Resolved issues

The following issues have been fixed in version 6.4.6. To inquire about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID

Description

650160

When using email filter profile, emails are being queued due to IMAP proxy being in stuck state.

Anti Virus

Bug ID

Description

524571

Quarantined files cannot be fetched in the AV log page if the file was already quarantined under another protocol.

683835

Files fail to open in some CIFS setups where FortiOS cannot generate a signature.

707186

Scanunit crashes with signal 11 when users attach files in the Outlook Web App.

Application Control

Bug ID

Description

576727

Unknown Applications category is not present in NGFW policy-based mode.

DNS Filter

Bug ID

Description

682060

DNS proxy is holding 60% memory caused by retransmitted DNS messages sent from DNS clients, which causes the FortiGate to enter conserve mode.

693551

DNS filter is not working on active VDOM in second HA unit in virtual cluster environment.

Endpoint Control

Bug ID

Description

691477

EMS dynamic address synchronization delay in FortiGate IPv4 policy.

Explicit Proxy

Bug ID

Description

654455

Proxy policy destination address set to none allows all traffic.

681054

Web proxy users are disconnected due to external resource update flushing the user even if they do not have an authentication rule using the related proxy address or IP list.

689002

Proxy traffic failed after modifying resource setting in external connector.

697566

Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7.

700451

Wrong source IP used intermittently when FortiGate has SD-WAN and is transparently proxy forwarding to explicit proxy.

Firewall

Bug ID

Description

474612

SNAT is using low ports below 1023 for NTP.

595949

Any changes to the security policy table causes the hit count to reset.

644225

Challenge ACK is being dropped.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

683426

No hit counts on policy for DHCP broadcast packets in transparent mode.

683669

Firewall schedule settings are not following daylight saving time.

694154

Dynamic traffic shapers are not consistent in their idle time limit.

696619

FGSP synchronized UDP sessions may be blocked in NGFW policy mode when asymmetric routing is used due to a policy matching failure. Other types of traffic may also be affected (such as TCP) in the case of failover of the reply direction traffic to a different FortiGate in the FGSP cluster.

699785

Firewall performance may degrade when thousands of VIPs are configured.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

673225

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

683413

Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled.

Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats - WAN, and Top Vulnerable Endpoint Devices.

GUI

Bug ID

Description

561420

On Traffic Shaping Policy list page, right-click option to show matching logs does not work.

592854

An address created by the VPN wizard cannot save changes due to an incorrect validation check for parentheses, (), in the Comments field.

599815

Add support for case-insensitive inspecting the username of an email address.

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

636208

On SD-WAN Rules page, the GUI does not indicate which outgoing interface is active. This is due to auto-discovery VPN routing changes.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

647431

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

652522

When performed from the primary FortiGate, using the GUI to change a firewall policy action from accept to deny does not disable the IP pool setting, causing the HA cluster to be out of sync. Updating the policy via the CLI does not have this issue.

656599

After upgrading firmware, the CLI script action has a required administrator profile to restrict capabilities. This profile cannot exceed the current administrator's permissions. When configuring a stitch, an administrator can only choose a CLI script that has equal or lesser permissions than the current administrator.

656668

On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address.

665111

There is no way to add a line break when using the GUI to edit the replacement message for pre_admin-disclaimer-text. One must use the CLI with the Shift + Enter keys to insert a line break.

665597

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

665712

When multiple favorite menus are configured, the new features video pops up after each GUI login, even though user previously selected Don't show again.

670026

When editing a DoS policy, users were able to click OK twice as there was a small delay until the dialog was saved and closed. Clicking twice would cause unwanted changes to the policy. This has been corrected as Submit buttons are now disabled while a dialog is submitting. This fix covers all policy dialogs.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

674548

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

680804

On the SD-WAN Rules page, the default implicit rule shows a destination address of Route tag: undefined.

680805

The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.

682008

On the SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing domain name for VPN gateway.

682077

Log viewer should use relative timestamps for dates less than seven days old.

