Fortinet Document Library

Known issues

The following issues have been identified in version 6.4.6. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Application Control

Bug ID

Description

701926

Stress test with application control only results in packet drops.

787130

Application control does not block FTP traffic on an explicit proxy.

Endpoint Control

Bug ID

Description

685549

Need to check EMSC entitlement periodically inside fcnacd.

687320

When using FortiClient EMS, renaming the imported CA results in an authentication error. This error does not occur if the CA is not renamed.

Explicit Proxy

Bug ID

Description

733863

Get 504 gateway timeout error when trying to access proxy.pac from remote users using dialup IPsec VPN.

Firewall

Bug ID

Description

694284

In transparent mode when HA is enabled, if a packet passes through the FortiGate more than one time, the MAC address could be different from the main session.

707854

FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects.

709832

When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched.

714198

When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time.

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

716317

IPS user quarantine ban event is marking the sessions as dirty.

719925

Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

722543

The Used Quota cannot be sorted on the FortiGuard Quota Monitor. The Used Quota column has now been split into two sortable columns: Used Traffic Quota and Used Time Quota.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

589231

When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message Invalid IP/Wildcard mask. is displayed.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

697482

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

719694

When there is a connection issue between the FortiGate and a managed FortiSwitch, httpsd may crash when navigating between Switch Controller related GUI pages.

721710

Data fails to load when the Security Fabric is enabled for a downstream FortiGate that has an upstream PPPoE interface to connect to the root.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

724394

When a RADIUS server address is defined as an FQDN, GUI tests for connectivity and user credentials fail.

727035

Unable to change FortiSwitch port status when native VLAN is empty.

727644

When the first row of sequence group in a policy table is deleted, the sequence group disappears.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

739543

On the Network > Interfaces page, unable to create or edit a VLAN switch as the VLAN ID validation incorrectly fails.

Workaround: use the CLI.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

763925

GUI shows user as expired after entering a comment in guest management.

HA

Bug ID

Description

669301

When sending UDP packets, the hasync code uses the wrong buffer size, so it may write beyond the buffer and corrupt other memory.

678145

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

692384

High memory usage of hasync process on FGCP passive device.

695067

When there are more than two members in an HA cluster and the HA interface is used as the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

Workaround: do not use the HA interface as a heartbeat interface.

697066

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

703719

hasync is busy when receiving ARP when there is a huge number of ARPs in the network.

708928

The set override disable setting changes to enabled on main virtual cluster after rebooting (flag of second virtual cluster remains disabled).

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group | memory> after HA hbdev configuration changes.

721720

Performance degradation of session synchronization after upgrading.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

723130

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

779180

FGSP does not synchronize the helper-pmap expectation session.

Intrusion Prevention

Bug ID

Description

654307

Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

680501

Destination interfaces are set to unknown for previous ADVPN shortcut sessions.

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

699834

ESP errors are logged with incorrect SPI value.

Log & Report

Bug ID

Description

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

Proxy

Bug ID

Description

520176

Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that does not respond to the connection within 10 seconds, if the configuration changes during those 10 seconds.

604681

WAD process with SoC SSL acceleration enabled consumes more memory over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

615391

Reusing the buffer region causes frequent WAD crashes.

690387

wad_proto_stats crashes a few times.

712584

WAD memory leak causes device to go into conserve mode.

714610

Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI.

716400

Certificate inspection is not working as expected when an external proxy is used.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

722481

Proxy-based inspection causes browser to show ERR_CONNECTION_CLOSED message.

725628

WAD HTTP parser string leak for hostname and scheme with trace-auth-no-rsp enabled.

727349

Traffic is stuck if HTTP POST does not have an end of boundary.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

Routing

Bug ID

Description

661270

OSPF is stuck in loading state when there is a large number of OSPF interfaces.

683742

DNS local out traffic cannot match SD-WAN rule when its member is not in VRF 0.

693396

hasync daemon was busy in a dead loop if the FD resource was used up when flushing routes from the kernel.

706237

ICMP Destination Host Unreachable responses are sent in reverse order.

712586

SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted.

730208

Traffic is not going through when the returning interface is changed.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

687238

FortiManager cannot install a policy due to conflict with certificate synchronization from the Security Fabric.

718581

If HA management interface is configured, the Kubernetes connector fails to connect.

