Fortinet Document Library

Resolved issues

The following issues have been fixed in version 6.4.3. For inquiries about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID          Description
560044          Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.
635365          FortiGate enters conserve mode.

Application Control

Bug ID          Description
651019          For the Google.Drive_File.Sharing signature, if it is set to deny in NGFW policy mode and followed by another policy with allow all, the client can still share files.

Data Leak Prevention

Bug ID          Description
616918          DLP cannot detect attached ZIP and PDF files when receiving emails via MAPI over HTTPS.

DNS Filter

Bug ID          Description
649985          Random SDNS rating timeout events on 6K/7K SLBC with FGSP.

Explicit Proxy

Bug ID          Description
644121          Explicit proxy error 504; DNS fails for a specific domain.
650540          FortiGate sends traffic to an incorrect port using a wrong source NAT IP address.
654211          When a category proxy address is applied in a proxy policy and SOCKS traffic passes through the web proxy, WAD crashes with signal 11 at wad_url_choose_cate while matching the SOCKS traffic against the proxy address. Browsers may send SOCKS traffic in the background from time to time.
660703          Using the HTTP explicit proxy denies access to non-HTTP traffic and displays a policy violation.

Firewall

Bug ID          Description
586764          Abnormal prolonged CPU spike with cmdbsvr and WAD processes when making changes to a large policy list (10 000+ policies).
586995          Cluster VDOM policy statistics data is not correct when the VFID is different for the same VDOM on primary/secondary.
609027          SCTP secondary path not working in ECMP context; incorrect expectation session created from auxiliary session.
616220          ICMP reply packets dropped by the FortiGate.
635074          Firewall policy dstaddr does not show virtual server available based on virtual WAN link member.
643446          Fragmented UDP traffic is silently dropped when fragments have different ECN values.
644225          Challenge ACK is being dropped.
647410          append command allows mixing VIP and firewall address as destination objects in a firewall policy.
648951          External threat feed entry 0.0.0.0/0 shows as invalid but it blocks traffic.
650700          There should be an event log when there are internet service remove/merge entries.
650867          Firewall does not track UDP sessions on the same port.
656678          Different ciphers for SSL/HTTPS virtual servers.
659142          TNS connection requests limited to 500 per second when a client is trying to reach a database server through the firewall.
660461          Configuration changes take a long time, and ipsmonitor and cmdbsrv processes go up to 100% of CPU in a large, complex configuration.

FortiView

Bug ID          Description
643198          Threats drilldown for Sources, Destinations, and Country/Region (1 hour, 24 hours, 7 days) gives the error, Failed to retrieve FortiView data.

GUI

Bug ID          Description
446427          Using the GUI to update a VDOM license fails when the new license has a lower VDOM count than the current license.
543192          Source IP is not used when using the GUI to query the FortiGuard filtering service.
547123          The help message for gui-dynamic-profile-display is not correct.
561889          When creating a firewall with an invalid subnet mask, an error is not generated.
588159          When disabling Allow Endpoint Registration on the VPN Creation Wizard, the action succeeds, but the error Unable to setup VPN is incorrectly displayed.
606814          When creating a profile group with an SSL/SSH profile of no-inspection, the profile group correctly displays this, but when you edit the profile, certificate-inspection is displayed.
612066          GUI does not allow user to select SSL VPN tunnel when configuring Multicast routing.
634550          GARP is not sent when using the GUI to move a VDOM from one virtual cluster to another. GARP is sent when using the CLI.
638752          FortiGates in an HA A-P configuration may lose GUI access to the HA secondary device after a period of 8 days of inactivity, when at least one static IPv6 address is configured on an interface.
638822          On Dashboard Setup page, changes made by super administrator and administrator of multiple VDOMs should be reflected in all managed VDOMs.
645441          FortiAnalyzer Cloud card on the Fabric Connectors page shows a connected icon when it is not connected.
645606          GUI does not allow users to select SD-WAN as a destination interface in an SSL VPN policy while CLI does.
646327          Web filter profile dialog cannot load URL filter table if there are a lot of URL filters.
649027          The FortiLink Interface pane incorrectly displays high CPU usage and poor health.
650307          GUI does not show the configured external FortiGuard category in the SSL-SSH profile's exempt list.
650800          Unable to delete multiple phase 2 selectors at the same time from the VPN IPsec tunnels dialog.
651412          Unable to print user data for guest management.
651711          Unable to select an address group when configuring Source IP Pools for an SSL VPN portal.
652975          Cannot access FortiGate GUI over IPv6 after configuring IPv6 for the first time.
653240          When refreshing the FortiGuard page, connectivity status for Web Filtering and Anti-Spam incorrectly changes from up to down.
653422          When VDOM is enabled, the GUI cannot be used to edit a remote user group from within the Administrators dialog.
654018          When there are more than 600 quarantined IP addresses, the Quarantine Monitor (GUI and CLI) will not properly display them.
654186          The top charts of the Device Inventory Monitor dashboard are empty when the visualization is set to table view.
654250          Firewall users cannot change their password via web captive portal when password renewal is enforced by the firewall policy for remote users.
654256          GUI interface speed test fails when there are multiple VDOMs.
654339          GUI search does not work in the interface list if DHCP client and range columns are present.
654626          Unable to change the action setting of Freeware and Software Downloads using the FortiGuard Category Based Filter of the DNS filter profile.
655255          FortiGuard resource retrieval delay causes GUI pages to respond slowly. Affected pages include: Firewall Policy, Settings (log and system), Explicit Proxy (web and FTP), System Global, and System CSF.
655568          Users cannot deselect Administrative Access options for VLAN interfaces from the GUI; the CLI must be used.
655891          Web CLI console cannot load due to Connection lost if port 8080 is used (HTTP).
656139          When editing the Interface column from the Multicast Policy page, an empty column appears when the any entry is selected from Select Entries and applied. The same occurs from the NAT64 and NAT46 policy pages.
656429          Intermittent GUI process crash if a managed FortiSwitch returns a reset status.
656974          ip6-mode was changed from delegated to static after the interface was edited from the GUI.
657322          For AV profiles, the outbreak-prevention setting on enabled protocols is not automatically configured when enabling Use External Malware Block List.
657545          Enabling the Dynamic Gateway toggle for a static route fails without warning when the configuration is incorrect.
661582          Date/Time filter does not work on FortiGate Cloud logs.
663737          Re-add the FortiView facets filtering bar to full screen or standalone mode.
663818          When filtering log view entries by IP address range, entries higher than the upper limit of the range are shown.
663956          Unable to load web CLI console for LDAP admin with a login name that contains a space.
668646          FortiSwitch topology is not shown on Managed FortiSwitch page topology view.

