if the traffic matches the proxy address.
637389   The WAD process is crashing multiple times.
640427   Web proxy WAD crash under WAN Opt auto-active mode.
643725   The IMAP proxy crashes with signal 7 (SIGBUS).
645943   Memory usage spike (all WAD workers) without bandwidth spike.

Routing

Bug ID   Description

624621   Log traffic to remote servers does not follow SD-WAN rules.
627951   NTP and FSSO not following SD-WAN rules.
628896   DHCP relay does not match the SD-WAN policy route.
632160   FortiGuard GeoIP queries (TCP/443) and FortiSandbox Cloud traffic do not follow policy route/SD-WAN rule.
632285   Health check SLA status log shows configured bandwidth value instead of used bandwidth value.
633463   DRother firewall in OSPFv3 generates neighbor state is less than Exchange log for the LSA update from a DRother neighbor.
633600   BGP hold time and keepalive timers are not updated on spokes after changing on the hub side.
635716   FortiGuard web filter traffic also needs to follow SD-WAN service.
639834   Inconsistency in source IP-based ECMP for IPv6.
641022   Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP changes.
641928   When BGP's recursive next hop can be resolved by multiple routes, the recursive distance is not taken into account when installing the routes. Multiple ECMP paths can be installed with different recursive distances to the next hop.
646418   SD-WAN information available in session list is confusing.

Security Fabric

Bug ID   Description

619696   Automation stitch traffic is sent via mgmt with ha-direct to AWS Lambda after upgrading from 6.0.9 to 6.2.3.
622032   SSH as automation action is not working as expected.
626691   FG-60F unable to join Security Fabric, unknown CA.
629723   SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions.
631607   CSF root FortiGate cannot listen to loopback interface.
637464   FortiMail appears as Unknown fabric device when multi-vdom is enabled.
638512   User sees a Failed to send request error when generating access token for FortiMail under multi-VDOM FortiGate.
641006   Automation stitch causes HA sync failure.

SSL VPN

Bug ID   Description

505986   On IE 11, SSL VPN web portal displays blank page titled {{::data.portal.heading}} after authentication.
573853   TX packet drops on SSL root interface.
604772   SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated.
608464   Get 305 error when browsing website through SSL VPN web mode bookmark and sslvpnd crashes.
611498   SMB/CIFS traffic via SSL VPN web mode not using correct SNAT IP (IP pool).
613612   Important GUI pages in 6.4.0 are not rendered well by SSL VPN portal.
620508   CLI command get vpn ssl monitor displays users from other VDOM.
622110   SSL VPN disconnected when importing or renaming CA certificates.
623076   Add memory protection for web mode SSL VPN child process (guacd).
623217   Website pop-up error using SSL VPN web mode.
623379   Memory corruption in some DNS callback cases causes SSL VPN crash.
624283   Customer has to manually add domain in SMB share login through SSL VPN portal.
624899   Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark.
624904   The company website is not shown properly in SSL VPN web mode.
626228   Bookmark does not load through SSL VPN web mode.
626237   SAP portal link is not working in SSL VPN web mode.
626822   SSL VPN denies login after receiving FortiToken Cloud token and entering token.
627150   SSL VPN web mode unable to load custom web application JavaScript parts.
627456   Traffic cannot pass when SAML user logs in to SSL VPN portal with group match.
628059   SSL VPN web mode gets redirected out of SSL VPN proxy.
628597   Unable to load the SSL VPN bookmark internal website https://fi***.
628801   Internal web application is not opened after the login.
628821   Internal aixws7test2 portal is not loading in SSL VPN web mode.
629190   After SSL VPN proxy, some JS files of hapi website could not work.
629373   SAML login button is lost on SSL VPN portal.
630432   Slides in website https://re***.nz are displayed in SSL VPN web mode.
631050   ERR_EMPTY_RESPONSE while accessing internal portal's webpages in SSL VPN web mode.
631130   Internal site http://va***.com not completely loading through SSL VPN web mode bookmark.
631402   Website (https://uj***) is not accessible in SSL VPN web mode.
631510   Some internal servers do not provide any content type or content length in response header; sslvpnd treats the response as an HTML file and has a problem finishing it.
631809   Configuring thousands of mac-addr-check-rule entries in a portal makes the CPU spike significantly if several hundred users are connecting to the FortiGate, thus causing SSL VPN packet drops.
633047   Cannot load local 1C application through web mode.
633114   Cannot access internal website pl***.fr using SSL VPN web mode.
633812   The guacd daemon generated for an RDP session would sometimes be in an unknown state with 100% CPU and could not be released.
634210   SSL VPN daemon crash due to limit-user-login.
634991   Internal server error 500 while accessing contolavdip portal in SSL VPN web mode.
635307   Map could not be displayed correctly in SSL VPN web mode.
635341   SSL VPN not assigning IP from local IP pool when framed IP address is received with value 0xFFFFFFFE.
635608   Map could not be displayed correctly in SSL VPN web mode.
635896   The sa***.org website is not shown properly in SSL VPN web mode.
635899   SharePoint portal URL links for Office documents are not redirected over SSL VPN web mode in Firefox.
635907   AM*** website is not shown properly using SSL VPN web mode.
636332   When the JIRA web application is proxied through SSL VPN web mode, one URL is generated without the proxy path.
636984   Website (pr***.com) not loading properly in SSL VPN web mode.
637018   After the upgrade to 6.0.10/6.2.4/6.4.0, SSL VPN portal mapping/remote authentication is matching user into the incorrect group.
637164   The customer's website (https://vpn.***.org) is not shown properly using SSL VPN web mode.
638733   Internal website hosted in bookmark https://in***.cat is not loading completely in SSL VPN web mode.
639431   Three of the internal applications/portal bookmarks do not load/partially work with SSL VPN web mode.
639768   Login page loads with delays in web mode.
639789   Apache Guacamole page is redirected to direct link in SSL VPN web mode.
640167   The Run*** website is not displayed properly using SSL VPN web mode.
642225   The IC*** internal website is not displayed properly using SSL VPN web mode.
643598   Application is not working using SSL VPN web mode.
643749   SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password.
644506   Cannot authenticate to SSL VPN using 2FA if a remote LDAP user and a user within a RADIUS group have the same user name and password.
644607   Sco*** internal portal webpage is not loading after logging in with web mode.
645276   After SSL VPN web mode proxy, some JS files of sthlm04 SCA*** website have problems.
646429   Update Telnet idle timeout setting and fix issue of Telnet not working.
647296   SSL VPN web mode problem with https://de***.com.
648192   DTLS tunnel performance improvements by allowing multiple packets to be read from the kernel driver, and redistributing the UDP packets to several worker processes in the kernel.
648369   Some JS files of ji***.v** could not run in SSL VPN web mode.
649197   Unable to use editor in Atlassian internal Confluence portal over SSL VPN web mode.
649466   SSL VPN authentication fails when all-usergroup is enabled in RADIUS server.