682547

Unable to change System Settings when in split VDOM mode; the error Administration settings failed to save is displayed.

684904

When a FortiGate with VDOM and explicit proxy enabled has an access profile with packet capture set to none, administrators with this access profile are not able to create an explicit proxy policy.

688076

The Firewall Address and Service pages cannot load on a downstream FortiGate if Fabric Synchronization is enabled, but the downstream FortiGate cannot reach the root FortiGate.

688994

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

689605

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

697667

When the FortiGate is managed by FortiManager, an administrator that selects Login Read-Only is incorrectly allowed to select Update firmware in System > Firmware, browse for an image, and install it.

701742

Items added to Favorites are lost after a logout or reboot.

702065

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

703955

When editing the WAF profile in the GUI, changes to the WAF default-allowed-methods are not committed. The CLI must be used.

704209

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

704638

Add column for Absolute Date/Time to the GUI Log Viewer.

706711

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

710946

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

713580

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

715256

When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI.

HA

Bug ID

Description

659837

The HA secondary cannot synchronize a new virtual switch configuration from the primary.

670331

Management access not working in transparent mode cluster after upgrade.

671288

FortiGate in standalone mode has a virtual MAC address.

684051

IPv6 link local address is not generated in FGCP.

690248

Malicious certificate database is not getting updated on the secondary unit.

692212

The interfaces on NP6 platforms are down when doing a configuration revert in HA mode.

693178

Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster.

693223

hasync crashes with signal 11 in ha_same_fosver_with_manage_master.

714113

GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception.

Intrusion Prevention

Bug ID

Description

686301

ipshelper CPU spikes when configuration changes are made.

688888

BZIP2 file including EICAR is detected in the original direction of the flow mode firewall policy even though scan-bzip2 is disabled.

689259

Flow-Based AV scanning does not send specific extension files to FortiSandbox.

691395

Signature false positives causing outage after IPS database update.

694777

Application, IPS, and AV databases and engines are not updated by scheduled updates if a security policy is used.

IPsec VPN

Bug ID

Description

578879, 676728

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

658215

When the SA is about to expire, before it is removed it is not offloaded so the traffic may not go through.

659442

NP6Lite platforms may enter conserve mode because the get/put reference count for pinfo is not reasonable. When there is an inbound SA update, the old pinfo is not freed.

690903

ADVPN shortcut is flapping when spokes are behind one-to-one NAT.

691878

Creating or updating a user with two-factor authentication causes dialup VPN traffic to stop.

691929

When multiple dialup phase 1 gateways are configured on the hub that are nearly identical, when using peer group authentication after fnbam verification, the IKE gateway could switch from one to another even if two gateways have a different network ID.

694992

Issue establishing IPsec and L2TP tunnel with Chromebook behind NAT.

709850

Duplicate IP assigned by IKE Mode Config due to static gateway being out of sync after HA flapping. The tunnel that is out of sync cannot receive the deletion from the hub and holds on to an IP that has already been released.

710961

Hub is dropping packets due to Failed to find IPsec Common after upgrading from 6.2.6 to 6.2.7.

Log & Report

Bug ID

Description

661040

Cyrillic characters not displayed properly in local reports.

677540

First TCP connection to syslog server is not stable.

682444

No event log generated when log disk needs format.

696825

In rare cases, reportd crashes when the number of items can be zero, but the pie chart is still generated successfully.

710344

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

711946

FortiAnalyzer cannot process the packet loss field in the log because the field has a % in it.

Proxy

Bug ID

Description

634117

WAD crash on reconnect bypass. With a special timing, when the server triggers error handling that results in the WAD bypassing the SSL connection, the server-side TCP port is already closed, and the wad_sched_event object is already freed.

670339

Proxy-based SSL out-band-probe session has local out connection. Since the local out session will not learn the router policy, it makes all outbound connections fail if there is no static router to the destination.

682980

Proxy deep inspection workaround needed for sites that require psk_key_exchange_modes.

