Fortinet black logo

FortiOS Release Notes

Home FortiGate / FortiOS 6.4.5 FortiOS Release Notes
6.4.5
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.10
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2

Known issues

Known issues

The following issues have been identified in version 6.4.5. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Firewall

Bug ID

Description

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

GUI

Bug ID

Description

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

Workaround: manage the option in the CLI.

697482

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

701742

Items added to Favorites are lost after a logout or reboot.

702065

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

763925

GUI shows user as expired after entering a comment in guest management.

IPsec VPN

Bug ID

Description

691929

When multiple dialup phase 1 gateways are configured on the hub that are nearly identical, when using peer group authentication after fnbam verification, the IKE gateway could switch from one to another even if two gateways have a different network ID.

Log & Report

Bug ID

Description

661040

Cyrillic characters not displayed properly in local reports.

677540

First TCP connection to syslog server is not stable.

Proxy

Bug ID

Description

684168

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

695042

A coding error can cause integer overflow on crafted HTTP requests and read out-of-boundary memory. Sometimes, PCRE match crashes due to this out-of-boundary memory access.

714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

686829

ADVPN and SD-WAN reply direction randomly chooses ECMP path rather than following shortcut.

691687

Return packets are not always sent back through the correct path.

693238

OSPF neighbor cannot form with spoke in ADVPN setup if the interface has a parent link and it is a tunnel.

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

704225, 706448

In some WAD proxy cases, the WAD local session cannot get the SYN-ACK packet.

705470

Reply direction keeps flapping between different tunnels after unrelated FIB update.

706417

FortiGate crashes when doing ping6 on VDOM link interface.

712093

Hub return path does not update after branch SD-WAN SLA failover.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

SSL VPN

Bug ID

Description

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

607565

Interface emac-vlan feature does not work on SoC4 platform.

648085

Link status on peer device is not down when the admin port is down on the FG-500E.

666664

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

672183

UDP 4500 inter-VDOM traffic is not offloaded, causing BFD/IPsec to drop.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

705734

FWF-40F has random kernel panic with 6.4.4 firmware.

Upgrade

Bug ID

Description

725369

After upgrading to 6.4.5, VIP randomly stops working and a find DNAT: IP-0.0.0.0 message appears.

User & Authentication

Bug ID

Description

580391

Unable to create MAC address-based policies in NGFW.

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.

677994

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

698961

FWF-60F/61F and FWF-40F encounters kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

Workaround: disable CAPWAP offloading, then reboot for the change to take effect.

config system npu
    set capwap-offload disable
end

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.
Previous
Next

Known issues

The following issues have been identified in version 6.4.5. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Firewall

Bug ID

Description

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

GUI

Bug ID

Description

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

Workaround: manage the option in the CLI.

697482

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

701742

Items added to Favorites are lost after a logout or reboot.

702065

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

763925

GUI shows user as expired after entering a comment in guest management.

IPsec VPN

Bug ID

Description

691929

When multiple dialup phase 1 gateways are configured on the hub that are nearly identical, when using peer group authentication after fnbam verification, the IKE gateway could switch from one to another even if two gateways have a different network ID.

Log & Report

Bug ID

Description

661040

Cyrillic characters not displayed properly in local reports.

677540

First TCP connection to syslog server is not stable.

Proxy

Bug ID

Description

684168

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

695042

A coding error can cause integer overflow on crafted HTTP requests and read out-of-boundary memory. Sometimes, PCRE match crashes due to this out-of-boundary memory access.

714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

686829

ADVPN and SD-WAN reply direction randomly chooses ECMP path rather than following shortcut.

691687

Return packets are not always sent back through the correct path.

693238

OSPF neighbor cannot form with spoke in ADVPN setup if the interface has a parent link and it is a tunnel.

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

704225, 706448

In some WAD proxy cases, the WAD local session cannot get the SYN-ACK packet.

705470

Reply direction keeps flapping between different tunnels after unrelated FIB update.

706417

FortiGate crashes when doing ping6 on VDOM link interface.

712093

Hub return path does not update after branch SD-WAN SLA failover.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

SSL VPN

Bug ID

Description

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

607565

Interface emac-vlan feature does not work on SoC4 platform.

648085

Link status on peer device is not down when the admin port is down on the FG-500E.

666664

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

672183

UDP 4500 inter-VDOM traffic is not offloaded, causing BFD/IPsec to drop.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

705734

FWF-40F has random kernel panic with 6.4.4 firmware.

Upgrade

Bug ID

Description

725369

After upgrading to 6.4.5, VIP randomly stops working and a find DNAT: IP-0.0.0.0 message appears.

User & Authentication

Bug ID

Description

580391

Unable to create MAC address-based policies in NGFW.

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.

677994

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

698961

FWF-60F/61F and FWF-40F encounters kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

Workaround: disable CAPWAP offloading, then reboot for the change to take effect.

config system npu
    set capwap-offload disable
end

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.
Previous
Next