HA

Bug ID          Description
421335          Get one-time hasync crash when running HA scripts for FIPS-CC.
583059          In Hyper-V HA, CLI will falsely report can not set mac address when MAC address is set.
637711          CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary units.
640327          Duplicate logs are created by both primary and secondary devices for IPsec VPN.
643958          Inconsistent data from FFDB caused several confsyncd crashes.
647679          Inconsistent values for HA cluster inside the SNMP.
651177          When the secondary device reboots, it adds an interface to the virtual switch. The secondary cannot synchronize after it starts, as that interface disappears in system interface and virtual-switch.
651674          Long sessions lost on new primary after HA failover.
654341          A newly joined secondary chassis fails to sync while the primary chassis has 6K policies in one VDOM.
656099          The mgmt interfaces are excluded from heartbeat interfaces (even if dedicate-mgmt is not enabled).
657376          VLAN interfaces that are created on a different virtual cluster primary instead of the root primary do not sync.
662893          HA cluster goes out of sync if SAML SSO admin logs in to the device.

Intrusion Prevention

Bug ID          Description
655371          Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode.
660111          SSL VPN web mode IPS detection with HTTP does not work, even though it works with HTTPS.

IPsec VPN

Bug ID          Description
592361          Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.
614483          Add IKEv2 phase 2 initiator traffic selector narrowing for Cisco compatibility.
638352          In extreme situations when thousands of tunnels are negotiating simultaneously (IKEv2), the iked process gets exhausted and stuck.
638573          FortiGate is not deleting the shortcut tunnel for ISPA (primary ISP) when ISPA is down.
639806          User name is empty in the log when an IPsec dialup IKEv2 client presents an RSA certificate with an empty subject.
646012          DHCP over IPsec randomly works when net-device is disabled.
647285          IKE HA sync of IPsec SA fails on the receiver when the ESP null crypto algorithm is used.
650599          IKE HA sync truncates phase 2 option flags after the first eight bits.
655739          local-gw is replaced with the primary IP on a secondary device when the secondary IP is used as a local-gw.
659535          Setting the same phase1-interface in an SD-WAN member and an SD-WAN zone causes an iked watchdog timeout.
660472          Could not locate phase 1 configuration for IPv6 dialup IPsec VPN.
666693          If the NAT-T IP changes, the dynamic IPsec spoke add-route entry is stuck on the hub.
668554          Upon upgrading to FortiOS 6.4.2, a device with IPsec configured may experience IKE process crashes when any configuration change is made or an address change occurs on a dynamic interface.

Log & Report

Bug ID          Description
642941          For URLs over 66 characters, the FortiGate replaces remaining characters with dots (.) in the dstname field when forwarded to syslog/FortiAnalyzer.
643840          vwlservice should log the SD-WAN rule and not an internet service; impacts FortiAnalyzer SD-WAN monitor widgets and reports.
645914          Move eventtime field to the beginning of the log to save performance on Splunk or other logging systems.
647741          On FG-60F, logging and FortiCloud reporting incorrect IPv6 bandwidth usage for sessions with NPU offload.
650325          miglogd crashes with signal 11.
651581          FortiGate tried to connect to FortiGate Cloud with the primary IP after reboot, although the secondary IP is the source in the FortiGuard log.
654363          Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode.
658665          Cannot retrieve logs from FortiAnalyzer on non-root VDOM.