Switch Controller

Bug ID   Description

620718   FortiSwitch port goes down and up too quickly when bounce-nac-port is enabled, and the device interface does not get the new DHCP IP.
633842   FortiLink down with LACP mode set to active.
646178   It is possible to view information about shared FortiSwitch ports in a tenant VDOM from the GUI, but the GUI should not offer recommended configuration changes for them. Please use the CLI for configuration changes.

System

Bug ID   Description

506485   FortiOS get system interface cross-check command improvement.
552788   DSL route not removed when interface is down.
567019   CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots.
572847   The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.
576323   SFP+ 1G speed should be supported on FG-1100E, FG-1800F, FG-2200E, and FG-3300E series.
594264   NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will time out at session TTL expiry.
594871   Potential memory leak triggered by FTP command in WAD.
596209   Device has become unmanageable; receiving errno=Resource temporarily unavailable when trying to update objects.
598928   FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN.
605723   FG-600E stops sending out packets on its SFP and copper port on NP6.
611512   When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE.
612302   FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the fly.
613017   ip6-extra-addr does not perform router advertisement after reboot in HA.
615586   Incorrect IP/MAC address on ESXi hosts.
617134   Traffic not showing statistics for VLAN interfaces based on hardware switch.
617154   Fortinet_CA is missing in FG-3400E.
618158   DHCP client cannot get IP address when NTP server option in DHCP server settings is set to Same as System NTP.
618762   Fail to detect transceiver on all SFP28/QSFP ports. Affected platforms: FG-3300E and FG-3301E.
626371   Request to blocked signature with SSL mirrored traffic capture causes FG-500E to reboot.
626785   FG-101F should support the same WTP size (128) as the FG-100F.
627054   HTTPSD signal 6 crash in cases of long application lists that are greater than or equal to the maximum size of 16.
627409   Cannot create hardware switch on FG-100F.
627629   DHCP client sent invalid DHCP-REQUEST format during INIT state.
628642   Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled.
630658   Auto-script output file size over 400 MB when configured output size is default 10 MB.
632353   Virtual WAN link stops responding after 45 members.
632407   Cannot delete VDOM due to ssl.vdom1 interface after changing mode from split-task VDOM to multi VDOM.
632635   Frame size option in sniffer does not work.
633102   DHCPv6 client's DUID generated on two different FortiGates match.
633298   10G ports x1/x2 cannot be set as interfaces in firewall acl/acl6 policies.
634415   Speed of 100G in get system interface cross-check shown incorrectly as 34464 for Fortinet-authorized FINISAR CORP FTLC9551REPM.
634494   accprofile permission for config system link-monitor is not correct.
634495   accprofile permission for execute ping is not correct.
635308   factoryreset2 does not preserve all interfaces.
636069   Unable to handle kernel NULL pointer dereference at 000000000000008f.
637420   execute shutdown reboots instead of shutting down on SoC4 platforms.
638041   SFP28 port group (ha1, ha2, port1 and port2) missing 1000full speed option. Affected platforms: FG-220xE, FG-330xE, FG-340xE, and FG-360xE.
638738   In VDOM, config log syslogd xxx is not shown in show full-configuration.
639623   Possible conflicts between software switch VLAN setting and its member interface VLAN setting.
641419   FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).
641708   FTLF8536P4BCV shows This transceiver is not certified by Fortinet, corrupt part number and serial number after HA cluster sync.
643188   Interface forward-error-correction setting not honored after reboot.
644427   Interface forward-error-correction setting not honored after reboot. Affected platforms: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, and FG-3600E.
645363   SNMP monitoring does not provide the SD-WAN member interface name.
647593   After reboot, forward-error-correction value is not maintained as it should be.
647718   VDOM with long name cannot be deleted.
647777   FortiGate not responding to DHCP relay requests from clients behind a DHCP relay.
648977   Sometimes when updating the FortiGate license, there is a certificate verification failure.
649506   Sometimes FortiGate does not boot when restoring configuration using private data encryption.
678809   dhcpd crashes with signal 6 because the timer is not canceled before calling the free release function.

