Quarantined files cannot be fetched in the AV log page if the file was already quarantined under another protocol.

Files fail to open in some CIFS setups where FortiOS cannot generate a signature.

DNS proxy is holding 60% memory caused by retransmitted DNS messages sent from DNS clients, which causes the FortiGate to enter conserve mode.

Proxy policy destination address set to none allows all traffic.

Web proxy users are disconnected due to external resource update flushing the user even if they do not have an authentication rule using the related proxy address or IP list.

Proxy traffic failed after modifying resource setting in external connector.

Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7.

SNAT is using low ports below 1023 for NTP.

Any changes to the security policy table causes the hit count to reset.

Challenge ACK is being dropped.

In NGFW policy mode, sessions are not re-validated when security policies are changed.

No hit counts on policy for DHCP broadcast packets in transparent mode.

Firewall schedule settings are not following daylight saving time.

Dynamic traffic shapers are not consistent in their idle time limit.

FGSP synchronized UDP sessions may be blocked in NGFW policy mode when asymmetric routing is used due to a policy matching failure. Other types of traffic may also be affected (such as TCP) in the case of failover of the reply direction traffic to a different FortiGate in the FGSP cluster.

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

On Traffic Shaping Policy list page, right-click option to show matching logs does not work.

An address created by the VPN wizard cannot save changes due to an incorrect validation check for parentheses, (), in the Comments field.

Add support for case-insensitive inspecting the username of an email address.

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

On SD-WAN Rules page, the GUI does not indicate which outgoing interface is active. This is due to auto-discovery VPN routing changes.

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

When performed from the primary FortiGate, using the GUI to change a firewall policy action from accept to deny does not disable the IP pool setting, causing the HA cluster to be out of sync. Updating the policy via the CLI does not have this issue.

After upgrading firmware, the CLI script action has a required administrator profile to restrict capabilities. This profile cannot exceed the current administrator's permissions. When configuring a stitch, an administrator can only choose a CLI script that has equal or lesser permissions that the current administrator.

On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address.

There is no way to add a line break when using the GUI to edit the replacement message for pre_admin-disclaimer-text. One must use the CLI with the Shift + Enter keys to insert a line break.

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

When multiple favorite menus are configured, the new features video pops up after each GUI login, even though user previously selected Don't show again.

When editing a DoS policy, users were able to click OK twice as there was a small delay until the dialog was saved and closed. Clicking twice would cause unwanted changes to the policy. This has been corrected as Submit buttons are now disabled while a dialog is submitting. This fix covers all policy dialogs.

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

On the SD-WAN Rules page, the default implicit rule shows a destination address of Route tag: undefined.

The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.

On the SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing domain name for VPN gateway.

Log viewer should use relative timestamps for dates less than seven days old.

Unable to change System Settings when in split VDOM mode; the error Administration settings failed to save is displayed.

When a FortiGate with VDOM and explicit proxy enabled has an access profile with packet capture set to none, administrators with this access profile are not able to create an explicit proxy policy.

The Firewall Address and Service pages cannot load on a downstream FortiGate if Fabric Synchronization is enabled, but the downstream FortiGate cannot reach the root FortiGate.

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

When the FortiGate is managed by FortiManager, an administrator that selects Login Read-Only is incorrectly allowed to select Update firmware in System > Firmware, browse for an image, and install it.

Items added to Favorites are lost after a logout or reboot.

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

When editing the WAF profile in the GUI, changes to the WAF default-allowed-methods are not committed. The CLI must be used.

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

Add column for Absolute Date/Time to the GUI Log Viewer.

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

The HA secondary cannot synchronize a new virtual switch configuration from the primary.

Management access not working in transparent mode cluster after upgrade.

FortiGate in standalone mode has a virtual MAC address.

IPv6 link local address is not generated in FGCP.

Malicious certificate database is not getting updated on the secondary unit.

The interfaces on NP6 platforms are down when doing a configuration revert in HA mode.

Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster.

hasync crashes with signal 11 in ha_same_fosver_with_manage_master.

ipshelper CPU spikes when configuration changes are made.

