
FortiGate-6000 and FortiGate-7000 Release Notes

Known issues

The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.4.6 Build 1783. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.4.6 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.4.6 Build 1783.

Bug ID    Description

647254, 716930, 748532

After an HA failover, routes are sometimes not successfully synchronized to all FPCs or FPMs of the new primary FortiGate-6000 or 7000. This can cause a number of problems, including SD-WAN not load balancing traffic evenly between SD-WAN links, duplicate routes on some FPCs or FPMs, or FPCs or FPMs having different routing tables. To work around this problem, log into each FPC or FPM that is not synchronized and enter the command diagnose test application chlbd 3 to cause that FPC or FPM to re-download routes from the primary FPC or FPM.

727886

Some configuration elements may remain after resetting the configuration of an FPM to factory defaults.

732456 SD-WAN traffic information, including packet statistics, policy hit counts, and so on, is not supported for IPsec VPN SD-WAN members.
735634 SD-WAN health checking is not supported for IPsec VPN SD-WAN members.
736381 FortiGate-6000 mgmt interfaces can't get an IP address or other configuration from a DHCP server.
737312 In some cases, regular (non-wildcard) FQDN IP addresses may take longer than expected to be synchronized to all FPCs or FPMs.
739546 When FortiGate-7121F FPM traffic interface LAG members are modified, traffic fails and doesn't recover until the system is restarted.
739614 On a FortiGate-7000E, in some cases, wildcard FQDN IP addresses are not synchronized to the kernel FQDN list.
740563 Wildcard FQDN IP address can be synchronized from the secondary FortiGate-6000 or 7000 to the primary FortiGate-6000 or 7000 in an FGCP HA configuration.

740707

When consolidated firewall mode is enabled, policy statistics such as the number of active sessions, packets, bytes, and so on are not available from the management board or primary FIM. The management board GUI and primary FIM GUI do not display policy statistics, and REST API calls and SNMP queries to the management board or primary FIM for policy statistics return no information. Policy statistics are available from the individual FPCs or FPMs. For information about consolidated firewall mode, see Combined IPv4 and IPv6 policy.

742265 In some cases, during the upgrade process the GUI may display incorrect FortiOS version and build numbers.
747523, 747335

The FortiGate-7121F does not reassemble fragmented packets correctly if ip-reassembly is enabled using the following command:

    config system npu
        config ip-reassembly
            set status enable
        end
    end

747839 On a FortiGate-7121F, if FIM2 (the FIM in slot 2) is the primary FIM, when you run the execute reboot command from the FIM2 CLI, the entire chassis should restart. Instead, only FIM2 restarts.

757844

A FortiGate-6000 FGCP HA cluster cannot send traffic log messages to FortiAnalyzer if the cluster is configured to use mgmt1 and/or mgmt2 as dedicated HA management interfaces and you have added a custom gateway to the dedicated HA management interface configuration. For example:

    config system ha
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt1"
                set gateway <ip-address>
            next
            edit 2
                set interface "mgmt2"
                set gateway <ip-address>
            end
    end

As a temporary workaround to allow traffic log messages to be sent to FortiAnalyzer, you can disable and then re-enable ha-mgmt-status. You can also remove and then re-configure the gateway IP address of each configured HA management interface. You have to perform these operations on both FortiGate-6000s in the HA cluster since these options are not synchronized by the FGCP. In addition, you must perform these operations each time the FortiGate-6000s restart.

Fortinet recommends performing these operations from a console session since making these changes can interrupt management access.

767742 Because of a limitation of the FIM-7921F switch hardware, the FortiGate-7121F with FIM-7921Fs does not support adding VLANs to flow rules. The vlan setting of the config load-balance flow-rule command is ignored.
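The route synchronization issue above (bug IDs 647254, 716930, 748532) leaves the operator to find out which FPCs or FPMs actually diverged before running diagnose test application chlbd 3 on them. The following Python script is an added example written for this page, not code from Fortinet or from the release notes: it parses the output of get router info routing-table all captured from each blade, diffs every blade's table against the primary blade's, and lists the blades that show missing routes, extra routes or duplicate routes. It assumes the common IPv4 line shapes of that command ("[distance/metric] via <next hop>, <interface>" and "is directly connected, <interface>"); the blade names, the capture method and the sample captures are constructed for the example and are not real device output.

```python
"""Added example for bug IDs 647254/716930/748532 (not part of the Fortinet
release notes): find FPCs/FPMs whose routing table diverged from the primary
blade after an HA failover, so the operator knows where to run
`diagnose test application chlbd 3`.

Assumptions: each capture is the text of `get router info routing-table all`
taken from one blade; only the common IPv4 line shapes are parsed
("[dist/metric] via <nexthop>, <iface>" and "is directly connected, <iface>");
the sample captures below are constructed for this example, not real output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Route = Tuple[str, str, str]  # (prefix, next hop or "direct", interface)

# "S*      0.0.0.0/0 [1/0] via 203.0.113.1, port1" -> code, prefix, rest
LINE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9* ]*?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$"
)
VIA_RE = re.compile(
    r"\[\d+/\d+\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3}),\s+(?P<iface>[^\s,]+)"
)
CONN_RE = re.compile(r"is directly connected,\s+(?P<iface>[^\s,]+)")


def parse_routing_table(text: str) -> List[Route]:
    """Return every route line as a tuple; duplicates are kept on purpose."""
    routes: List[Route] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # banner, legend and blank lines start differently
        rest = m.group("rest")
        via = VIA_RE.search(rest)
        if via:
            routes.append((m.group("prefix"), via.group("nh"), via.group("iface")))
            continue
        conn = CONN_RE.search(rest)
        if conn:
            routes.append((m.group("prefix"), "direct", conn.group("iface")))
    return routes


@dataclass
class SyncReport:
    primary: str
    duplicates: Dict[str, List[Route]] = field(default_factory=dict)
    missing: Dict[str, Set[Route]] = field(default_factory=dict)
    extra: Dict[str, Set[Route]] = field(default_factory=dict)

    def blades_to_resync(self) -> List[str]:
        """Blades that differ from the primary or carry duplicate routes."""
        return sorted(set(self.duplicates) | set(self.missing) | set(self.extra))

    def workaround(self) -> Dict[str, str]:
        """The documented per-blade workaround command for each flagged blade."""
        return {b: "diagnose test application chlbd 3" for b in self.blades_to_resync()}


def compare_blades(primary: str, captures: Dict[str, str]) -> SyncReport:
    """Diff every blade's table against the primary blade's table."""
    reference = set(parse_routing_table(captures[primary]))
    report = SyncReport(primary)
    for blade, text in captures.items():
        routes = parse_routing_table(text)
        dups = sorted({r for r in routes if routes.count(r) > 1})
        if dups:  # also reported for the primary itself: it is a symptom too
            report.duplicates[blade] = dups
        if blade == primary:
            continue
        have = set(routes)
        if reference - have:
            report.missing[blade] = reference - have
        if have - reference:
            report.extra[blade] = have - reference
    return report


# Constructed sample captures (not real device output). FPC1 is the primary
# blade, FPC2 lost one of the two SD-WAN default routes (uneven load balancing),
# FPC3 holds a duplicate of the other default route, FPC4 is in sync.
BANNER = """Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

"""
PRIMARY_ROUTES = """S*      0.0.0.0/0 [1/0] via 203.0.113.1, port1
S*      0.0.0.0/0 [1/0] via 198.51.100.1, port2
C       203.0.113.0/24 is directly connected, port1
C       198.51.100.0/24 is directly connected, port2
C       10.10.0.0/24 is directly connected, port5
S       172.16.0.0/16 [10/0] via 10.10.0.2, port5
"""
CAPTURES = {
    "FPC1": BANNER + PRIMARY_ROUTES,
    "FPC2": BANNER + PRIMARY_ROUTES.replace(
        "S*      0.0.0.0/0 [1/0] via 198.51.100.1, port2\n", ""),
    "FPC3": BANNER + "S*      0.0.0.0/0 [1/0] via 203.0.113.1, port1\n" + PRIMARY_ROUTES,
    "FPC4": BANNER + PRIMARY_ROUTES,
}

if __name__ == "__main__":
    rep = compare_blades("FPC1", CAPTURES)
    for blade in rep.blades_to_resync():
        print(f"{blade}: missing={sorted(rep.missing.get(blade, ()))} "
              f"extra={sorted(rep.extra.get(blade, ()))} "
              f"duplicates={rep.duplicates.get(blade, [])}")
    print("run on:", rep.workaround())
```

Run against the constructed captures, the report flags FPC2 (missing the port2 default route) and FPC3 (duplicate port1 default route) and leaves FPC4 alone; in practice you would feed it the real captures from each blade and run the workaround only on the blades it names, then re-capture to confirm the tables match before trusting SD-WAN load balancing again.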