Upgrade

Bug ID   Description

635589   Upon upgrading to an affected 6.2 or 6.4 firmware, DoS policies configured on interfaces may drop traffic that is passing through the DoS policy configuration. Note that this can occur if the DoS policy is configured in drop or monitor mode.
         Workaround: disable the DoS policy.

User & Authentication

Bug ID   Description

597319   In SSL VPN certificate authentication, add auth policies based on LDAP group.
605838   Device identification scanner crashes on receipt of SSDP search.
620941   Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to push notification delay.
625107   No response when using FTM-PUSH because unable to set source IP for FTM-PUSH.
627144   Remote admin LDAP user login has authentication failure when the same LDAP user has local two-factor authentication.
629487   Older FortiGate models do not have CA2 and will cause EMS server authentication to fail.
634580   Peer users are matching every group instead of only groups based on the LDAP group membership.
635385   In HA cluster, RADIUS accounting not working with use-management-vdom enable.
637577   Inconsistent fnbamd LDAP group match result.
638593   Certificate verification fails if any CA in a peer-provided certificate chain expires, but its cross-signed certificate is still valid in the system trust store.
658982   ADVPN IKEv2 certificate authentication does not work with OCSP check when certificates do not contain OCSP path.
663692   FortiOS queries first 10 LDAP servers for user authentication.

VM

Bug ID   Description

587180   FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.
603100   Autoscale not syncing certificate among the cluster members.
623376   Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under vdom-exception.
624657   Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces.
626705   By assigning port1 as the HA management port, the HA secondary unit node is now able to send system information to the Azure portal through waagent so that up-to-date information is displayed on the Azure dashboard.
         If port1 is not used as the HA management port, the Azure display and Azure Security Center alerts will not reflect the correct state of the node, which may result in unnecessary alarms.
629709   AWS VM stops processing traffic in some interfaces when running diagnose debug application ike -1.
634245   Dynamic address objects are not resolved to all addresses using Azure SDN connector.
634499   AWS FortiGate NIC gets swapped between port2 and port3 after FortiGate reboots.
637376   In FG-VM64-HV, 802.1Q does not work on interfaces with DPDK enabled.
641038   SSL VPN performance problem on OCI due to driver.
644130   FortiGates in multi-Azure sync their SP addresses for SAML admin authentication.
653567   Admin cannot log in to FortiGate VM GUI after license expired.

VoIP

Bug ID   Description

643548   SIP transfer calls fail when extensions are behind the same FortiGate (spoke).

Web Application Firewall

Bug ID   Description

624452   user-agent setting under config system external-resource does not accept XSS characters.

Web Filter

Bug ID   Description

576862   Update urlfilteridx in traffic log to be webfilter.urlfilter.entry.id.
611501   Clarify meaning of urlfilteridx=0 log field when proxy-based inspection is used.
621807, 625897   Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering rating service.
629005   foauthd has signal 11 crashes when FortiGate does authentication for a web filter category.
630232   Certain regex static URL entries stopped working in 6.2.3.
636754   If the last line in a threat feed does not end with \n, it is not parsed and is not displayed in the GUI.
647227   Externally imported list (custom threat feed) is matching incorrectly in web filter remote category.

