Fortinet black logo

Known issues

Known issues

The following issues have been identified in version 6.4.6. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Application Control

Bug ID

Description

787130

Application control does not block FTP traffic on an explicit proxy.

Firewall

Bug ID

Description

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

697482

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

763925

GUI shows user as expired after entering a comment in guest management.

HA

Bug ID

Description

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

740009

SFP on HA1 and HA2 interfaces on an FG-1800F and FG-1801F cannot come up in 1000full speed.

779180

FGSP does not synchronize the helper-pmap expectation session.

Intrusion Prevention

Bug ID

Description

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

Log & Report

Bug ID

Description

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

Proxy

Bug ID

Description

604681

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

712584

WAD memory leak causes device to go into conserve mode.

716400

Certificate inspection is not working as expected when an external proxy is used.

722481

Proxy-based inspection causes browser to show ERR_CONNECTION_CLOSED message.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

SSL VPN

Bug ID

Description

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

607565

Interface emac-vlan feature does not work on SoC4 platform.

648085

Link status on peer device is not down when the admin port is down on the FG-500E.

666664

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

705734

FWF-40F has random kernel panic with 6.4.4 firmware.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

747508

Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.

751715

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

Upgrade

Bug ID

Description

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.

Known issues

The following issues have been identified in version 6.4.6. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Application Control

Bug ID

Description

787130

Application control does not block FTP traffic on an explicit proxy.

Firewall

Bug ID

Description

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

697482

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

763925

GUI shows user as expired after entering a comment in guest management.

HA

Bug ID

Description

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

740009

SFP on HA1 and HA2 interfaces on an FG-1800F and FG-1801F cannot come up in 1000full speed.

779180

FGSP does not synchronize the helper-pmap expectation session.

Intrusion Prevention

Bug ID

Description

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

Log & Report

Bug ID

Description

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

Proxy

Bug ID

Description

604681

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

712584

WAD memory leak causes device to go into conserve mode.

716400

Certificate inspection is not working as expected when an external proxy is used.

722481

Proxy-based inspection causes browser to show ERR_CONNECTION_CLOSED message.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

SSL VPN

Bug ID

Description

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

607565

Interface emac-vlan feature does not work on SoC4 platform.

648085

Link status on peer device is not down when the admin port is down on the FG-500E.

666664

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

705734

FWF-40F has random kernel panic with 6.4.4 firmware.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

747508

Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.

751715

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

Upgrade

Bug ID

Description

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.