Proxy

Bug ID          Description
550350          Should not be able to set inspection-mode proxy with an IPS-enabled-only policy.
579902          Proxy deep inspection fails if the server chooses to sign with ECDSA-SHA1.
619707          When the Kerberos (negotiate without NTLM) authentication method is used for web proxy user authentication, there may be a rare memory leak. Over time, after many users have been authenticated by Kerberos repeatedly, this leak may cause the FortiGate to enter conserve mode.
633108          When the FOH server is disconnected from an HTTP session, the HTTP session client port peer is not cleared. After this, the HTTP client port shutdown causes a crash because the peer port is freed.
638039          Delete validation is not working for Protecting SSL Server profile.
648831          WAD memory leak caused by Kerberos proxy authentication.
653099          Wildcard URL filter in proxy mode with ? and * not always handled properly.
655356, 660857  Proxy deep inspection fails if the server uses TLS 1.3 cookies or record padding.
656830          FortiGate should be in SSL bypass mode for TLS 1.2 certificate inspection with client certificate request.
658654          Cannot access a specific website using proxy-based UTM with certificate inspection due to delays from the server in replying to the ClientHello message when a second connection from the same IP is also waiting for ClientHello.
663088          Application control in Azure fails to detect and block SSH traffic with proxy inspection.
666522, 666686  Proxy mode is blocking web browsing for some websites due to certificate inspection.

Routing

Bug ID          Description
585816          SD-WAN route selection does not use the most specific route in the routing table when selecting the egress path.
613716          Local-out TCP traffic changes output interface when an irrelevant interface is flapping and causes disconnections.
639884          diagnose ip proute match gives wrong result when VRF is configured.
641050          Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.
644461          Unable to redistribute BGP into OSPF based on community (in VRF 0).
649558          ISDB policy routes are not removed when the SD-WAN member is down.
653096          PMTU calculation for VPN interfaces is not working. FortiGate ignores ICMP type 3 code 4 messages and does not update the routing cache.
654482          SD-WAN route tag is removed with multiple BGP paths in place.
655447          BGP prefix lifetime resets every 60 seconds when scanning BGP RIB.
655480          Upgrading to FortiOS 6.4.2 breaks all SD-WAN performance SLAs that use HTTP.
660285          Editing an existing route map rule to add set-weight 0 results in unset set-weight behavior.
660300          Application vwl signal 11 (segmentation fault) received when HA receives 0 bytes of data.
660311          Application vwl signal 6 (aborted) received due to wrong memory allocation for SD-WAN service when creating an ADVPN shortcut.
661769          SD-WAN rule disappears when an SD-WAN member experiences a dynamic change, such as during a dynamic PPPoE interface update.
662655          The OSPF neighborship cannot be established; an MD5 authentication error occurs when the wrong MD5 key is deleted after modifying the key.
662696          If a session is initiated from the server side, SD-WAN application control does not work as expected.
662845          HA secondary also sends SD-WAN sla-fail-log-period to FortiAnalyzer.
663057          IPv6 routing does not work properly in a dual-stack setup.
666829          Application bfdd crashes.
668218          SD-WAN HTTP health check does not work for URLs longer than 35 characters.

Security Fabric

Bug ID          Description
649344          When viewing CSF child Dashboard > WiFi from parent FortiGate, GUI reports, Cannot read property 'spectrum_analysis' of undefined.
652737          FortiGate does not send interface configuration to FortiIPAM.
653368          Root FortiGate fails to load Fabric topology if HA downstream device has a trusted device in both primary and secondary FortiGates.
660250          The ipamd process is causing high memory usage after a few days as the JSON was not freed.
662128          Security Rating Summary trigger is not available in multi-VDOM mode.

SSL VPN

Bug ID          Description
548599          SSL VPN crashes on parsing some special URLs.
613733          Access problem for website.
615453          WebSocket using Socket.IO could not be established through SSL VPN web mode.
620793          A page inside a bookmark not opening in SSL VPN web mode.
620946          All sslvpnd daemons use 99.9% CPU when policy is being updated.
630771          SSL VPN rewrites the URL inside the emails sent in Outlook (webmail).
637217          Internal webpage, di***, is not loading in web mode.
641379          Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal.
642838          Redirected URLs do not work in web mode for am***.com.
645973          Content from internal Microsoft Dynamics CRM cr***.local portal is not loading properly in SSL VPN web mode.
646295          When a DNS domain is configured, NTLM requests for a host-name-only bookmark get no response from the server.
647202          fas crashes when using FortiToken Cloud to access SSL VPN tunnel.
648433          Internal website loading issue in SSL VPN web portal for ca***.fr.
649130          SSL VPN log entries display users from other VDOMs.
651942          For RADIUS server, all-usergroup does not work if the same remote user is created but not used by SSL VPN.
652060          BMC Remedy Mid Tier 9.1 web app is not displayed properly in SSL VPN web mode.
652070          BMC Remedy Mid Tier 8.1 web application elements are not displayed properly in SSL VPN web mode.
652762          SSL VPN web mode HTTPS bookmark fails to load (times out).
652880          SSL VPN crashes in a scenario where a large number of groups is sent to fnbam for authentication.
653349          SSL VPN web mode not working for Ec***re website.
654534          SAML authentications occurring through SSL VPN web mode are not completing.
655374          SSL VPN web portal bookmark not loading internal web page after login credentials are entered.
656208          Users with explicit web proxy authentication lose their proxy authentication group.
657689          The system allows enabling split tunnel when the SSL VPN policy is configured with destination all. It is not consistent with 5.6.x and 6.0.x.
657890          Internal website, https://*.da***.cz, is not working correctly in SSL VPN web mode due to source link error.
658036          When adding an FTP link to download FortiClient and accessing it through the portal, the colon is dropped from the string.
659234          FortiGate keeps replying to an ARP request for an IP address that was once assigned to an SSL VPN user, who has already disconnected and been deleted.
659312          Unable to load HTTPS bookmark in Safari (TypeError: 'text/html').
659481          Internal websites not displayed successfully in SSL VPN web portal.
661372          SSL VPN incorrectly rewrites the script URL.
661835          ASUS ASMB9-iKVM application shows blank page in SSL VPN web mode.
662042          The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.
663298          The internal website is not working properly using SSL VPN.
663433          SSL VPN web mode cannot open DFS shared subdirectories, get Invalid HTTP request error as sslvpnd adds NT.
664121          SCM VPN disconnects when performing an SVN checkout.
664804          User cannot use column header for data sorting (bookmark issue).
665879          When sslvpn processes an HTTP/HTTPS response with content disposition, it changes the response body because the content type is HTML.
666194          WALLIX Manager GUI interface is not loading through SSL VPN web mode.