684168

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

691468

WAD IPS crashes because task is scheduled after closing.

692462

Transparent proxy implicit deny policy is not blocking access.

693441

WAD crashes at wad_client_cert_req_act_get when SSL layer configuration is cleaned up after policy matching.

693951

Cannot access Java-based application in proxy mode.

695042

A coding error can cause integer overflow on crafted HTTP requests and read out-of-boundary memory. Sometimes, PCRE match crashes due to this out-of-boundary memory access.

700073, 714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

REST API

Bug ID

Description

597707

REST API /api/v2/monitor/firewall/security-policy adds UUID data for security policy statistics.

663441

REST API unable to change status of interface when VDOMs are enabled.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

579884

VRF configuration in WWAN interface has no effect after reboot.

684378

Traffic is forwarded out to the wrong interface if an LTE interface is an SD-WAN member. The LTE interface may lose its SD-WAN flag during modem initialization.

685871

OSPFv3 routes are missing from routing table when unsetting or setting the ASBR table.

686829

ADVPN and SD-WAN reply direction randomly chooses ECMP path rather than following shortcut.

690164

FortiGuard DDNS does not follow FortiGuard interface select method, and it does not support HA failover functionality.

691687

Return packets are not always sent back through the correct path.

692241

BGP daemon consumes high CPU in ADVPN setup when disconnecting after socket writing error.

693238

OSPF neighbor cannot form with spoke in ADVPN setup if the interface has a parent link and it is a tunnel.

693496

SD-WAN rules not working for FortiAnalyzer settings because the interface-select-method is implemented on a remote device FortiAnalyzer/FDS but not added to FortiView/log viewing API.

697658

FortiCloud activation does not honor the set interface-select-method command under config system fortiguard.

698360

OSPF area range routes lost during HA failover.

700537

GRE configuration fails on MAP-E interface (vne.root).

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

704225, 706448

In some WAD proxy cases, the WAD local session cannot get the SYN-ACK packet.

705470

Reply direction keeps flapping between different tunnels after unrelated FIB update.

705767

SD-WAN rules are not working with route tags and VRF.

706417

FortiGate crashes when doing ping6 on VDOM link interface.

712093

Hub return path does not update after branch SD-WAN SLA failover.

Security Fabric

Bug ID

Description

650724

Invalid license data supplied by FortiGuard/FortiCare causes invalid warning in the Security Rating report.

SSL VPN

Bug ID

Description

586035

The policy script-src 'self' will block the SSL VPN proxy URL.

610995

SSL VPN web mode gets error when accessing internal website at https://st***.st***.ca/.

659322

SSL VPN disconnects all connections after adding new address to IP pool.

669506

SSL VPN web mode cannot load web page https://jira.ca.ob***.com properly based on Jira application.

669663

There are potential cases where the UDP redirect port is used by other parts of the system, which causes SSL VPN to restart.

670731

Internal application server/website bookmark (https://***.***.***.***:****/nexgen/) not working in SSL VPN web mode.

672743

sslvpnd segmentation fault crash due to old DNS entries in cache that cannot be released if the same results were added into the cache but in a different order.

675204

JSON parse error returned SSL VPN web mode for website https://bi***.u***.cat/az.php.

677031

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

678996

Customized replacement messages for SSL VPN login page sometimes cannot be parsed correctly, causing the FortiToken authentication page to not appear.

680744

Internal SolarWinds Orion platform's webpages have issue in SSL VPN web mode.

681424

Unable to access sc***.com in SSL VPN web mode.

681764

Video could not load for https://le***.sm***.ca in SSL VPN web mode.

683601

Changing DNS or WINS server under VPN SSL settings logs off connected users.

683963

SSL VPN bookmark fails to authenticate user through single sign-on for internal website login.

684012

SSL VPN crashed with signal 11 (segmentation fault) uri_search because of rules set for a special case.

684866

Specific content in portal.ag***.com cannot be shown in SSL VPN web mode.