SSL VPN

Bug ID

Description

550819

guacd is consuming too much memory and CPU resources during operation.

662615

FG-80F series should support a total of 96 WTP entries (48 normal).

677548

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

686425

When accessing an application in SSL VPN web mode (Sage HR), images fail to load for http://S-***.ro***.de/mp***/.

687433

Webpage is not loading via SSL VPN web mode bookmark.

689901

SharePoint links (su***.com) not working properly on webpage launched by SSL VPN web portal.

693347

Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic.

693691

VPN logs do not show any bandwidth utilization in SSL web tunnel statistics when only using RDP.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695763

FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient.

699587

SSL VPN policy matching problem when a local user has the same name as a pure remote user.

699619

SSL VPN web mode fails to access to https://www.we***.org.

702493

CMS URLs incorrectly rewritten by SSL VPN proxy in web mode.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

717193

Website cannot be accessed in SSL VPN web mode.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

718142

The map integrated in the public site is not visible when using SSL VPN web mode.

718159

Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode.

720290

Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode.

724830

FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm.

726641

Unable to load pi***.vi***-ga***.org in SSL VPN web mode.

736822

Non-US keyboard layout in RDP session with SSL VPN web mode does not work correctly.

Switch Controller

Bug ID

Description

682430

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

717506

Unable to add description on shared FortiSwitch port.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

607565

Interface emac-vlan feature does not work on SoC4 platform.

627734

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

648085

Link status on peer device is not down when the admin port is down on the FortiGate.

674616

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

681791

Install preview does not show all changes performed on the FortiGate.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, install the policy package via FortiManager.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

698204

SNMP query for firewall policy statistics in non-root VDOM returns a 0.

699358

Cannot change FEC (forward error correction) on port group 13-16.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

700314

ARP reply is sent out by the FortiGate but is not received on the neighbor device.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

705734

FWF-40F has random kernel panic with 6.4.4 firmware.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

709513

SD-WAN reports phantom packet loss.

714256

A softirq happened in an unprotected session read lock and caused a self-deadlock.

714402

FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869).

714711

NP offloading is blocking backup traffic.

715571

config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

717203

When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command not to be sent to FortiManager: cmdbsvr has finished sending the file, but the last command is not yet stored in it.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

722273

SA is freed while its timer is still pending, which leads to a kernel crash.

724085

Traffic fails over EMAC VLAN interface with parent interface in another VDOM on FG-2600F.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

729636

FTLC1122RDNL transceiver is showing as not certified by Fortinet on FG-3800D.

731821

MAP-E DDNS update request is not sent after booting up the device.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

747508

Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.

Upgrade

Bug ID

Description

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

688989

Two-factor authentication can be bypassed with some configurations.

691556

Get CLI error when setting auto-regenerate-days option for local certificate.

698716

RADIUS password encoding does not work.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

707868

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

709303

SAML user-name and group-name configuration values are limited to only 35 characters.

710212

RADIUS accounting port is occasionally missing.

725056

FSSO local poller fails after recent Microsoft Windows update (KB5003646, KB5003638, ...).

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

687925

Hardware checksum failure encountered on Azure FG-VM.

714682

GENEVE tunnel with loopback interface is not working.

715750

EIP information is not automatically updated after instance reboot.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

Web Filter

Bug ID

Description

677234

Unable to block webpages present in the external list when accessing them through the Google Translate URL.

WiFi Controller

Bug ID

Description

502080

TARGET ASSERT error in WiFi driver causes kernel panic.

662615

FG-80F series should support a total of 96 WTP entries (48 normal).

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

677994

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

680527

Clients fail to authenticate to an SSID due to the MPSK client limit being reached when the actual number of connected clients is below the limit.

685593

Spectrum analysis graphs only present a portion of the data for a monitor mode radio when the X-Axis is MHz.

693973

Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF.

700356

CAPWAP daemon crashing due to IoT detection.

709824

Dynamic VLAN SSID traffic cannot pass through VDOM link when capwap-offload is enabled.

720674

cw_acd is crashing on FG-40F.

Known issues

The following issues have been identified in version 6.4.6. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Application Control

Bug ID

Description

701926 Stress test with application control only results in packet drops.

787130

Application control does not block FTP traffic on an explicit proxy.