Switch Controller

Bug ID          Description
649913          HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.
652745          Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber.

System

Bug ID          Description
581496          FG-201E stops sending out packets and NP6lite is stuck.
582536          Link monitor behavior is different between FGCP and SLBC clusters.
585882          Error in log, msg="Interface 12345678001-ext:64 not found in the list!", while creating a long name VDOM in FG-SVM.
594577          Out-of-order packets for an offloaded multicast stream.
598464          Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.
603194          NP multicast session remains after the kernel session is deleted.
609660          With NPU offloading enabled, traffic from the IPsec VPN tunnel remote gateway is dropped.
627236          TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.
627269          Wildcard FQDN not resolved on the secondary unit.
630146          FG-100F memory configuration check.
631132          Symantec connector does not work if the management VDOM is not the root VDOM and the root VDOM has no network connection.
631296          Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency.
631689          FG-100F cannot forward fragmented packets between hardware switch ports.
633827          Errors during fuzzy tests on FG-1500D.
636999          LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.
637014          FortiGate in LENC mode unable to pass firmware signature verification and shows as uncertified after GUI upgrade.
637983          FG-100F memory configuration check fails because of wrong threshold.
642005          FortiGate does not send service-account-id to FortiManager via fgfm tunnel when FortiCloud is activated directly on the FortiGate.
642327          FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on a redundant interface with a non-NPU port.
642958          FG-80E terminates the firewall session abruptly when end users download large files.
644380          FG-40F/60F kernel panic if upgrading from 6.4.0 due to the configuration file having a name conflict of fortilink as both aggregate interface and virtual switch name.
645723          Cannot set overlap IP on global level if allow-subnet-overlap on management VDOM is disabled.
648014, 661784  FortiDDNS is unable to update the renewed public IP address to the FortiGuard server in some error conditions.
648083          cmdbsvr may crash with signal 11 (segmentation fault) when frequently changing firewall policies.
650878          DHCP relay will honor the broadcast flag set to 0 (unicast) in only one VDOM at a time in a multi-VDOM environment.
653289          FortiExtender virtual interface cannot get IP after rebooting the system.
654159          NP6Xlite traffic not sent over the tunnel when NPU is enabled.
654624          Error message shown (get_ha_sync_obj_sig_4dir delete broken symbolic link /etc/cert/ca/5c44d531.0) when upgrading from 6.4.1.
656412          The interface speed setting should be kept after deleting the virtual switch.
656504          Kernel panic happened on FWF-61F and FWF-40F.
657632          IPv6 passes through the DNS filter with application control enabled.
659539          FortiGate running 6.4.2 GA cannot validate license via FortiManager due to FortiManager hardware missing Fortinet_CA2 and Fortinet_SUBCA2001.
662208          Configuration changes take a long time and cmdbsrv processes use up to 100% CPU.
662239          FGR-60F-3G4G hardware switch span does not work.
663603          The maximum number of IPS supported by each NTurbo load balancer should be 7 instead of 8 on FG-3300E and FG-3301E.
663815          Low IPS HTTP throughput on SoC4 platforms.
665000          HA LED off issue on FG-1100E/1101E models.

Upgrade

Bug ID          Description
646877          FortiOS allows the elimination of interfaces, although it still has a VIP reference used in firewall policies.
656869          FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0.
                Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration.

User & Authentication

Bug ID          Description
643191          FSSO TS-Agent is not working properly when FortiGates use NGFW policy-based mode.
655422          A space after a comma within the CN is incorrectly removed during the bind request, causing authentication failure (LDAP).
656118          Password displayed as clear text in FortiManager installation log when resetting the system admin user password via FortiManager.
658228          The authd and foauthd processes may crash due to crypto functions being set twice.
658794          FortiGate sent the CSR certificate instead of the signed certificate to FortiManager when retrieve is performed.
659456          REST API authentication fails for API user with PKI group enabled due to fnbamd crash.
662391          Persistent sessions for de-authenticated FSSO users.
663399          interface-select-method not working for RADIUS configuration.