BZIP2 file including EICAR is detected in the original direction of the flow mode firewall policy even though scan-bzip2 is disabled.

Flow-Based AV scanning does not send specific extension files to FortiSandbox.

Signature false positives causing outage after IPS database update.

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

When the SA is about to expire, before it is removed it is not offloaded so the traffic may not go through.

NP6Lite platforms may enter conserve mode because the get/put reference count for pinfo is not reasonable. When there is an inbound SA update, the old pinfo is not freed.

ADVPN shortcut is flapping when spokes are behind one-to-one NAT.

Creating or updating a user with two-factor authentication causes dialup VPN traffic to stop.

When multiple dialup phase 1 gateways are configured on the hub that are nearly identical, when using peer group authentication after fnbam verification, the IKE gateway could switch from one to another even if two gateways have a different network ID.

Issue establishing IPsec and L2TP tunnel with Chromebook behind NAT.

Duplicate IP assigned by IKE Mode Config due to static gateway being out of sync after HA flapping. The tunnel that is out of sync cannot receive the deletion from the hub and holds on to an IP that has already been released.

Cyrillic characters not displayed properly in local reports.

First TCP connection to syslog server is not stable.

No event log generated when log disk needs format.

In rare cases, reportd crashes when the number of items can be zero, but the pie chart is still generated successfully.

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

WAD crash on reconnect bypass. With a special timing, when the server triggers error handling that results in the WAD bypassing the SSL connection, the server-side TCP port is already closed, and the wad_sched_event object is already freed.

Proxy-based SSL out-band-probe session has local out connection. Since the local out session will not learn the router policy, it makes all outbound connections fail if there is no static router to the destination.

Proxy deep inspection workaround needed for sites that require psk_key_exchange_modes.

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

WAD IPS crashes because task is scheduled after closing.

Transparent proxy implicit deny policy is not blocking access.

WAD crashes at wad_client_cert_req_act_get when SSL layer configuration is cleaned up after policy matching.

Cannot access Java-based application in proxy mode.

A coding error can cause integer overflow on crafted HTTP requests and read out-of-boundary memory. Sometimes, PCRE match crashes due to this out-of-boundary memory access.

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

REST API /api/v2/monitor/firewall/security-policy adds UUID data for security policy statistics.

REST API unable to change status of interface when VDOMs are enabled.

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

VRF configuration in WWAN interface has no effect after reboot.

Traffic is forwarded out to the wrong interface if an LTE interface is an SD-WAN member. The LTE interface may lose its SD-WAN flag during modem initialization.

OSPFv3 routes are missing from routing table when unsetting or setting the ASBR table.

ADVPN and SD-WAN reply direction randomly chooses ECMP path rather than following shortcut.

FortiGuard DDNS does not follow FortiGuard interface select method, and it does not support HA failover functionality.

Return packets are not always sent back through the correct path.

BGP daemon consumes high CPU in ADVPN setup when disconnecting after socket writing error.

OSPF neighbor cannot form with spoke in ADVPN setup if the interface has a parent link and it is a tunnel.

SD-WAN rules not working for FortiAnalyzer settings because the interface-select-method is implemented on a remote device FortiAnalyzer/FDS but not added to FortiView/log viewing API.

FortiCloud activation does not honor the set interface-select-method command under config system fortiguard.

OSPF area range routes lost during HA failover.

GRE configuration fails on MAP-E interface (vne.root).

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

In some WAD proxy cases, the WAD local session cannot get the SYN-ACK packet.

Reply direction keeps flapping between different tunnels after unrelated FIB update.

SD-WAN rules are not working with route tags and VRF.

FortiGate crashes when doing ping6 on VDOM link interface.

The policy script-src 'self' will block the SSL VPN proxy URL.

SSL VPN web mode gets error when accessing internal website at https://st***.st***.ca/.

SSL VPN disconnects all connections after adding new address to IP pool.

SSL VPN web mode cannot load web page https://jira.ca.ob***.com properly based on Jira application.

There are potential cases where the UDP redirect port is used by other parts of the system, which causes SSL VPN to restart.