WiFi Controller

Bug ID   Description

605937   WiFi health monitor Client Count widget shows clients on the wrong band (on local standalone SSID).
625326   FortiAP not coming online on FG-PPPoE interface.
638537   Applications, Destinations, and Policies keep loading for WiFi Clients > Diagnostics and Tools drill-down.
641811   In FG-100F/101F with PPPoE interface, the FortiGate could not manage FortiAP.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID   CVE references

558685   FortiOS 6.4.2 is no longer vulnerable to the following CVE reference: CVE-2020-12812.
600586   FortiOS 6.4.2 is no longer vulnerable to the following CVE reference: CVE-2019-16151.
618238   FortiOS 6.4.2 running AV engine version 6.00145 or later is no longer vulnerable to the following CVE reference: CVE-2020-9295.
633089   FortiOS 6.4.2 is no longer vulnerable to the following CVE reference: CVE-2020-15937.
634975   FortiOS 6.4.2 is no longer vulnerable to the following CVE reference: CVE-2020-12819.

  • All security profiles will allow multiple profiles by default.
  • All security profile pages will be a list of profiles.

528145

BGP configuration gets applied on the wrong VDOM if user switches VDOM selection in between operations (slow GUI).

541042

Log viewer Forward Traffic does not support multiple filters for one field.

547697

Inconsistency/confusion regarding Hostname field in FortiOS web filter log.

567936

Saved SMS phone number is missing + for country code.

577991

Dotted line shown between FortiGate and second tier switch in Managed FortiSwitch topology.

592073

LED indications for FortiSwitch ports do not auto-reflect the changes made on PoE.

594534

GUI shows Invalid LDAP server error while LDAP query successfully finished.

594702

When sorting the interface list by the Name column, the ports are not always in the correct order (port10 appears before port2).

594991

New service group for explicit proxy could not be saved from GUI.

598222

After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware.

601568

Interface status is not displayed on faceplate when viewed from System > HA page.

601879

When logging in to the dashboard after a factory reset, the dashboard displays The web page cannot be found.

604682

GUI takes two minutes to load VPN > IPsec Tunnels for 1483 tunnels.

605030

Send Logs to FortiCloud and Cloud Logging options not available in GUI for FG-900D.

605496

Configured overlapped subnet on GUI still shows error message after enabling subnet overlap.

606967

One-time schedules are not displayed correctly in Safari browser.

607296

Firewall address keeps loading addresses with read-write permission.

607549

GUI CMDB API to support case sensitive/insensitive filtering.

612236

RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI.

615267

In Firefox, SAML SSO admin cannot create additional SSO admins or normal admins via the GUI.

616878

DHCP relay IP address not showing on Network > Interfaces page for VLAN interface.

618379

Option for TLS in Fortinet FSSO connector does not change port to CA TLS port 8001.

618617

CLI parser error: shaper-profile default class with 0% bandwidth guarantee only possible in GUI.

620854

GUI should not add speed to virtual switch member port (FG-101F).

621902

Default gateway address of DHCP server setting does not follow the interface address when Same as Interface IP is selected.

623109

IPS Filter Details column is empty when All is used.

623939

Interface bandwidth widgets for WAN, PPPoE and VDOM link interfaces are not loading.

624050

FortiGuard page does not open with custom read-write permission in the account profile (403 forbidden error).

624551

On POE devices, several sections of the GUI take over 15 seconds to fully load.

624662

CLI panel allows read-only managed device to be configured by read-only admin.

628373

Software switch members and their VLANs are not visible in the GUI interfaces list.

629139

Security Rating reports should not run as a dependent of Topology reports on downstream FortiGates.

630638

Add a warning when Capture Packets is enabled in policy dialog.

631734

GUI not displaying PoE total power budget on FOS 6.2.3.

633937

GUI is not displaying DHCP configuration if the interface name includes the \ character.

634677

User group not visible in GUI when editing the user with a single right-click.

635538

In FortiGate SAML authentication with Azure AD, service provider configuration is grayed-out.

638034

Ctrl + V does not paste command in GUI CLI console and Ctrl + C does not copy selected output in CLI console.

638277

Firewall address group object (including interface subnet) is invisible in Accessible Networks.

638615

SSO admin cannot open CLI console.

638911

IPS and application control actions cannot be modified to Quarantine.

639129

IPsec aggregate is not shown in Dashboard > Network > IPsec widget.

639163

GUI does not show user group information on firewall user widget.

639288

No historical sessions can be displayed when FortiView widget opens from Show in FortiView.