VM

Bug ID          Description
637376          In FG-VM64-HV, 802.1Q does not work on interfaces with DPDK enabled.
640532          ESXi 6.0 gets Kernel panic - not syncing: Attempted to kill init! message.
645798          In FG-VM64-HV, portX: can not set mac address(16). error displayed in console after HA is enabled and all interfaces lose connections.
647800          Merge FIPS ciphers to 6.4.3 and 7.0 trunk (visible to AWS and Azure only).
652416          AWS Fabric connector always uses root VDOM even though it is not a management VDOM.
657785          On FG-AWS, changing health check protocol to tcp-connect causes kernel panic and reboot.
662969          Azure SDN connector filter count is not showing a stable value.
663276          After cloning the OCI instance, the OCID does not refresh to the new OCID.
663487          Should add router policy in vdom-exception list.
664312          Support vfNIC driving for Broadcom 100G NIC.
668131          EIP is not updating properly on FG-VM Azure.
670166          FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5.

Web Filter

Bug ID          Description
587018          Add URL flow filter counters to SNMP.
610553          User browser gets URL block page instead of warning page when using HTTPS IP URL.
650916          Loopback interface as source IP is not getting applied to FortiGuard web filter rating.
654160          Web filter profile count decreased after upgrading to 6.4.0 on FG-100F.
654675          Unable to get complete output of diagnose test application ipsufd 1.
655972          Custom category action set to allow in web filter profile causes the URL to use the FortiGuard category rather than the custom category.
661713          Global web filter profile is not applied after changes to allowed/blocked categories.

WiFi Controller

Bug ID          Description
609549          In the CLI, the WTP profile for radio-2 802.11ac and 80 MHz channels does not match the syntax collection files.
647703          HTTPS server certificate is not presented when the WiFi controller feature is disabled in Feature Visibility.
655689          Wireless hostapd daemon crashes upon WPA3-SAE connection.
656804          Spectrum analysis disable/enable command removed in CLI from wtp-profile, causing a bottleneck for APs such as FAP-222C/223C at 100% CPU.
657391          FG-600E has cw_acd crash with *** signal 8 (Floating point exception) received *** in 6.2.4.
660991          FAP-U431F cannot view which channel is operating, and the override channel setting must be unset to change to a different channel.
665766          Client failed to connect to SSID with WPA2-Enterprise and user group authentication.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID          CVE references
649193          FortiOS 6.4.3 is no longer vulnerable to the following CVE references:
                  • CVE-2020-9497
                  • CVE-2020-9498


657322

For AV profiles, the outbreak-prevention setting on enabled protocols is not automatically configured when enabling Use External Malware Block List.

657545

Enabling the Dynamic Gateway toggle for a static route fails without warning when the configuration is incorrect.

661582

Date/Time filter does not work on FortiGate Cloud logs.

663737

Re-add the FortiView facets filtering bar to full screen or standalone mode.

663818

When filtering log view entries by IP address range, entries higher than the upper limit of the range are shown.

663956

Unable to load web CLI console for LDAP admin with a login name that contains a space.

668646

FortiSwitch topology is not shown on Managed FortiSwitch page topology view.

HA

Bug ID

Description

421335

A one-time hasync crash occurs when running HA scripts for FIPS-CC.

583059

In Hyper-V HA, CLI will falsely report can not set mac address when MAC address is set.

637711

CSR on cluster primary is generating out-of-sync alerts on secondary and tertiary units.

640327

Duplicate logs are created by both primary and secondary devices for IPsec VPN.

643958

Inconsistent data from FFDB caused several confsyncd crashes.

647679

Inconsistent values for HA cluster inside the SNMP.

651177

When secondary device reboots, it adds an interface to the virtual switch. Secondary cannot synchronize after it starts, as that interface disappears in system interface and virtual-switch.

651674

Long sessions lost on new primary after HA failover.

654341

A newly joined secondary chassis fails to sync when the primary chassis has 6K policies in one VDOM.

656099

The mgmt interfaces are excluded for heartbeat interfaces (even if dedicate-mgmt is not enabled).

657376

VLAN interfaces created on a different virtual cluster primary instead of the root primary do not sync.

662893

HA cluster goes out of sync if SAML SSO admin logs in to the device.

Intrusion Prevention

Bug ID

Description

655371

Logging is intermittent for FortiGate IDS passive in one-armed sniffer mode.

660111

SSL VPN web mode IPS detection with HTTP does not work, even though it works with HTTPS.

IPsec VPN

Bug ID

Description

592361

Cannot pass traffic over ADVPN if: tunnel-search is set to nexthop, net-device disable, mode-cfg enable, and add-route disable.

614483

Add IKEv2 phase 2 initiator traffic selector narrowing for Cisco compatibility.

638352

In extreme situations when thousands of tunnels are negotiating simultaneously (IKEv2), iked process gets exhausted and stuck.

638573

FortiGate is not deleting the shortcut tunnel for ISPA (primary ISP) when ISPA is down.

639806

User name log empty when IPsec dialup IKEv2 has client RSA certificate with empty subject.

646012

DHCP over IPsec works only intermittently when net-device is disabled.

647285

IKE HA sync IPsec SA fails on receiver when ESP null crypto algorithm is used.

650599

IKE HA sync truncates phase 2 option flags after the first eight bits.