Internal application server/website bookmark (https://***.***.***.***:****/nexgen/) not working in SSL VPN web mode.

sslvpnd segmentation fault crash due to old DNS entries in cache that cannot be released if the same results were added into the cache but in a different order.

JSON parse error returned SSL VPN web mode for website https://bi***.u***.cat/az.php.

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

Customized replacement messages for SSL VPN login page sometimes cannot be parsed correctly, causing the FortiToken authentication page to not appear.

Internal SolarWinds Orion platform's webpages have issue in SSL VPN web mode.

Unable to access sc***.com in SSL VPN web mode.

Video could not load for https://le***.sm***.ca in SSL VPN web mode.

Changing DNS or WINS server under VPN SSL settings logs off connected users.

SSL VPN bookmark fails to authenticate user through single sign-on for internal website login.

SSL VPN crashed with signal 11 (segmentation fault) uri_search because of rules set for a special case.

Specific content in portal.ag***.com cannot be shown in SSL VPN web mode.

SSL VPN bookmarked website shows empty page after logging in to SSL VPN gateway https://vd***.vi***.com.

When a client is connected to SSL VPN and has an internet outage for more then 15 seconds, the client fails to reconnect.

Unable to display the data in SSL VPN web mode on innovaphone PBX link.

Access through web portal to an Opengear Lighthouse server does not load the login page properly.

SSO login for the bookmark to access FortiAnalyzer GUI does not work.

Certificate authentication does not check PKI users in the expected order.

SSL VPN web mode removes ant-tree components in HTML source.

Tunnel IP pool leak when DTLS tunnel user session is deleted due to timeout (idle or authentication).

Unexpected group to portal matching priority with SAML authentication.

SSL VPN web mode has problem accessing https://mf***.sa***.com.sa/Login.aspx?url=Default.aspx.

OS check for SSL VPN tunnel is not working on macOS Big Sur; the connection is rejected when the action is set to allow.

OWA user details are not showing in SSL VPN web mode.

sslvpnd signal 11 (Segmentation fault) received caused by a pointer arithmetic error.

SSL VPN stuck loading https://el***.***-data.pl when wrong credential was entered.

Unable to de-authorize FortiSwitch, or assign VLAN on FortiSwitch port on a tenant VDOM.

L3 managed FortiSwitch configuration synchronization error due to the empty string parameter in ptp-policy on managed port configuration.

disable-discovery of a FortiSwitch on one VDOM should not make the FortiSwitch disconnect from another VDOM.

A limit is needed to prevent changes to default-virtual-switch-vlan in the tenant VDOM if there already are leased FortiSwitch ports.

When managed switch PTP policy and settings configuration was pushed as part of initial FortiLink configuration, the FortiLink connection is in an error state.

FortiSwitch MAC delete logs are not being generated.

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

VPN throughput dropped when FEC is enabled.

DoS log counters are inaccurate (policy counters, event log entries, packet counts).

Flow-based inspection with virtual wire pair causes MAC to flap.

SSL local certificate can not be imported via CMDB API (api/v2/cmdb/vpn.certificate/local) due to certificate data handling in CMF plugin (vpn.certificate/local).

Unable to sniff LLDP frames on management and TFTP ports.

When a PPPoE interface is enabled, it overwrites the LAN address object that was created.

Fortinet Factory certificate key integrity check failed in diagnose hardware certificate command.

snmpd crashes when sorting a list-based ARP table if it has about 50,000 or more entries.

diagnose sys csum command shows wrong hash on SOC4 appliances (FG- 60F, FG-61F, FG-100F and FG-101F).

SFP interfaces on FG-330xE do not show link light.

Console prints out NP6XLITE: np6xlite_hw_ipl_rw_mem_channel timeout message on SoC4 platforms.

Offloaded traffic passing through two VDOMs connected with EMAC-VLANs is sometimes dropped.

If cfg-save is set to manual (under config system global), it causes problems with the queries made when parsing the internet service database.

CMDB may crash during boot up when querying VPN SSL settings.

