Fortinet black logo

FortiOS Release Notes

Home FortiGate / FortiOS 6.4.3 FortiOS Release Notes
6.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.10
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2

Known issues

Known issues

The following issues have been identified in version 6.4.3. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Endpoint Control

Bug ID

Description

664654

EMS host tags are not synced with the FortiGate when the user connects to a tunnel mode SSID.

Firewall

Bug ID

Description

666612

Get internet service name configuration error on version 7.01011 when FortiGate reboots or upgrades.

669665

All ISDB groups are lost when upgrading from 6.2.5 to 6.4.2.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683627

FortiView does not display any data when FortiAnalyzer Cloud is the data source.

GUI

Bug ID

Description

567996

Managed FortiSwitch and FortiSwitch Ports pages cannot load when there is a large number of managed FortiSwitches.

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

650708

When the client browser is in a different time zone from the FortiGate, the Guest Management page displays an incorrect expiry time for guest users. The CLI returns the correct expiry.

652394

GUI cannot change action for the web-based email category in DNS filter profile.

656668

On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows

the connecting IP address instead of the configured IP address.

662873

Editing the LDAP server in the GUI removes the line set server-identity-check disable from the configuration.

663351

Connectivity test for RADIUS server using CHAP authentication always returns failure.

664007

GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

665444

Log Details does not resize the log columns and covers existing log columns.

665712

When multiple favorite menus are configured, the new features video pops up after each GUI login, even though user previously selected Don't show again.

666999

When editing the Poll Active Directory Server page, the configured LDAP server saved in FSSO polling is not displayed. Users must use the CLI to modify the setting.

668020

Disclaimer users are not shown in the user monitor; they must be displayed in the CLI with diagnose firewall auth list.

668470

FortiGuard DDNS setting incorrectly displays truncated unique location and empty server selection after saving changes.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

672906

GUI does not redirect to the system reboot progress page after successfully restoring a configuration.

673478

Some FortiView graphs and drilldown views show empty data due to filtering issue. Affected graphs/views: Top System Events, Top Authentication Failures, Policy View, and Compromised Host View.

675170

The Applications and Destinations tabs on the Diagnostic and Tools pane show the same data for different clients on the WiFi Clients monitor page.

680805

The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.

682008

On SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing a domain name for the VPN gateway.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

689605

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

HA

Bug ID

Description

615001

LAG does not come up after link failed signal is triggered.

677246

Unable to contact TACACS+ server when using HA dedicated management interface in 6.4.3.

678309

Cluster is out of sync because of config vpn certificate ca after upgrade.

Intrusion Prevention

Bug ID

Description

654307

Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

668631

IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates.

Workaround: disable CP or disable the extended database.

config ips global
    set database regular
    set cp-accel-mode none
end

IPsec VPN

Bug ID

Description

652774

OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes have two ISPs and some have one, but the hubs have two.

655895

Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).

663126

Packets for the existing session are still forwarded via the old tunnel after the routing changed on the ADVPN hub.

667129

In ADVPN with SLA mode, traffic does not switch back to the lowest cost link after its recovery.

Log & Report

Bug ID

Description

661040

Cyrillic characters not displayed properly in local reports.

Proxy

Bug ID

Description

657905

Firewall policy with UTM in proxy mode breaks SSL connections in active-active cluster.

684168

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

Routing

Bug ID

Description

654032

SD-WAN IPv6 route tag command is not available in the SD-WAN services.

669380

Router daemons get stuck after rebooting when executing get router info routing-table all.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

666242

Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.

SSL VPN

Bug ID

Description

670803

Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode.

675878

When matching multiple SSL VPN firewall policies, SSL VPN checks the group list from bottom to top, and the user is mapped to the incorrect portal.

684012

SSL VPN crashed with signal 11 (segmentation fault) uri_search because of rules set for a special case.

Switch Controller

Bug ID

Description

671135

flcfg crashes while configuring FortiSwitches through FortiLink.

System

Bug ID

Description

607565

Interface emac-vlan feature does not work on SoC4 platform.

630861

Support FortiManager when private-data-encryption is enabled in FortiOS.

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

651103

FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.

657629

ARM-based platforms do not have sensor readings included in SNMP MIBs.

662681

Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.

663083

Offloaded traffic from IPsec crossing the NPU VDOM link is dropped.

666030

Empty firewall objects after pushing several policy deletes.

666205

High CPU on L2TP process caused by loop.

User & Authentication

Bug ID

Description

643583

radius-vdom-override and accprofile-override do not work when administrator has 2FA enabled.

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

669822

Hot adding multiple CPUs at once to Xen-flavored VMs can result in a kernel panic crash.

Workaround: add one CPU at a time. Alternatively, shut down the VM, add the CPUs, and restart the VM.

671279

FG-VM64-AZURE-PAYG license/serial number get lost after downgrading to 6.2.6 from 6.4.3.

672312

Azure SDN connector does not offer all service tags.

WiFi Controller

Bug ID

Description

643854

Client traffic was dropped by CAPWAP offloading when it connected from a mesh leaf Forti-AP managed by a FWF-61F local radio.

672920

CAPWAP tunnel traffic is dropped when offloading is enabled (with FAP managed by a VLAN interface). There are three workarounds:

  • Disable capwap-offload in system npu and reboot.

  • Set dtls-policy dtls enabled in wireless-controller wtp-profile. This may cause traffic to slow.

  • Enable UTM in the firewall policy (does not require reboot). This workaround cannot be applied on NP6Xlite FortiGates (FG-6xF and FG-10xF).

    config firewall policy
    edit <id>
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "g-default"
    next
end

673211

CAPWAP traffic drops on FG-300E when FortiAP is managed by VLAN interface.