655739

local-gw is replaced with primary IP on a secondary device when the secondary IP is used as a local-gw.

659535

Setting same phase1-interface in SD-WAN member and SD-WAN zone causes iked watchdog timeout.

660472

Could not locate phase 1 configuration for IPv6 dialup IPsec VPN.

666693

If NAT-T IP changes, the dynamic IPsec spoke add route entry is stuck on hub.

668554

Upon upgrading to FortiOS 6.4.2, a device with IPsec configured may experience IKE process crashes when any configuration change is made or an address change occurs on a dynamic interface.

Log & Report

Bug ID

Description

642941

For URLs over 66 characters, the FortiGate replaces remaining characters with dots (.) in dstname field when forwarded to syslog/FortiAnalyzer.

643840

vwlservice should log the SD-WAN rule and not an internet service; impacts FortiAnalyzer SD-WAN monitor widgets and reports.

645914

Move eventtime field to the beginning of the log to save performance on Splunk or other logging systems.

647741

On FG-60F, logging and FortiCloud report incorrect IPv6 bandwidth usage for sessions with NPU offload.

650325

miglogd crashes with signal 11.

651581

FortiGate tried to connect to FortiGate Cloud with the primary IP after reboot, although the secondary IP is the source in the FortiGuard log.

654363

Traffic log shows Policy violation for traffic hitting the allow policy in NGFW policy mode.

658665

Cannot retrieve logs from FortiAnalyzer on non-root VDOM.

Proxy

Bug ID

Description

550350

It should not be possible to set inspection-mode proxy on a policy that has only IPS enabled.

579902

Proxy deep inspection fails if server chooses to sign with ECDSA-SHA1.

619707

When the Kerberos (negotiate without NTLM) authentication method is used for web proxy user authentication, a rare memory leak may occur. Once it occurs, and after many users have been authenticated by Kerberos repeatedly over time, the leak may eventually cause the FortiGate to enter conserve mode.

633108

When the FOH server is disconnected from an HTTP session, the HTTP session client port peer is not cleared. After this, shutting down the HTTP client port causes a crash because the peer port has already been freed.

638039

Delete validation is not working for Protecting SSL Server profile.

648831

WAD memory leak caused by Kerberos proxy authentication.

653099

Wildcard URL filters in proxy mode containing ? and * are not always handled properly.

655356, 660857

Proxy deep inspection fails if server uses TLS 1.3 cookies or record padding.

656830

FortiGate should be in SSL bypass mode for TLS 1.2 certificate inspection with client certificate request.

658654

Cannot access a specific website using proxy-based UTM with certificate inspection due to delays from the server in replying to the ClientHello message when a second connection from the same IP is also waiting for ClientHello.

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

666522, 666686

Proxy mode is blocking web browsing for some websites due to certificate inspection.

Routing

Bug ID

Description

585816

SD-WAN route selection does not use the most specific route in the routing table when selecting the egress path.

613716

Local-out TCP traffic changes output interface when irrelevant interface is flapping and causes disconnections.

639884

diagnose ip proute match gives a wrong result when VRF is configured.

641050

Need support for SSL VPN web mode traffic to follow SD-WAN rules/policy route.

644461

Unable to redistribute BGP into OSPF based on community (in VRF 0).

649558

ISDB policy routes are not removed when the SD-WAN member is down.

653096

PMTU calculation for VPN interfaces is not working. FortiGate ignores ICMP type 3 code 4 messages and does not update the routing cache.

654482

SD-WAN route tag is removed with multiple BGP paths in place.

655447

BGP prefix lifetime resets every 60 seconds when scanning BGP RIB.

655480

Upgrading to FortiOS 6.4.2 breaks all SD-WAN performance SLAs that use HTTP.

660285

Editing an existing route map rule to add set-weight 0 results in unset set-weight behavior.

660300

Application vwl signal 11 (segmentation fault) received when HA receives 0 bytes of data.

660311

Application vwl signal 6 (aborted) received due to wrong memory allocation for SD-WAN service when creating an ADVPN shortcut.

661769

SD-WAN rule disappears when an SD-WAN member experiences a dynamic change, such as during a dynamic PPPoE interface update.

662655

The OSPF neighborship cannot be established, and an MD5 authentication error is reported, when the wrong MD5 key is deleted after modifying the key.

662696

If a session is initiated from the server side, SD-WAN application control does not work as expected.

662845

HA secondary also sends SD-WAN sla-fail-log-period to FortiAnalyzer.

663057

IPv6 routing does not work properly in a dual-stack setup.

666829

Application bfdd crashes.

668218

SD-WAN HTTP health check does not work for URLs longer than 35 characters.

Security Fabric

Bug ID

Description

649344

When viewing CSF child Dashboard > WiFi from parent FortiGate, GUI reports, Cannot read property 'spectrum_analysis' of undefined.

652737

FortiGate does not send interface configuration to FortiIPAM.

653368

Root FortiGate fails to load Fabric topology if HA downstream device has a trusted device in both primary and secondary FortiGates.

660250

The ipamd process is causing high memory usage after a few days as the JSON was not freed.

662128

Security Rating Summary trigger is not available in multi-VDOM mode.