639542

The Edit pane for PAC File Content on the Explicit Proxy page cannot be opened.

639617

On Explicit Web Proxy Policy page, unable to change Outgoing Source IP option from IP Pools to Proxy Default or Original Source IP. CLI does not have this issue.

642028

On some platforms (FG-60E-61E/81E), the CLI console in the GUI may not function immediately after bootup.

642402

LCP-1250RJ3SR-K transceiver shows a warning in the GUI even though it is certified.

644999

Fortinet-sold active direct attached cable (SP-CABLE-ADASFP+) is showing as not certified by Fortinet.

HA

Bug ID

Description

595340

hasync process consuming 80-95% CPU.

609631

Simultaneous reboot of both nodes in HA when gtp-enhance-mode enabled or disabled.

627610

When HA primary device is down, a time synchronization with NTP servers will be disabled after failback.

627851

After the HA peer node has been replaced, need a way to reset the HA health status back to OK.

630070

HA is failing over due to cmdbsvr crashes.

631342

FG-100D HA active-passive mode not syncing.

634604

SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C.

637843

HA secondary device is reporting multiple events (DDNS update failed).

638287

private-data-encryption causes cluster to be periodically out of sync due to customer certificates.

639307

Both primary and secondary consoles keep printing get_ha_sync_obj_sig_4dir: stat /etc/cert/ca/5c44d531.0 error 2.

640428

SSL VPN related auth login user event logs do not require HA to be in sync.

643958

Inconsistent data from FFDB caused several confsyncd crashes.

645293

traceroute not working in asymmetric FGSP environment.

645387

HA pingsvr is in up state in spite of lnkmtd showing it as being in die state.

648073

HA cluster uses physical port MAC address at the time of HA failover.

Intrusion Prevention

Bug ID

Description

582936

IPS traffic log and PCAP archive do not match.

595062

SSL offloading randomly does not work when UTM (AV/IPS) is enabled in firewall policy.

617588

Unable to open TCP application via IPsec tunnel when np-accel-mode is enabled.

631381

RDP NLA authentication blocked by FortiGate when enabling IPS profile in the security group (central NAT).

638235

Some IPS logs do not include direction field.

IPsec VPN

Bug ID

Description

516029

Remove the IPsec global lock.

610203

When an offloaded IPsec SA uses NP6 reserved space, it gets stuck and packets on the tunnel start to drop.

622959

FortiGate does not send framed IPv6 address in RADIUS accounting records.

631804

OCVPN errors showing in logs when OCVPN is disabled.

631968

IKE daemon signal 6 crash when phase1 add-gw-route is enabled.

634883

IKE crashes at ike_hasync__xauth.

635325

Static route for site-to site VPN remains active even when the tunnel is down.

645196

Static routes added by iked in non-root VDOM are not removed when tunnel interface status is set to down by configuration change.

Log & Report

Bug ID

Description

589782

IPS sensor log-attack-context output truncated.

605405

IPS logs are recorded twice with TCP offloading on virtual server.

607449

Log searches being conducted in a FortiGate for logs stored on a FortiAnalyzer are only sent as case-sensitive.

630769

miglogd crashes when the FortiGate does a weekly log purge.

634947

rlogd signal 11 crashes.

635013

FortiOS gives wrong time stamp when querying FortiGate Cloud log view.

637117

Incomplete log field returned from CEF formatted syslog message.

639807

PBA logs show only 0 or 1 duration in logs; cannot answer data requests from law enforcement.

641450

miglogd processes bound to busy CPUs even though there are other completely idle CPUs available.

Proxy

Bug ID

Description

586281

WAD memory corruption.

603195

Multiple WAD crashes with signal 11.

623108

FTP-TP reaches high memory usage and triggers conserve mode.

624245

WAD crashes when all of these conditions are met: policy is doing deep inspection, SNI in client hello is in the exempt list, server certificate CNAME is not in the exempt list.

631542

WAD signal 11 crash logs SSL/TLS errors and disconnects with the OCSP stapling.

633175

WAD crash observed, wad_http_pattern_match_response + 0x0045, on FG-80E-POE during regression testing.

636508

FortiGate blocks traffic in transparent proxy policy, even if the traffic matches the proxy address.

637389

The WAD process is crashing multiple times.

640427

Web proxy WAD crash under WAN Opt auto-active mode.

643725

The IMAP proxy crashes with signal 7 (SIGBUS).

645943

Memory usage spike (all WAD workers) without bandwidth spike.

Routing

Bug ID

Description

624621

Log traffic to remote servers does not follow SD-WAN rules.

627951

NTP and FSSO not following SD-WAN rules.

628896

DHCP relay does not match the SD-WAN policy route.