688023

SSL VPN bookmarked website shows empty page after logging in to SSL VPN gateway https://vd***.vi***.com.

689616

When a client is connected to SSL VPN and has an internet outage for more than 15 seconds, the client fails to reconnect.

690217

Unable to display the data in SSL VPN web mode on innovaphone PBX link.

690282

Access through web portal to an Opengear Lighthouse server does not load the login page properly.

690507

SSO login for the bookmark to access FortiAnalyzer GUI does not work.

690686

Certificate authentication does not check PKI users in the expected order.

694226

SSL VPN web mode removes ant-tree components in HTML source.

696009

Tunnel IP pool leak when DTLS tunnel user session is deleted due to timeout (idle or authentication).

700673

Unexpected group to portal matching priority with SAML authentication.

703007

SSL VPN web mode has problem accessing https://mf***.sa***.com.sa/Login.aspx?url=Default.aspx.

705695

OS check for SSL VPN tunnel is not working on macOS Big Sur; the connection is rejected when the action is set to allow.

706185

OWA user details are not showing in SSL VPN web mode.

706270

sslvpnd signal 11 (Segmentation fault) received caused by a pointer arithmetic error.

710163

SSL VPN stuck loading https://el***.***-data.pl when wrong credential was entered.

714604

SSL VPN daemon may crash when connection releases.

Switch Controller

Bug ID

Description

690904

Unable to de-authorize FortiSwitch, or assign VLAN on FortiSwitch port on a tenant VDOM.

691985

L3 managed FortiSwitch configuration synchronization error due to the empty string parameter in ptp-policy on managed port configuration.

696405

disable-discovery of a FortiSwitch on one VDOM should not make the FortiSwitch disconnect from another VDOM.

700220

A limit is needed to prevent changes to default-virtual-switch-vlan in the tenant VDOM if there already are leased FortiSwitch ports.

700310

When managed switch PTP policy and settings configuration was pushed as part of initial FortiLink configuration, the FortiLink connection is in an error state.

700842

FortiSwitch MAC delete logs are not being generated.

702942

FortiLink trunk is not formed on FortiSwitch connecting to FortiGate. When managed switches are learned on the software switch and hardware switch, they were deleted from the CLI, and fortilinkd did not clear the states for those switches so new switches were not learned.

System

Bug ID

Description

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

572038

VPN throughput dropped when FEC is enabled.

616576

DoS log counters are inaccurate (policy counters, event log entries, packet counts).

648406

Flow-based inspection with virtual wire pair causes MAC to flap.

650411

SSL local certificate cannot be imported via CMDB API (api/v2/cmdb/vpn.certificate/local) due to certificate data handling in CMF plugin (vpn.certificate/local).

655555

Unable to sniff LLDP frames on management and TFTP ports.

660441

When a PPPoE interface is enabled, it overwrites the LAN address object that was created.

663826

Fortinet Factory certificate key integrity check failed in diagnose hardware certificate command.

664279

snmpd crashes when sorting a list-based ARP table if it has about 50,000 or more entries.

666210

diagnose sys csum command shows wrong hash on SOC4 appliances (FG-60F, FG-61F, FG-100F and FG-101F).

666418

SFP interfaces on FG-330xE do not show link light.

667307

Console prints out NP6XLITE: np6xlite_hw_ipl_rw_mem_channel timeout message on SoC4 platforms.

668856

Offloaded traffic passing through two VDOMs connected with EMAC-VLANs is sometimes dropped.

671972

If cfg-save is set to manual (under config system global), it causes problems with the queries made when parsing the internet service database.

672065

CMDB may crash during boot up when querying VPN SSL settings.

672183

UDP 4500 inter-VDOM traffic is not offloaded, causing BFD/IPsec to drop.

675842

Get Failed on update FortiGuardDDNS error for fortiddns when secondary device becomes primary device in an HA cluster.

677263

When changing the interface speed, some checking is skipped if it is set from FortiManager.

677568

Failed to parse execute restore config properly when the command is from a FortiManager script.

