Need to check EMSC entitlement periodically inside fcnacd.

In transparent mode when HA is enabled, if the packet passes through the FortiGate more than once time, the MAC address could be different from main session.

FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects.

When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched.

When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time.

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

IPS user quarantine ban event is marking the sessions as dirty.

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message Invalid IP/Wildcard mask. is displayed.

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

When there is a connection issue between the FortiGate and a managed FortiSwitch, httpsd may crash when navigating between Switch Controller related GUI pages.

Data fails to load when the Security Fabric is enabled for a downstream FortiGate that has an upstream PPPoE interface to connect to the root.

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

When a RADIUS server address is defined as an FQDN, GUI tests for connectivity and user credentials fail.

Unable to change FortiSwitch port status when native VLAN is empty.

When the first row of sequence group in a policy table is deleted, the sequence group disappears.

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

On the Network > Interfaces page, unable to create or edit a VLAN switch as the VLAN ID validation incorrectly fails.

Workaround: use the CLI.

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

When sending UDP packets, hasync code uses the wrong buffer size so that it may overwrite beyond the buffer to other corrupted memory.

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

High memory usage of hasync process on FGCP passive device.

When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

Workaround: do not use the HA interface as a heartbeat interface.

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

hasync is busy when receiving ARP when there is a huge number of ARPs in the network.

The set override disable setting changes to enabled on main virtual cluster after rebooting (flag of second virtual cluster remains disabled).

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group |memory> after HA hbdev configuration changes.

Performance degradation of session synchronization after upgrading.

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that will not respond the connection in 10 seconds, and if the configuration changes during the 10 seconds.

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

Reusing the buffer region causes frequent WAD crashes.

wad_proto_stats crashes a few times.

WAD memory leak causes device to go into conserve mode.

Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI.

Certificate inspection is not working as expected when an external proxy is used.

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

Proxy-based inspection causes browser to show ERR_CONNECTION_CLOSED message.

WAD HTTP parser string leak for hostname and scheme with trace-auth-no-rsp enabled.

Traffic is stuck if HTTP POST does not have an end of boundary.

OSPF is stuck in loading state when there is a large amount of OSPF interfaces.

DNS local out traffic cannot match SD-WAN rule when its member is not in VRF 0.

hasync daemon was busy in dead loop if FD resource was used up when flushing routes from the kernel.

ICMP Destination Host Unreachable responses are sent in reverse order.

SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted.

Slow GUI performance in large Fabric topology with over 50 downstream devices.

FortiManager cannot install a policy due to conflict with certificate synchronization from the Security Fabric.

guacd is consuming too much memory and CPU resources during operation.

FG-80F series should support a total of 96 WTP entries (48 normal).

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

When accessing an application in SSL VPN web mode (Sage HR), images fail to load for http://S-***.ro***.de/mp***/.

Webpage is not loading via SSL VPN web mode bookmark.

SharePoint links (su***.com) not working properly on webpage launched by SSL VPN web portal.

Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic.

VPN logs do not show any bandwidth utilization in SSL web tunnel statistics when only using RDP.

WALLIX personal bookmark issue in SSL VPN portal.

FortiClient iOS 6.4.5 has new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient.

SSL VPN policy matching problem when a local user has the same name as a pure remote user.

SSL VPN web mode fails to access to https://www.we***.org.

CMS URLs incorrectly rewritten by SSL VPN proxy in web mode.

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

Website cannot be accessed in SSL VPN web mode.

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

The map integrated in the public site is not visible when using SSL VPN web mode.

Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode.

Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode.

FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm.

Unable to load pi***.vi***-ga***.org in SSL VPN web mode.

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

Interface emac-vlan feature does not work on SoC4 platform.

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

Link status on peer device is not down when the admin port is down on the FortiGate.

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

Install preview does not show all changes performed on the FortiGate.

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, install the policy package via FortiManager.

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

SNMP query for firewall policy statistics in non-root VDOM returns a 0.

Cannot change FEC (forward error correction) on port group 13-16.

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

ARP reply sent out by FortiGate but was not received on neighbor device.

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

FWF-40F has random kernel panic with 6.4.4 firmware.

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

SD-WAN reports phantom packet loss.

A softirq happened in an unprotected session read lock and caused a self-deadlock.

FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869).

NP offloading is blocking backup traffic.

config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used.

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

When user changes a configurations in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command not be sent to FortiManager since cmdbsvr has finished sending it, but the last command is not yet stored in the auto update file.

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

SA is freed while its timer is still pending, which leads to a kernel crash.

Traffic fails over EMAC VLAN interface with parent interface in another VDOM on FG-2600F.

DHCP discovery dropped on virtual wire pair when UTM is enabled.

FTLC1122RDNL transceiver is showing as not certified by Fortinet on FG-3800D.

MAP-E DDNS update request is not sent after booting up the device.

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

Two-factor authentication can be bypassed with some configurations.

Get CLI error when setting auto-regenerate-days option for local certificate.

RADIUS password encoding does not work.

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end

config system global
    set admin-server-cert <scep_certificate>
end

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

SAML user-name and group-name configuration values are limited to only 35 characters.

RADIUS accounting port is occasionally missing.

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

FG-VMX manager not showing all the nodes deployed.

Autoscale GCP health check is not successful (port 8443 HTTPS).

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

Hardware checksum failure encountered on Azure FG-VM.

GENEVE tunnel with loopback interface is not working.

EIP information is not automatically updated after instance reboot.

TARGET ASSERT error in WiFi driver causes kernel panic.

FG-80F series should support a total of 96 WTP entries (48 normal).

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

Clients fails to authenticate to SSID due to MPSK client limit being reached when the actual connected clients are below the limit.

Spectrum analysis graphs only presents a portion of the data for monitor mode radio when X-Axis is MHz.

Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF.

CAPWAP daemon crashing due to IoT detection.

Dynamic VLAN SSID traffic cannot pass through VDOM link when capwap-offload is enabled.