UDP 4500 inter-VDOM traffic is not offloaded, causing BFD/IPsec to drop.

Get Failed on update FortiGuardDDNS error for fortiddns when secondary device becomes primary device in an HA cluster.

When changing the interface speed, some checking is skipped if it is set from FortiManager.

Failed to parse execute restore config properly when the command is from a FortiManager script.

Configuration attribute field in system event logs has length limitation.

GeoIP6 address causes policy to not install properly in the kernel.

Rebooting device causes interface mode to change from static to DHCP.

After reboot, get global.system.interface.npu0_vlink0 config error when VDOM is in transparent mode.

Traffic was stopped because PBA IP pool has the wrong relationship information.

Egress interface-based traffic shaping is not applied if the session is processed by NTurbo.

Bulk changes through the CLI are very slow with 24000 existing policies.

After upgrading from 6.4.2 to 6.4.4, some configurations moved to another VDOM.

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

Sometimes a VWL service adds a child without a parent, leading to a signal 6 (Aborted) crash received at cmf_query_ses_update_child.

Application lted signal 11 crash on FWF-40F-3G4G.

Huawei E8372h-320 LTE modem does not receive IP on FG-30E.

The newcli process crashes or shows an error when creating a VIP with the same external interface IP but a different source address filter.

When an <entry name> is on the same line as config <setting> <setting> <entry name>, it is not handled properly to send to FortiManager.

Secondary FG-5001D blades in SLBC cluster do not show updated contract dates.

Cloning a firewall policy may cause cmdbsvr to crash.

NPU6 is not able to support WCCP traffic offloading. NTurbo driver received packet, which included additional IPv4 header and WCCP header. NTurbo is unable to process this kind of packets so it dropped.

FortiGate cannot get gateway from built-in LTE modem on all LTE capable FortiGate platforms.

In some environments, host-side DPDK affects the benchmark result.

When running execute speed-test command, it shows all VLAN and SSL interfaces from other VDOMs.

802.1x wiredap does not correctly process the TagID in the Tunnel-Private-Group-ID attribute.

When processing visibility log requests and passively learning FQDNs and wildcard FQDN addresses at a high rate, the CPU usage of dnsproxy can reach 90% or higher.

FGR-60F WAN1 and WAN2 fail to connect to the network due to board ID GPIO assignment being incorrect.

FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

Add downgrade code for DHCP server so it can be used in DHCP relay.

Unable to create MAC address-based policies in NGFW.

The authd and foauthd processes may crash due to crypto functions being set twice.

Wildcard LDAP users created on FortiToken Cloud have the first character of the username removed.

OCSP verification fails with Can't convert OCSP rsp error after upgrading.

SAML entity ID can only be entered in HTTP format, but as per standard should also support URN.

If a certificate authentication job expires in fnbamd, an error is returned to caller that makes the proxy block client traffic.

Azure route table is not using the proper subscription ID during failover.

EIP iAzure route table is not using the proper subscription ID during failovers not updating properly with execute update-eip command in Azure with standard SKU public IP in some Canadian regions, like CanadaCentral and CanadaEast.

Azure SDN connector gets an empty IP list when the REST API call fails, which results in IPsec connection being interrupted until the next SDN connector update succeeds (one-minute interval).

Bootstrap does not work with FG-VM on Azure Stack.

FG-VM kernel panicked and reboot after sending through IPv6 traffic.

Cannot enter a name for the web rating override or save it due to name input error.

The configured MAC address of the VAP interface did not take effect after rebooting.

Dynamic VLAN on SSID cannot pass traffic through FG-100F/101F and FG-60F/61F when offloading is enabled.

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

Wireless country setting option needs to remove sanctioned countries and add missing countries.

Wireless default WTP profile not synchronized between FWF-61E with HA A-A mode.

FWF-60F/61F and FWF-40F encounters kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

SSH session shows periodical cw_ac_wl_cfg_2_dinfo.

FAP-421E does not come online over IPsec tunnel and shows a certificate error.

AP with MAC E0-23-FF not coming online through mesh with FortiWiFi radio set to root.