678469

Configuration attribute field in system event logs has length limitation.

678734

GeoIP6 address causes policy to not install properly in the kernel.

680881

Rebooting device causes interface mode to change from static to DHCP.

681478

After reboot, get global.system.interface.npu0_vlink0 config error when VDOM is in transparent mode.

686442

Traffic was stopped because PBA IP pool has the wrong relationship information.

686539

Egress interface-based traffic shaping is not applied if the session is processed by NTurbo.

687519

Bulk changes through the CLI are very slow with 24000 existing policies.

688316

After upgrading from 6.4.2 to 6.4.4, some configurations moved to another VDOM.

689317, 698927

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

689873

Sometimes a VWL service adds a child without a parent, leading to a signal 6 (Aborted) crash received at cmf_query_ses_update_child.

690762

Application lted signal 11 crash on FWF-40F-3G4G.

690797

Huawei E8372h-320 LTE modem does not receive IP on FG-30E.

691858

The newcli process crashes or shows an error when creating a VIP with the same external interface IP but a different source address filter.

692490

When an <entry name> is on the same line as config <setting> <setting> <entry name>, it is not handled properly to send to FortiManager.

693757

Secondary FG-5001D blades in SLBC cluster do not show updated contract dates.

694754

Cloning a firewall policy may cause cmdbsvr to crash.

696517

NPU6 is not able to support WCCP traffic offloading. The NTurbo driver received packets that included an additional IPv4 header and WCCP header. NTurbo is unable to process this kind of packet, so they were dropped.

696622

FortiGate cannot get gateway from built-in LTE modem on all LTE capable FortiGate platforms.

698005

In some environments, host-side DPDK affects the benchmark result.

698014

When running execute speed-test command, it shows all VLAN and SSL interfaces from other VDOMs.

700513

802.1x wiredap does not correctly process the TagID in the Tunnel-Private-Group-ID attribute.

706131

When processing visibility log requests and passively learning FQDNs and wildcard FQDN addresses at a high rate, the CPU usage of dnsproxy can reach 90% or higher.

710807

FGR-60F WAN1 and WAN2 fail to connect to the network due to board ID GPIO assignment being incorrect.

710934

FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

715054

Add downgrade code for DHCP server so it can be used in DHCP relay.

735492

Many processes are in a "D" state due to unregister_netdevice.

Upgrade

Bug ID

Description

725369

After upgrading to 6.4.5, VIP randomly stops working and a find DNAT: IP-0.0.0.0 message appears.

User & Authentication

Bug ID

Description

580391

Unable to create MAC address-based policies in NGFW.

658228

The authd and foauthd processes may crash due to crypto functions being set twice.

662404

Wildcard LDAP users created on FortiToken Cloud have the first character of the username removed.

688973

OCSP verification fails with Can't convert OCSP rsp error after upgrading.

697278

SAML entity ID can only be entered in HTTP format, but as per standard should also support URN.

707578

If a certificate authentication job expires in fnbamd, an error is returned to caller that makes the proxy block client traffic.

712354

Firewall policy does not allow multiple SAML users that reference the same SAML server.

VM

Bug ID

Description

689239

Azure route table is not using the proper subscription ID during failover.

690863

EIP is not updating properly with execute update-eip command in Azure with standard SKU public IP in some Canadian regions, like CanadaCentral and CanadaEast.

695957

Azure SDN connector gets an empty IP list when the REST API call fails, which results in IPsec connection being interrupted until the next SDN connector update succeeds (one-minute interval).

698810

Bootstrap does not work with FG-VM on Azure Stack.

700381

FG-VM kernel panicked and rebooted after sending through IPv6 traffic.

713279

After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period.

WAN Optimization

Bug ID

Description

686729

Transparent mode configuration was not learned properly in 6.4.

Web Application Firewall

Bug ID

Description

624452

user-agent setting under config system external-resource does not accept XSS characters.

Web Filter

Bug ID

Description

593203

Cannot enter a name for the web rating override or save it due to name input error.