SSL VPN

Bug ID

Description

548599

SSL VPN crashes on parsing some special URLs.

613733

Access problem for website.

615453

WebSocket using Socket.IO could not be established through SSL VPN web mode.

620793

A page inside a bookmark does not open in SSL VPN web mode.

620946

All sslvpnd daemons use 99.9% CPU when policy is being updated.

630771

SSL VPN rewrites the URL inside the emails sent in Outlook (webmail).

637217

Internal webpage, di***, is not loading in web mode.

641379

Internal SharePoint 2019 website cannot be accessed in SSL VPN web portal.

642838

Redirected URLs do not work in web mode for am***.com.

645973

Content from internal Microsoft Dynamics CRM cr***.local portal is not loading properly in SSL VPN web mode.

646295

When a DNS domain is configured, NTLM requests for a host name-only bookmark do not get a response from the server.

647202

fas crashes when using FortiToken Cloud to access SSL VPN tunnel.

648433

Internal website loading issue in SSL VPN web portal for ca***.fr.

649130

SSL VPN log entries display users from other VDOMs.

651942

For a RADIUS server, all-usergroup does not work if a remote user with the same name exists but is not used by SSL VPN.

652060

BMC Remedy Mid Tier 9.1 web app is not displayed properly in SSL VPN web mode.

652070

BMC Remedy Mid Tier 8.1 web application elements are not displayed properly in SSL VPN web mode.

652762

SSL VPN web mode HTTPS bookmark fails to load (times out).

652880

SSL VPN crashes in a scenario where a large number of groups is sent to fnbam for authentication.

653349

SSL VPN web mode not working for Ec***re website.

654534

SAML authentications occurring through SSL VPN web mode are not completing.

655374

SSL VPN web portal bookmark not loading internal web page after login credentials are entered.

656208

Users with explicit web proxy authentication lose their proxy authentication group.

657689

The system allows enabling split tunnel when the SSL VPN policy is configured with destination all. It is not consistent with 5.6.x and 6.0.x.

657890

Internal website, https://*.da***.cz, is not working correctly in SSL VPN web mode due to source link error.

658036

When adding an FTP link to download FortiClient and accessing it through the portal, the colon is dropped from the string.

659234

FortiGate keeps replying to an ARP request for an IP address that was once assigned to an SSL VPN user, who has already disconnected and been deleted.

659312

Unable to load HTTPS bookmark in Safari (TypeError: 'text/html').

659481

Internal websites not displayed successfully in SSL VPN web portal.

661372

SSL VPN incorrectly rewrites the script URL.

661835

ASUS ASMB9-iKVM application shows blank page in SSL VPN web mode.

662042

The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.

663298

The internal website is not working properly using SSL VPN.

663433

SSL VPN web mode cannot open DFS shared subdirectories; an Invalid HTTP request error is returned because sslvpnd adds NT.

664121

SCM VPN disconnects when performing an SVN checkout.

664804

User cannot use column header for data sorting (bookmark issue).

665879

When sslvpn processes the HTTP/HTTPS response with content disposition, it will change the response body since the content type is HTML.

666194

WALLIX Manager GUI interface is not loading through SSL VPN web mode.

Switch Controller

Bug ID

Description

649913

HA cluster not synchronizing when configuring an active LACP with MCLAG via FortiManager.

652745

Compatibility issues with FortiGate in 6.0 branch and FortiSwitch 424E-Fiber.

System

Bug ID

Description

581496

FG-201E stops sending out packets and NP6lite is stuck.

582536

Link monitor behavior is different between FGCP and SLBC clusters.

585882

Error in log, msg="Interface 12345678001-ext:64 not found in the list!", while creating a long name VDOM in FG-SVM.

594577

Out-of-order packets for an offloaded multicast stream.

598464

Rebooting FG-1500D in 5.6.x during upgrade causes an L2 loop on the heartbeat interface and VLAN is disabled on the switch side.

603194

NP multicast session remains after the kernel session is deleted.

609660

With NPU offloading enabled, traffic from the IPsec VPN tunnel remote gateway is dropped.

627236

TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.

627269

Wildcard FQDN not resolved on the secondary unit.

630146

FG-100F memory configuration check.

631132

Symantec connector does not work if the management VDOM is not the root VDOM and the root VDOM has no network connection.

631296

Forward or local bi-directional traffic from NPU inter-VDOM links through separate VDOMs is subject to high latency.

631689

FG-100F cannot forward fragmented packets between hardware switch ports.

633827

Errors during fuzzy tests on FG-1500D.

636999

LTE does not connect after upgrading from 6.2.3 on FG-30E-3G4G models.

637014

FortiGate in LENC mode unable to pass firmware signature verification and shows as uncertified after GUI upgrade.

637983

FG-100F memory configuration check fails because of wrong threshold.

642005

FortiGate does not send service-account-id to FortiManager via fgfm tunnel when FortiCloud is activated directly on the FortiGate.

642327

FortiGate unable to boot with kernel panic by cmdbsvr when VLAN is configured on redundant interface with non-NPU port.

642958

FG-80E terminates the firewall session abruptly when the end-users download large files.

644380

FG-40F/60F kernel panic if upgrading from 6.4.0 due to configuration file having a name conflict of fortilink as both aggregate interface and virtual switch name.