Endpoint Control

Bug ID

Description

685549

Need to check EMSC entitlement periodically inside fcnacd.

687320

When using FortiClient EMS, renaming the imported CA results in an authentication error. This error does not occur if the CA is not renamed.

Explicit Proxy

Bug ID

Description

733863

Get 504 gateway timeout error when trying to access proxy.pac from remote users using dialup IPsec VPN.

Firewall

Bug ID

Description

694284

In transparent mode when HA is enabled, if the packet passes through the FortiGate more than once time, the MAC address could be different from main session.

707854

FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects.

709832

When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched.

714198

When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time.

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

716317

IPS user quarantine ban event is marking the sessions as dirty.

719925

Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

722543

The Used Quota cannot be sorted on the FortiGuard Quota Monitor. The Used Quota column has now been split into two sortable columns: Used Traffic Quota and Used Time Quota.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

589231

When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message Invalid IP/Wildcard mask. is displayed.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

697482

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

719694

When there is a connection issue between the FortiGate and a managed FortiSwitch, httpsd may crash when navigating between Switch Controller related GUI pages.

721710

Data fails to load when the Security Fabric is enabled for a downstream FortiGate that has an upstream PPPoE interface to connect to the root.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

724394

When a RADIUS server address is defined as an FQDN, GUI tests for connectivity and user credentials fail.

727035

Unable to change FortiSwitch port status when native VLAN is empty.

727644

When the first row of sequence group in a policy table is deleted, the sequence group disappears.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

739543

On the Network > Interfaces page, unable to create or edit a VLAN switch as the VLAN ID validation incorrectly fails.

Workaround: use the CLI.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

763925

GUI shows user as expired after entering a comment in guest management.

HA

Bug ID

Description

669301

When sending UDP packets, hasync code uses the wrong buffer size so that it may overwrite beyond the buffer to other corrupted memory.

678145

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

692384

High memory usage of hasync process on FGCP passive device.

695067

When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

Workaround: do not use the HA interface as a heartbeat interface.

697066

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

703719

hasync is busy when receiving ARP when there is a huge number of ARPs in the network.

708928

The set override disable setting changes to enabled on main virtual cluster after rebooting (flag of second virtual cluster remains disabled).

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group |memory> after HA hbdev configuration changes.

721720

Performance degradation of session synchronization after upgrading.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

723130

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

779180

FGSP does not synchronize the helper-pmap expectation session.

Intrusion Prevention

Bug ID

Description

654307

Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

680501

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

699834

ESP errors are logged with incorrect SPI value.

Log & Report

Bug ID

Description

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

Proxy

Bug ID

Description

520176

Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that will not respond the connection in 10 seconds, and if the configuration changes during the 10 seconds.

604681

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

615391

Reusing the buffer region causes frequent WAD crashes.

690387

wad_proto_stats crashes a few times.

712584

WAD memory leak causes device to go into conserve mode.

714610

Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI.

716400

Certificate inspection is not working as expected when an external proxy is used.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

722481

Proxy-based inspection causes browser to show ERR_CONNECTION_CLOSED message.

725628

WAD HTTP parser string leak for hostname and scheme with trace-auth-no-rsp enabled.

727349

Traffic is stuck if HTTP POST does not have an end of boundary.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

Routing

Bug ID

Description

661270

OSPF is stuck in loading state when there is a large amount of OSPF interfaces.

683742

DNS local out traffic cannot match SD-WAN rule when its member is not in VRF 0.

693396

hasync daemon was busy in dead loop if FD resource was used up when flushing routes from the kernel.

706237

ICMP Destination Host Unreachable responses are sent in reverse order.

712586

SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted.

730208

Traffic is not going through when the returning interface is changed.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

687238

FortiManager cannot install a policy due to conflict with certificate synchronization from the Security Fabric.

718581

If HA management interface is configured, the Kubernetes connector fails to connect.

SSL VPN

Bug ID

Description

550819

guacd is consuming too much memory and CPU resources during operation.

662615

FG-80F series should support a total of 96 WTP entries (48 normal).

677548

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

686425

When accessing an application in SSL VPN web mode (Sage HR), images fail to load for http://S-***.ro***.de/mp***/.

687433

Webpage is not loading via SSL VPN web mode bookmark.

689901

SharePoint links (su***.com) not working properly on webpage launched by SSL VPN web portal.