674342

The cw_acd crashes after upgrading to 6.4.3 at cwAcLocal.
Previous
Next

Known issues

The following issues have been identified in version 6.4.3. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Endpoint Control

Bug ID

Description

664654

EMS host tags are not synced with the FortiGate when the user connects to a tunnel mode SSID.

Firewall

Bug ID

Description

666612

Get internet service name configuration error on version 7.01011 when FortiGate reboots or upgrades.

669665

All ISDB groups are lost when upgrading from 6.2.5 to 6.4.2.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683627

FortiView does not display any data when FortiAnalyzer Cloud is the data source.

GUI

Bug ID

Description

567996

Managed FortiSwitch and FortiSwitch Ports pages cannot load when there is a large number of managed FortiSwitches.

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

650708

When the client browser is in a different time zone from the FortiGate, the Guest Management page displays an incorrect expiry time for guest users. The CLI returns the correct expiry.

652394

GUI cannot change action for the web-based email category in DNS filter profile.

656668

On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows

the connecting IP address instead of the configured IP address.

662873

Editing the LDAP server in the GUI removes the line set server-identity-check disable from the configuration.

663351

Connectivity test for RADIUS server using CHAP authentication always returns failure.

664007

GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

665444

Log Details does not resize the log columns and covers existing log columns.

665712

When multiple favorite menus are configured, the new features video pops up after each GUI login, even though user previously selected Don't show again.

666999

When editing the Poll Active Directory Server page, the configured LDAP server saved in FSSO polling is not displayed. Users must use the CLI to modify the setting.

668020

Disclaimer users are not shown in the user monitor; they must be displayed in the CLI with diagnose firewall auth list.

668470

FortiGuard DDNS setting incorrectly displays truncated unique location and empty server selection after saving changes.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

672906

GUI does not redirect to the system reboot progress page after successfully restoring a configuration.

673478

Some FortiView graphs and drilldown views show empty data due to filtering issue. Affected graphs/views: Top System Events, Top Authentication Failures, Policy View, and Compromised Host View.

675170

The Applications and Destinations tabs on the Diagnostic and Tools pane show the same data for different clients on the WiFi Clients monitor page.

680805

The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.

682008

On SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing a domain name for the VPN gateway.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

689605

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

HA

Bug ID

Description

615001

LAG does not come up after link failed signal is triggered.

677246

Unable to contact TACACS+ server when using HA dedicated management interface in 6.4.3.

678309

Cluster is out of sync because of config vpn certificate ca after upgrade.

Intrusion Prevention

Bug ID

Description

654307

Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

668631

IPS is constantly crashing, and ipshelper has high CPU when IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates.

Workaround: disable CP or disable the extended database.

config ips global
    set database regular
    set cp-accel-mode none
end

IPsec VPN

Bug ID

Description

652774

OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes have two ISPs and some have one, but the hubs have two.

655895

Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).

663126

Packets for the existing session are still forwarded via the old tunnel after the routing changed on the ADVPN hub.

667129

In ADVPN with SLA mode, traffic does not switch back to the lowest cost link after its recovery.

Log & Report

Bug ID

Description

661040

Cyrillic characters not displayed properly in local reports.

Proxy

Bug ID

Description

657905

Firewall policy with UTM in proxy mode breaks SSL connections in active-active cluster.

684168

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

Routing

Bug ID

Description

654032

SD-WAN IPv6 route tag command is not available in the SD-WAN services.

669380

Router daemons get stuck after rebooting when executing get router info routing-table all.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

666242

Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.

SSL VPN

Bug ID

Description

670803

Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode.

675878

When matching multiple SSL VPN firewall policies, SSL VPN checks the group list from bottom to top, and the user is mapped to the incorrect portal.

684012

SSL VPN crashed with signal 11 (segmentation fault) uri_search because of rules set for a special case.

Switch Controller

Bug ID

Description

671135

flcfg crashes while configuring FortiSwitches through FortiLink.

System

Bug ID

Description

607565

Interface emac-vlan feature does not work on SoC4 platform.

630861

Support FortiManager when private-data-encryption is enabled in FortiOS.

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

651103

FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.

657629

ARM-based platforms do not have sensor readings included in SNMP MIBs.

662681

Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.

663083

Offloaded traffic from IPsec crossing the NPU VDOM link is dropped.

666030

Empty firewall objects after pushing several policy deletes.

666205

High CPU on L2TP process caused by loop.

User & Authentication

Bug ID

Description

643583

radius-vdom-override and accprofile-override do not work when administrator has 2FA enabled.

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

669822

Hot adding multiple CPUs at once to Xen-flavored VMs can result in a kernel panic crash.

Workaround: add one CPU at a time. Alternatively, shut down the VM, add the CPUs, and restart the VM.

671279

FG-VM64-AZURE-PAYG license/serial number get lost after downgrading to 6.2.6 from 6.4.3.

672312

Azure SDN connector does not offer all service tags.

WiFi Controller

Bug ID

Description

643854

Client traffic was dropped by CAPWAP offloading when it connected from a mesh leaf Forti-AP managed by a FWF-61F local radio.

672920

CAPWAP tunnel traffic is dropped when offloading is enabled (with FAP managed by a VLAN interface). There are three workarounds:

  • Disable capwap-offload in system npu and reboot.

  • Set dtls-policy dtls enabled in wireless-controller wtp-profile. This may cause traffic to slow.

  • Enable UTM in the firewall policy (does not require reboot). This workaround cannot be applied on NP6Xlite FortiGates (FG-6xF and FG-10xF).

    config firewall policy
    edit <id>
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "g-default"
    next
end

673211

CAPWAP traffic drops on FG-300E when FortiAP is managed by VLAN interface.

674342

The cw_acd crashes after upgrading to 6.4.3 at cwAcLocal.
Previous
Next