645723

Cannot set overlap IP on global level if allow-subnet-overlap on management VDOM is disabled.

648014, 661784

FortiDDNS is unable to update the renewed public IP address to FortiGuard server in some error conditions.

648083

cmdbsvr may crash with signal 11 (segmentation fault) when frequently changing firewall policies.

650878

DHCP relay will honor the broadcast flag set to 0 (unicast) in only one VDOM at a time in a multi-VDOM environment.

653289

FortiExtender virtual interface cannot get IP after rebooting the system.

654159

NP6Xlite traffic not sent over the tunnel when NPU is enabled.

654624

Error message shown (get_ha_sync_obj_sig_4dir delete broken symbolic link /etc/cert/ca/5c44d531.0) when upgrading from 6.4.1.

656412

The interface speed setting should be kept after deleting the virtual switch.

656504

Kernel panic happened on FWF-61F and FWF-40F.

657632

IPv6 passes through the DNS filter with application control enabled.

659539

FortiGate running 6.4.2 GA cannot validate license via FortiManager due to FortiManager hardware missing Fortinet_CA2 and Fortinet_SUBCA2001.

662208

Configuration changes take a long time and cmdbsvr processes use up to 100% CPU.

662239

FGR-60F-3G4G hardware switch span does not work.

663603

The maximum number of IPS supported by each NTurbo load balancer should be 7 instead of 8 on FG-3300E and FG-3301E.

663815

Low IPS HTTP throughput on SoC4 platforms.

665000

HA LED off issue on FG-1100E/1101E models.

Upgrade

Bug ID

Description

646877

FortiOS allows the deletion of an interface even though a VIP referencing it is still used in firewall policies.

656869

FG-100F/101F may continuously boot upon upgrading from FortiOS 6.4.0.

Workaround: back up the 6.4.0 configuration, perform a clean install via TFTP of FortiOS 6.4.2, and restore the 6.4.0 configuration.

User & Authentication

Bug ID

Description

643191

FSSO TS-Agent is not working properly when FortiGates use NGFW policy-based mode.

655422

A space after a comma within CN is incorrectly removed during the bind request causing authentication failure (LDAP).

656118

Password displayed as clear text in FortiManager installation log when resetting the system admin user password via FortiManager.

658228

The authd and foauthd processes may crash due to crypto functions being set twice.

658794

FortiGate sent CSR certificate instead of signed certificate to FortiManager when retrieve is performed.

659456

REST API authentication fails for API user with PKI group enabled due to fnbamd crash.

662391

Persistent sessions for de-authenticated FSSO users.

663399

interface-select-method not working for RADIUS configuration.

VM

Bug ID

Description

637376

In FG-VM64-HV, 802.1Q does not work on interfaces with DPDK enabled.

640532

ESXi 6.0 gets Kernel panic - not syncing: Attempted to kill init! message.

645798

In FG-VM64-HV, the error portX: can not set mac address(16). is displayed in the console after HA is enabled, and all interfaces lose their connections.

647800

Merge FIPS ciphers to 6.4.3 and 7.0 trunk (visible to AWS and Azure only).

652416

AWS Fabric connector always uses root VDOM even though it is not a management VDOM.

657785

On FG-AWS, changing health check protocol to tcp-connect causes kernel panic and reboot.

662969

Azure SDN connector filter count is not showing a stable value.

663276

After cloning the OCI instance, the OCID does not refresh to the new OCID.

663487

Router policy should be added to the vdom-exception list.

664312

Support the vfNIC driver for Broadcom 100G NIC.

668131

EIP is not updating properly on FG-VM Azure.

670166

FG-VM64-KVM configuration revisions lost after upgrading from 6.2.5.

Web Filter

Bug ID

Description

587018

Add URL flow filter counters to SNMP.

610553

User browser gets URL block page instead of warning page when using HTTPS IP URL.

650916

Loopback interface as source IP is not getting applied to FortiGuard web filter rating.

654160

Web filter profile count decreased after upgrading to 6.4.0 on FG-100F.

654675

Unable to get complete output of diagnose test application ipsufd 1.

655972

Custom category action set to allow in web filter profile causes the URL to use the FortiGuard category rather than the custom category.

661713

Global web filter profile is not applied after changes to allowed/blocked categories.

WiFi Controller

Bug ID

Description

609549

In the CLI, the WTP profile for radio-2 802.11ac and 80 MHz channels does not match the syntax collection files.

647703

HTTPS server certificate is not presented when WiFi controller feature is disabled in Feature Visibility.

655689

Wireless hostapd daemon crashes upon WPA3-SAE connection.

656804

The spectrum analysis disable/enable command was removed from wtp-profile in the CLI, causing a bottleneck for APs such as FAP-222C/223C at 100% CPU.

657391

FG-600E has cw_acd crash with *** signal 8 (Floating point exception) received *** in 6.2.4.

660991

FAP-U431F cannot show which channel is operating, and the override channel setting must be unset to change to a different channel.

665766

Client fails to connect to an SSID with WPA2-Enterprise and user group authentication.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

649193

FortiOS 6.4.3 is no longer vulnerable to the following CVE references:

  • CVE-2020-9497
  • CVE-2020-9498