632160

FortiGuard GeoIP queries (TCP/443) and FortiSandbox Cloud traffic do not follow policy route/SD-WAN rule.

632285

Health check SLA status log shows configured bandwidth value instead of used bandwidth value.

633463

DRother firewall in OSPFv3 generates neighbor state is less than Exchange log for the LSA update from a DCother neighbor.

633600

BGP hold time and keepalive timers are not updated on spokes after changing on the hub side.

635716

FortiGuard web filter traffic also needs to follow SD-WAN service.

639834

Inconsistency in source IP-based ECMP for IPv6.

641022

Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP changes.

641928

When BGP's recursive next hop can be resolved by multiple routes, the recursive distance is not taken into account when installing the routes. Multiple ECMP paths can be installed with different recursive distances to the next hop.

646418

SD-WAN information available in session list is confusing.

Security Fabric

Bug ID

Description

619696

Automation stitch traffic is sent via mgmt with ha-direct to AWS Lambda after upgrading from 6.0.9 to 6.2.3

622032

SSH as automation action is not working as expected.

626691

FG-60F unable to join Security Fabric, unknown CA.

629723

SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions.

631607

CSF root FortiGate cannot listen to loopback interface.

637464

FortiMail appears as Unknown fabric device when multi-vdom is enabled.

638512

User sees a Failed to send request error when generating access token for FortiMail under multi-VDOM FortiGate.

641006

Automation stitch causes HA sync failure.

SSL VPN

Bug ID

Description

505986

On IE 11, SSL VPN web portal displays blank page titled {{::data.portal.heading}} after authentication.

573853

TX packet drops on SSL root interface.

604772

SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated.

608464

Get 305 error when browsing website through SSL VPN web mode bookmark and sslvpnd crashes.

611498

SMB/CIFS traffic via SSL VPN web mode not using correct SNAT IP (IP pool).

613612

Important GUI pages in 6.4.0 are not rendered well by SSL VPN portal.

620508

CLI command get vpn ssl monitor displays users from other VDOM.

622110

SSL VPN disconnected when importing or renaming CA certificates.

623076

Add memory protection for web mode SSL VPN child process (guacd).

623217

Website pop-up error using SSL VPN web mode.

623379

Memory corrupt in some DNS callback cases causes SSL VPN crash.

624283

Customer has to manually add domain in SMB share login through SSL VPN portal.

624899

Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark.

624904

The company website is not shown properly in SSL VPN web mode.

626228

Bookmark does not load though SSL VPN web mode.

626237

SAP portal link is not working in SSL VPN web mode.

626822

SSL VPN denies login after receiving FortiToken Cloud token and entering token.

627150

SSL VPN web mode unable to load custom web application JavaScript parts.

627456

Traffic cannot pass when SAML user logs in to SSL VPN portal with group match.

628059

SSL VPN web mode gets redirected out of SSL VPN proxy.

628597

Unable to load the SSL VPN bookmark internal website https://fi***.

628801

Internal web application is not opened after the login.

628821

Internal aixws7test2 portal is not loading in SSL VPN web mode.

629190

After SSL VPN proxy, some JS files of hapi website could not work.

629373

SAML login button is lost on SSL VPN portal.

630432

Slides in website https://re***.nz are displayed in SSL VPN web mode.

631050

ERR_EMPTY_RESPONSE while accessing internal portal's webpages in SSL VPN web mode.

631130

Internal site http://va***.com not completely loading through SSL VPN web mode bookmark.

631402

Website (https://uj***) is not accessible in SSL VPN web mode.

631510

Some internal servers do not provide any content type or content length in response header; sslvpnd treats it as HTML file to handle and has problem to finish it.

631809

Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.

633047

Cannot load local 1C application through web mode.

633114

Cannot access internal website pl***.fr using SSL VPN web mode.

633812

For guacd daemon generated for RDP session, it would sometimes be in an unknown state with 100% CPU and could not be released.

634210

SSL VPN daemon crash due to limit-user-login.

634991

Internal server error 500 while accessing contolavdip portal in SSL VPN web mode.

635307

Map could not be displayed correctly in SSL VPN web mode.

635341

SSL VPN not assigning IP from local IP pool when framed IP address is received with value 0xFFFFFFFE.

635608

Map could not be displayed correctly in SSL VPN web mode.

635896

The sa***.org website is not shown properly in SSL VPN web mode.

635899

SharePoint portal URL links for Office documents are not redirected over SSL VPN web mode in Firefox.

635907

AM*** website is not shown properly using SSL VPN web mode.

636332

With SSL VPN proxy JIRA web application, get one wrong URL without proxy path.

636984

Website (pr***.com) not loading properly in SSL VPN web mode.