693347

Forward traffic for SSL VPN with an EMS tag dynamic address is failing, except for helper-based traffic.

693691

VPN logs do not show any bandwidth utilization in SSL web tunnel statistics when only using RDP.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695763

FortiClient iOS 6.4.5 has a new feature that allows 2FA to be bypassed for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.

699587

SSL VPN policy matching problem when a local user has the same name as a pure remote user.

699619

SSL VPN web mode fails to access https://www.we***.org.

702493

CMS URLs incorrectly rewritten by SSL VPN proxy in web mode.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

717193

Website cannot be accessed in SSL VPN web mode.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

718142

The map integrated in the public site is not visible when using SSL VPN web mode.

718159

Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode.

720290

Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode.

724830

FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm.

726641

Unable to load pi***.vi***-ga***.org in SSL VPN web mode.

736822

Non-US keyboard layout in RDP session with SSL VPN web mode does not work correctly.

Switch Controller

Bug ID

Description

682430

An entry is created in NTP under the interface configuration after failing to enable the FortiLink interface.

717506

Unable to add description on shared FortiSwitch port.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly given the wrong traffic direction information (from server or from client) when deciding the destination for the data. This causes the traffic to be sent back to the port it came from.

607565

Interface emac-vlan feature does not work on SoC4 platform.

627734

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

648085

Link status on peer device is not down when the admin port is down on the FortiGate.

674616

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

681791

Install preview does not show all changes performed on the FortiGate.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, install the policy package via FortiManager.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

698204

SNMP query for firewall policy statistics in non-root VDOM returns a 0.

699358

Cannot change FEC (forward error correction) on port group 13-16.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

700314

ARP reply is sent out by the FortiGate but is not received on the neighbor device.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

705734

FWF-40F has random kernel panic with 6.4.4 firmware.

705878

Local certificates could not be saved properly, which caused issues such as certificates not being restored correctly from configuration files and certificates and keys being mismatched.

709513

SD-WAN reports phantom packet loss.

714256

A softirq happened in an unprotected session read lock and caused a self-deadlock.

714402

FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869).

714711

NP offloading is blocking backup traffic.

715571

config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

717203

When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. A timing issue may cause the last command not to be sent to FortiManager: cmdbsvr has already finished sending the file before the last command is stored in the auto update file.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

722273

SA is freed while its timer is still pending, which leads to a kernel crash.

724085

Traffic fails over EMAC VLAN interface with parent interface in another VDOM on FG-2600F.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

729636

FTLC1122RDNL transceiver is showing as not certified by Fortinet on FG-3800D.

731821

MAP-E DDNS update request is not sent after booting up the device.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

747508

Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.

Upgrade

Bug ID

Description

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to the FSSO endpoint.

688989

Two-factor authentication can be bypassed with some configurations.

691556

A CLI error occurs when setting the auto-regenerate-days option for a local certificate.

698716

RADIUS password encoding does not work.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

707868

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

709303

SAML user-name and group-name configuration values are limited to only 35 characters.

710212

RADIUS accounting port is occasionally missing.

725056

FSSO local poller fails after recent Microsoft Windows updates (KB5003646, KB5003638, ...).

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

687925

Hardware checksum failure encountered on Azure FG-VM.

714682

GENEVE tunnel with loopback interface is not working.

715750

EIP information is not automatically updated after instance reboot.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for the ESP protocol (instead of IP/50) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

Web Filter

Bug ID

Description

677234

Unable to block webpages present in the external list when accessing them through the Google Translate URL.

WiFi Controller

Bug ID

Description

502080

TARGET ASSERT error in WiFi driver causes kernel panic.

662615

FG-80F series should support a total of 96 WTP entries (48 normal).

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

677994

A newly discovered and authorized FortiAP causes an HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, the radio is changed to AP mode and its band is unset.

680527

Clients fail to authenticate to the SSID because the MPSK client limit is reported as reached even though the number of actually connected clients is below the limit.

685593

Spectrum analysis graphs only present a portion of the data for a monitor mode radio when the X-axis is in MHz.

693973

Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF.

700356

CAPWAP daemon crashes due to IoT detection.

709824

Dynamic VLAN SSID traffic cannot pass through VDOM link when capwap-offload is enabled.

720674

cw_acd is crashing on FG-40F.