Known issues

The following issues have been identified in version 6.4.4. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID    Description
752420    If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Explicit Proxy

Bug ID    Description
664380    When configuring explicit proxy with a forward server, if ssl-ssh-profile is enabled in the proxy-policy, WAD is unable to learn the destination type correctly, so the destination port is set to 0; the squid proxy server does not accept the request and returns an error.

Firewall

Bug ID    Description
654356    In NGFW policy mode, sessions are not re-validated when security policies are changed.
          Workaround: clear the session after policy change.
675353    Security policy (NGFW mode) flow-based UTM logs are still generated when policy traffic log is disabled.

FortiView

Bug ID    Description
621453    FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.
673478    Some FortiView graphs and drilldown views show empty data due to a filtering issue. Affected graphs/views: Top System Events, Top Authentication Failures, Policy View, and Compromised Host View.
683413    Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled.
          Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats - WAN, and Top Vulnerable Endpoint Devices.
683654    FortiView pages with a FortiAnalyzer source incorrectly display a "Failed to retrieve data" error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. This error should only show on the new VDOM view.

GUI

Bug ID    Description
602102    Warning message is not displayed when a user configures an interface with a static IP address that is already in use.
602397    Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.
652522    When performed from the primary FortiGate, using the GUI to change a firewall policy action from accept to deny does not disable the IP pool setting, causing the HA cluster to be out of sync. Updating the policy via the CLI does not have this issue.
656668    On the System > HA page, the GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address.
664007    GUI incorrectly displays the warning "Botnet package update unavailable, AntiVirus subscription not found." when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.
665111    There is no way to add a line break when using the GUI to edit the replacement message for pre_admin-disclaimer-text. One must use the CLI with the Shift + Enter keys to insert a line break.
665712    When multiple favorite menus are configured, the new features video pops up after each GUI login, even though the user previously selected Don't show again.
666999    When editing the Poll Active Directory Server page, the configured LDAP server saved in FSSO polling is not displayed. Users must use the CLI to modify the setting.
668470    FortiGuard DDNS setting incorrectly displays a truncated unique location and an empty server selection after saving changes.
672599    After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.
673496    When editing phase 2 configurations, clicking Complete Section results in a red highlight around the phase 2 configuration GUI box, and users cannot click OK to save configuration changes.
676165    Script pushed from FortiManager 6.4.2 to FortiOS 6.4.2 to add address objects and an address group only pushes the address group.
680805    The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.
682008    On the SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing a domain name for the VPN gateway.
682440    On the Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.
688016    GUI interface bandwidth widget does not show correct data for a tunnel interface when ASIC offload is enabled on the firewall policy.
688076    Firewall Address and Service pages cannot load on a downstream FortiGate if Fabric Synchronization is enabled but the downstream FortiGate cannot reach the root FortiGate.
688994    The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.
689605    On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.
699508    When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.
702065    After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

HA

Bug ID    Description
678309    Cluster is out of sync because of config vpn certificate ca after upgrade.

Intrusion Prevention

Bug ID    Description
654307    Incorrect direction and banned location by quarantine action for the ICMP.Oversized.Packet signature in NGFW policy mode.
668631    IPS is constantly crashing, and ipshelper has high CPU when the IPS extended database has too many rules (more than 256) sharing the same pattern. Affected models: SoC3-based FortiGates.
          Workaround: disable CP or disable the extended database.
              config ips global
                  set database regular
                  set cp-accel-mode none
              end

IPsec VPN

Bug ID    Description
652774    OCVPN spoke-to-spoke communication intermittently fails with a mixed topology where some spokes have two ISPs and some have one, but the hubs have two.
655895    Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).
682374    Traffic logs are not forwarded correctly to the syslog server in CEF format.
687749    iked HA sync crashed on the secondary with an authenticated user group in the firewall policy. Affected models: all except NP7 platforms (FG-180xF, FG-260xF, FG-420xF, FG-440xF).

Log & Report

Bug ID    Description
661040    Cyrillic characters are not displayed properly in local reports.
667274    FortiGate does not have a log disk auto scan failure status log.
675347    When searching for some rarely-found logs within a large volume of logs, there is a long period of time before the results are returned. During the waiting period, if any new requests arrive, the old search session cannot be cleared. There is then a risk that multiple processes exist together, which may cause performance issues.
677540    First TCP connection to the syslog server is not stable.

Proxy

Bug ID    Description
658257    StartTLS-SMTP traffic gets blocked by the firewall when certificate inspection (proxy mode) and the IPS sensor are enabled in a policy.
675525    No WAD sessions are displayed when running diagnose wad filter.
680651    Memory leak when retrieving the thumbnailPhoto information from the LDAP server.
684168    WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

Routing

Bug ID    Description
687034    bgpd memory leak if running BGP on 6.2.7 and 6.4.4.
          Workaround: enable SD-WAN to avoid the BGP memory leak.
          In 6.4:
              config system sdwan
                  set status enable
              end
          In 6.2:
              config system virtual-wan-link
                  set status enable
              end
693238    OSPF neighbor cannot form with a spoke in an ADVPN setup if the interface has a parent link and it is a tunnel.

Security Fabric

Bug ID    Description
614691    Slow GUI performance in a large Fabric topology with over 50 downstream devices.

SSL VPN

Bug ID    Description
684012    SSL VPN crashed with signal 11 (segmentation fault) in uri_search because of rules set for a special case.

System

Bug ID    Description
607565    Interface emac-vlan feature does not work on the SoC4 platform.
648085    Link status on the peer device is not down when the admin port is down on the FG-500E.
649937    The diagnose geoip geoip-query command fails when fortiguard-anycast is disabled.
651103    FG-101F crashed and rebooted when adding a vlan-protocol 8021ad VLAN.
666664    Interfaces belonging to other VDOMs should be removed from the interface list when configuring a GENEVE interface.
672183    UDP 4500 inter-VDOM traffic is not offloaded, causing BFD/IPsec to drop.
675508    When provisioning FortiGate and FortiSwitch with enforced 6.4.2 firmware in FortiManager, the physical port for FortiLink is down and cannot connect to the FortiSwitch.
685674    FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.
705734    FWF-40F has random kernel panic with 6.4.4 firmware.

User & Authentication

Bug ID    Description
682394    FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to the FSSO endpoint.

VM

Bug ID    Description
596742    Azure SDN connector replicates configuration from the primary device to the secondary device during configuration restore.
617046    FG-VMX manager is not showing all the nodes deployed.
639258    Autoscale GCP health check is not successful (port 8443 HTTPS).
668625    During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.
682420    Dialup IPsec tunnel from Azure may not be re-established after HA failover.
722290    Azure slow path NetVSC SoftNIC has stuck RX.
          If using an IPsec tunnel, use UDP/4500 for the ESP protocol (instead of IP/50) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.
          If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

Web Filter

Bug ID    Description
675436    YouTube channel home page on the blocklist is not blocked when directed from a YouTube search result.

WiFi Controller

Bug ID    Description
662714    The security-redirect-url setting is missing when the portal-type is auth-mac.
677994    Newly discovered and authorized FortiAP will cause an HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and the band will be unset.