637018

After the upgrade to 6.0.10/6.2.4/6.4.0, SSL VPN portal mapping/remote authentication is matching user into the incorrect group.

637164

The customer's website (https://vpn.***.org) is not shown properly using SSL VPN web mode.

638733

Internal website hosted in bookmark https://in***.cat is not loading completely in SSL VPN web mode.

639431

Three of the internal applications/portal bookmarks do not load/partially work with SSL VPN web mode.

639768

Log in page loading with delays in web mode.

639789

Apache Guacamole page is redirected to direct link in SSL VPN web mode.

640167

The Run*** website is not displayed properly using SSL VPN web mode.

642225

The IC*** internal website is not displayed properly using SSL VPN web mode.

643598

Application is not working using SSL VPN web mode.

643749

SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password.

644506

Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password.

644607

Sco*** internal portal webpage is not loading after logging in with web mode.

645276

After SSL VPN web mode proxy, some JS files of sthlm04 SCA*** website have problems.

646429

Update Telnet idle timeout setting and fix issue of Telnet not working.

647296

SSL VPN web mode problem with https://de***.com.

648192

DTLS tunnel performance improvements by allowing multiple packets to be read from the kernel driver, and redistributing the UDP packets to several worker processes in the kernel.

648369

Some JS files of ji***.v** could not run in SSL VPN web mode.

649197

Unable to use editor in Atlassian internal Confluence portal over SSL VPN web mode.

649466

SSL VPN authentication fails when all-usergroup is enabled in RADIUS server.

Switch Controller

Bug ID

Description

620718

FortiSwitch port goes down and up too quickly when bounce-nac-port is enabled, and the device interface does not get the new DHCP IP.

633842

FortiLink down with LACP mode set to active.

646178

It is possible to view information of shared FortiSwitch ports in a tenant VDOM from the GUI, but there should not be recommended configuration changes in the GUI. Please use CLI for configuration changes.

System

Bug ID

Description

506485

FortiOS get system interface cross-check command improvement.

552788

DSL route not removed when interface is down.

567019

CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots.

572847

The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.

576323

SFP+ 1G speed should be supported on FG-1100E, FG-1800F, FG-2200E, and FG-3300E series.

594264

NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will timeout at session TTL expiry.

594871

Potential memory leak triggered by FTP command in WAD.

596209

Device has become unmanageable; receiving errno=Resource temporarily unavailable when trying to update objects.

598928

FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN.

605723

FG-600E stops sending out packets on its SPF and copper port on NP6.

611512

When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE.

612302

FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the fly.

613017

ip6-extra-addr does not perform router advertisement after reboot in HA.

615586

Incorrect IP/MAC address on ESXi hosts.

617134

Traffic not showing statistics for VLAN interfaces based on hardware switch.

617154

Fortinet_CA is missing in FG-3400E.

618158

DHCP client cannot get IP address when NTP server option in DHCP server settings is set to Same as System NTP.

618762

Fail to detect transceiver on all SFP28/QSFP ports. Affected platforms: FG-3300E and FG-3301E.

626371

Request to blocked signature with SSL mirrored traffic capture causes FG-500E to reboot.

626785

FG-101F should support the same WTP size (128) as the FG-100F.

627054

HTTPSD signal 6 crash in cases of long application lists that are greater or equal to the maximum size of 16.

627409

Cannot create hardware switch on FG-100F.

627629

DHCP client sent invalid DHCP-REQUEST format during INIT state.

628642

Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled.

630658

Auto-script output file size over 400 MB when configured output size is default 10 MB.

632353

Virtual WAN link stops responding after 45 members.

632407

Cannot delete VDOM due to ssl.vdom1 interface after changing mode from split-task VDOM to multi VDOM.

632635

Frame size option in sniffer does not work.

633102

DHCPv6 client's DUID generated on two different FortiGates match.

633298

10G ports x1/x2 cannot be set as interfaces in firewall acl/acl6 policies.

634415

Speed of 100G in get system interface cross-check shown incorrectly as 34464 for Fortinet-authorized FINISAR CORP FTLC9551REPM.

634494

accprofile permission for config system link-monitor is not correct.

634495

accprofile permission for execute ping is not correct.

635308

factoryreset2 does not preserve all interfaces.

636069

Unable to handle kernel NULL pointer dereference at 000000000000008f.

637420

execute shutdown reboots instead of shutting down on SoC4 platforms.

638041

SFP28 port group (ha1, ha2, port1 and port2) missing 1000full speed option. Affected platforms: FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

638738

In VDOM, config log syslogd xxx is not shown in show full-configuration.

639623

Possible conflicts between software switch VLAN setting and its member interface VLAN setting.

641419

FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).

