Resolved issues

The following issues have been fixed in version 6.4.4. To inquire about a particular bug, please contact Customer Service & Support.

DNS Filter

Bug ID

Description

653581

Cannot pass DNS traffic through FortiGate or DNS traffic originated from FortiGate when external blocklist (threat feed) is updated.

Endpoint Control

Bug ID

Description

664654

EMS host tags are not synced with the FortiGate when the user connects to a tunnel mode SSID.

Explicit Proxy

Bug ID

Description

662931

Browsers change default SameSite cookie settings to Lax, and Kerberos authentication does not work in transparent proxy.

664548

When the FortiGate is configured as an explicit proxy and AV is enabled on the proxy policy, users cannot access certain FTP sites.

File Filter

Bug ID

Description

676485

File filter rule set with the msc file type was removed after upgrading.

Firewall

Bug ID

Description

651321

sflowd is crashing due to invalid custom application category.

653828

When web filter and application control are configured, blocked sessions to play.google.com remain in the session table for 3600 seconds.

661777

Source NAT port reuses ports too quickly, and GCP/API fails to establish due to endpoint independence conflict.

665739

HTTP host virtual server does not work well when real server has the same IP but a different port.

666612

Get internet service name configuration error on version 7.01011 when FortiGate reboots or upgrades.

667696

Reputation settings in policies are not working when reputation-minimum is set, and no source or destination address is set.

669665

All ISDB groups are lost when upgrading from 6.2.5 to 6.4.2.

FortiView

Bug ID

Description

683627

FortiView does not display any data when FortiAnalyzer Cloud is the data source.

GUI

Bug ID

Description

490396

Account profile permission override and RADIUS VDOM override features do not work with two-factor authentication for remote admin login via GUI. The feature still works when the admin login is via SSH.

567996

Managed FortiSwitch and FortiSwitch Ports pages cannot load when there is a large number of managed FortiSwitches.

650708

When the client browser is in a different time zone from the FortiGate, the Guest Management page displays an incorrect expiry time for guest users. The CLI returns the correct expiry.

652394

GUI cannot change action for the web-based email category in DNS filter profile.

662873

Editing the LDAP server in the GUI removes the line set server-identity-check disable from the configuration.

663351

Connectivity test for RADIUS server using CHAP authentication always returns failure.

665444

Log Details does not resize the log columns and covers existing log columns.

666500

The Confirm version downgrade warning message is not displayed when a user downgrades firmware between minor patch release versions using the manual upload option. Firmware downgrades from FortiGuard do not have this issue.

668020

Disclaimer users are not shown in the user monitor; they must be displayed in the CLI with diagnose firewall auth list.

672906

GUI does not redirect to the system reboot progress page after successfully restoring a configuration.

675170

The Applications and Destinations tabs on the Diagnostic and Tools pane show the same data for different clients on the WiFi Clients monitor page.

680541

When accessing FortiView > Compromised Hosts, users are unable to drill down when the logtype_mask filter is specified.

HA

Bug ID

Description

615001

LAG does not come up after link failed signal is triggered.

650624

HA GARP sending was delayed due to lots of transceiver reading.

653095

Inband management IP connection breaks when failover occurs (only in virtual cluster setup).

677246

Unable to contact TACACS+ server when using HA dedicated management interface in 6.4.3.

Intrusion Prevention

Bug ID

Description

671322

IPS engine reloads, or FortiGate reboots and displays CMDB __bsearch_index() duplicate value insertion errors.

IPsec VPN

Bug ID

Description

566076

IKED process signal 11 crash in an ADVPN and BGP scenario.

663126

Packets for the existing session are still forwarded via the old tunnel after the routing changed on the ADVPN hub.

663648

BGP over dynamic IPsec VPN tunnel with net-device enable not passing through traffic after rebooting.

667129

In ADVPN with SLA mode, traffic does not switch back to the lowest cost link after its recovery.

673258

FortiGate to Cisco IKEv2 tunnel randomly disconnects after rekey.

Log & Report

Bug ID

Description

587916

Logs for local-out DNS query timeout should not be in the DNS filter UTM log category.

670741

Unable to configure syslog filter data size more than 512 characters.

Proxy

Bug ID

Description

657905

Firewall policy with UTM in proxy mode breaks SSL connections in active-active cluster.

661063

If a client sends an RST to a WAD proxy, the proxy can close the connection to the server. In this case, the relatively long session expiration (which is usually 120 seconds by default) could lead to session number spikes in some tests.

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

628896

DHCP relay does not match the SD-WAN policy route.

653096

PMTU calculation for VPN interfaces is not working. FortiGate ignores ICMP type 3 code 4 messages and does not update the routing cache.

654032

SD-WAN IPv6 route tag command is not available in the SD-WAN services.

659409

FortiGate blocks IPv6 but allows IPv4 for traffic that looks asymmetric when asymroute is disabled.

663396

SD-WAN route changes and packet drops during HTTP communication, even though preserve-session-route is enabled.

667469

SD-WAN members and OIFs keep reordering despite the health check status being stable in an HA setup.

668982

Possible memory leak when BGP table version increases.

669380

Router daemons get stuck after rebooting when executing get router info routing-table all.

670017

FortiGate as first hop router sometimes does not send register messages to the RP.

673603

Only the interface IP in the management VDOM can be specified as the health check source IP.

675442

Weight-based load-balance algorithm causes local-in reply traffic egress from wrong interface.

676685

VRRP does not consider VRF when looking up destination in routing table.

Security Fabric

Bug ID

Description

660624

FortiAnalyzer Cloud should be taken into consideration when doing CLI check for CSF setting.

666242

Automation stitch CLI scripts fail with greater than 255 characters; up to 1023 characters should be supported.

669436

Filter lookup for Azure connector in Subnet and Virtual Network sections only shows results for VMSS instance.

SSL VPN

Bug ID

Description

586035

The policy script-src 'self' will block the SSL VPN proxy URL.

615453

WebSocket using Socket.IO could not be established through SSL VPN web mode.

646339

SSL-SSH inspection profile changes to no-inspection after device reboots.

653349

SSL VPN web mode not working for Ec***re website.

661290

https://mo***.be site is non-accessible in SSL VPN web mode.

662871

SSL VPN web mode has problem accessing some pages on FortiAnalyzer 6.2.

664276

SSL VPN host check validation not working for SAML user.

665330

SDT application can no longer load secondary menu elements in SSL VPN web mode.

665408

Occasionally, 2FA SSL VPN users are unable to log in when two remote authentication servers with the same IP are used.

666855

FortiOS supports verifying client certificates with RSA-PSS series of signature algorithms, which causes problems with certain clients.

667780

Policy check cache should include user or group information.

667828

SSL VPN web mode authentication problem when accessing li***.com.

668574

Unable to load a video in SSL VPN web mode.

669144

HTTPS access to ERP Sage X3 through web mode fails.

669497

Cannot view TIFF files in SSL VPN web mode.

669685

Split tunneling is not adding FQDN addresses to the routes.

669707

The jstor.org webpage is not loading via SSL VPN bookmark.

670042

Internal website, http://si***.ar, does not load a report over SSL VPN web portal.

670803

Internal website, http://gd***.local/share/page?pt=login, log in page does not load in SSL VPN web mode.

675878

When matching multiple SSL VPN firewall policies, SSL VPN checks the group list from bottom to top, and the user is mapped to the incorrect portal.

676345

SSL VPN web mode is unable to open some webpages on the internal site, https://vi***.se, portal.

677167

SSL VPN web mode has problem accessing Sapepronto server.

Switch Controller

Bug ID

Description

671135

flcfg crashes while configuring FortiSwitches through FortiLink.

System

Bug ID

Description

521213

Read-only administrators should be able to run diagnose sniffer packet command.

606360

HQIP loopback test failed with configured software switch.

627236

TCP traffic disruption when traffic shaper takes effect with NP offloading enabled.

630861

Support FortiManager when private-data-encryption is enabled in FortiOS.

634202

STP does not work in transparent mode.

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

651420

Fixed interface-based traffic shaping performance degradation issue by enabling NP offloading.

657629

ARM-based platforms do not have sensor readings included in SNMP MIBs.

660709

The sflowd process has high CPU usage when application control is enabled.

662681

Policy package push from FortiManager fails the first time, and succeeds the second time if it is blank or has no changes.

662687

Asynchronous SDK call may take a long time and cause HA A-P to have Kernel panic - not syncing error.

663083

Offloaded traffic from IPsec crossing the NPU VDOM link is dropped.

664268

No filename setting on BOOTP response when option 67 is set on the DHCP server.

664478

Kernel crash caused by race condition on vlif access.

666030

Empty firewall objects after pushing several policy deletes.

666205

High CPU on L2TP process caused by loop.

666852

FortiGate local-out system DNS traffic for host names lookup continuously generates timeout DNS log if the primary server cannot resolve them.

668217

Space character in table name caused FortiManager retrieve to fail.

668410

NP6lite SoC3 adapter drops packets after handed from kernel.

670838

It takes a long time to set the member of a firewall address group when the member size is large. In the GUI, cmdbsvr memory usage goes to 100%. In the CLI, newcli memory usage goes to 100%.

672011

LTE DHCP IP addressing not installed in the routing table.

673263

High memory issue is caused by heavy traffic on the VDOM link.

673918

Read-only administrator with packet capture read-write permission cannot run diagnose sniffer command.

675418

FortiManager CLI script for 2FA FortiToken mobile push does not trigger activation code email.

User & Authentication

Bug ID

Description

643583

radius-vdom-override and accprofile-override do not work when administrator has 2FA enabled.

658794

FortiGate sent CSR certificate instead of signed certificate to FortiManager when retrieve is performed.

663685

The authd process truncates user names to a length of 35 characters (this breaks RADIUS accounting and logging for very long user names).

665391

The authd process gets stuck with high CPU due to slow route lookup when the routing table is big. FSSO stops processing new authentication events.

666268

The authd process may crash if the FSSO server connection is disconnected.

VM

Bug ID

Description

641038

SSL VPN performance problem on OCI due to driver.

656701

FG-VMX service manager enters conserve mode; cmdbsvr has high memory utilization.

659333

Slow route change for HA failover in GCP cloud.

669822

Hot adding multiple CPUs at once to Xen-flavored VMs can result in a kernel panic crash.

671279

FG-VM64-AZURE-PAYG license/serial number get lost after downgrading to 6.2.6 from 6.4.3.

672312

Azure SDN connector does not offer all service tags.

WiFi Controller

Bug ID

Description

643854

Client traffic was dropped by CAPWAP offloading when it connected from a mesh leaf Forti-AP managed by a FWF-61F local radio.

672920

CAPWAP tunnel traffic is dropped when offloading is enabled (with FAP managed by a VLAN interface).

673211

CAPWAP traffic drops on FG-300E when FortiAP is managed by VLAN interface.

674342

The cw_acd crashes after upgrading to 6.4.3 at cwAcLocal.

680503

The current Fortinet_Wifi certificate will expire on 2021-02-11.