641708

FTLF8536P4BCV shows This transceiver is not certified by Fortinet, corrupt part number and serial number after HA cluster sync.

643188

Interface forward-error-correction setting not honored after reboot.

644427

Interface forward-error-correction setting not honored after reboot. Affected platforms: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, and FG-3600E.

645363

SNMP monitoring does not provide the SD-WAN member interface name.

647593

After reboot, forward-error-correction value is not maintained as it should be.

647718

VDOM with long name cannot be deleted.

647777

FortiGate not responding to DHCP relay requests from clients behind a DHCP relay.

648977

Sometimes when updating the FortiGate license, there is a certificate verification failure.

649506

Sometimes FortiGate does not boot when restoring configuration using private data encryption.

678809

dhcpd crashes with signal 6 because the timer is not canceled before calling the free release function.

Upgrade

Bug ID

Description

635589

Upon upgrading to an affected 6.2 or 6.4 firmware, DoS policies configured on interfaces may drop traffic that is passing through the DoS policy configuration. Note that this can occur if the DoS policy is configured in drop or monitor mode.

Workaround: disable the DoS policy.

User & Authentication

Bug ID

Description

597319

In SSL VPN certificate authentication, add auth policies in base of LDAP group.

605838

Device identification scanner crashes on receipt of SSDP search.

620941

Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to push notification delay.

625107

No response when using FTM-PUSH because unable to set source IP for FTM-PUSH.

627144

Remote admin LDAP user login has authentication failure when the same LDAP user has local two-factor authentication.

629487

Older FortiGate models do not have CA2 and will cause EMS server authentication to fail.

634580

Peer users are matching every group instead of only groups based on the LDAP group membership.

635385

In HA cluster, RADIUS accounting not working with use-management-vdom enable.

637577

Inconsistent fnbamd LDAP group match result.

638593

Certificate verification fails if any CA in a peer-provided certificate chain expires, but its cross-signed certificate is still valid in the system trust store.

658982

ADVPN IKEv2 certificate authentication does not work with OCSP check when certificates do not contain OCSP path.

663692

FortiOS queries first 10 LDAP servers for user authentication.

VM

Bug ID

Description

587180

FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

603100

Autoscale not syncing certificate among the cluster members.

623376

Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under vdom-exception.

624657

Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces.

626705

By assigning port1 as the HA management port, the HA secondary unit node is now able to send system information to the Azure portal through waagent so that up-to-date information is displayed on the Azure dashboard.

If port1 is not used as the HA management port, the Azure display and Azure Security Center alerts will not reflect the correct state of the node, which may result in unnecessary alarms.

629709

AWS VM stops processing traffic in some interfaces when running diagnose debug application ike -1.

634245

Dynamic address objects are not resolved to all addresses using Azure SDN connector.

634499

AWS FortiGate NIC gets swapped between port2 and port3 after FortiGate reboots.

637376

In FG-VM64-HV, 802.1Q does not work on interfaces with DPDK enabled.

641038

SSL VPN performance problem on OCI due to driver.

644130

FortiGates in multi-Azure sync their SP addresses for SAML admin authentication.

653567

Admin cannot log in to FortiGate VM GUI after license expired.

VoIP

Bug ID

Description

643548

SIP transfer calls fail when extensions are behind the same FortiGate (spoke).

Web Application Firewall

Bug ID

Description

624452

user-agent setting under config system external-resource does not accept XSS characters.

Web Filter

Bug ID

Description

576862

Update urlfilteridx in traffic log to be webfilter.urlfilter.entry.id.

611501

Clarify meaning of urlfilteridx=0 log field when proxy-based inspection is used.

621807, 625897

Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering rating service.

629005

foauthd has signal 11 crashes when FortiGate does authentication for a web filter category.

630232

Certain regex static URL entries stopped working in 6.2.3.

636754

If the last line in a threat feed does not end with \n, it is not parsed and is not displayed in the GUI.

647227

Externally imported list (custom threat feed) is matching incorrectly in web filter remote category.

WiFi Controller

Bug ID

Description

605937

WiFi health monitor Client Count widget shows clients on the wrong band (on local standalone SSID).

625326

FortiAP not coming online on FG-PPPoE interface.

638537

Applications, Destinations, and Policies keep loading for WiFi Clients > Diagnostics and Tools drill-down.

641811

In FG-100F/101F with PPPoE interface, the FortiGate could not manage FortiAP.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

558685

FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-12812

600586

FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference:

  • CVE-2019-16151

618238

FortiOS 6.4.2 running AV engine version 6.00145 or later is no longer vulnerable to the following CVE Reference:

  • CVE-2020-9295

633089

FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-15937

634975

FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference:

  • CVE-2020-12819