668325

A hanging FortiGuard connection is not torn down in some situations.

WiFi Controller

Bug ID

Description

529727

The configured MAC address of the VAP interface did not take effect after rebooting.

621346

Dynamic VLAN on SSID cannot pass traffic through FG-100F/101F and FG-60F/61F when offloading is enabled.

677994

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

686631

Wireless country setting option needs to remove sanctioned countries and add missing countries.

690483

Wireless default WTP profile not synchronized between FWF-61E with HA A-A mode.

698961

FWF-60F/61F and FWF-40F encounter kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

699187

SSH session shows periodical cw_ac_wl_cfg_2_dinfo.

699905

FAP-421E does not come online over IPsec tunnel and shows a certificate error.

707635

AP with MAC E0-23-FF not coming online through mesh with FortiWiFi radio set to root.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

677844

FortiOS 6.4.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-26092

Resolved issues

The following issues have been fixed in version 6.4.6. To inquire about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID

Description

650160 When using email filter profile, emails are being queued due to IMAP proxy being in stuck state.

Anti Virus

Bug ID

Description

524571

Quarantined files cannot be fetched in the AV log page if the file was already quarantined under another protocol.

683835

Files fail to open in some CIFS setups where FortiOS cannot generate a signature.

707186

Scanunit crashes with signal 11 when users attach files in the Outlook Web App.

Application Control

Bug ID

Description

576727

Unknown Applications category is not present in NGFW policy-based mode.

DNS Filter

Bug ID

Description

682060

DNS proxy is holding 60% memory caused by retransmitted DNS messages sent from DNS clients, which causes the FortiGate to enter conserve mode.

693551

DNS filter is not working on active VDOM in second HA unit in virtual cluster environment.

Endpoint Control

Bug ID

Description

691477

EMS dynamic address synchronization delay in FortiGate IPv4 policy.

Explicit Proxy

Bug ID

Description

654455

Proxy policy destination address set to none allows all traffic.

681054

Web proxy users are disconnected due to external resource update flushing the user even if they do not have an authentication rule using the related proxy address or IP list.

689002

Proxy traffic failed after modifying resource setting in external connector.

697566

Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7.

700451

Wrong source IP used intermittently when FortiGate has SD-WAN and is transparently proxy forwarding to explicit proxy.

Firewall

Bug ID

Description

474612

SNAT is using low ports below 1023 for NTP.

595949

Any changes to the security policy table causes the hit count to reset.

644225

Challenge ACK is being dropped.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

683426

No hit counts on policy for DHCP broadcast packets in transparent mode.

683669

Firewall schedule settings are not following daylight saving time.

694154

Dynamic traffic shapers are not consistent in their idle time limit.

696619

FGSP synchronized UDP sessions may be blocked in NGFW policy mode when asymmetric routing is used due to a policy matching failure. Other types of traffic may also be affected (such as TCP) in the case of failover of the reply direction traffic to a different FortiGate in the FGSP cluster.

699785

Firewall performance may degrade when thousands of VIPs are configured.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

673225

FortiView Top Traffic Shaping widget does not show data for outbound traffic if the source interface's role is WAN. Data is displayed if the source interface's role is LAN, DMZ, or undefined.

683413

Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled.

Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats - WAN, and Top Vulnerable Endpoint Devices.

GUI

Bug ID

Description

561420

On Traffic Shaping Policy list page, right-click option to show matching logs does not work.

592854

An address created by the VPN wizard cannot save changes due to an incorrect validation check for parentheses, (), in the Comments field.

599815

Add support for case-insensitive inspection of the username of an email address.

602102

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

636208

On SD-WAN Rules page, the GUI does not indicate which outgoing interface is active. This is due to auto-discovery VPN routing changes.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

647431

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

652522

When performed from the primary FortiGate, using the GUI to change a firewall policy action from accept to deny does not disable the IP pool setting, causing the HA cluster to be out of sync. Updating the policy via the CLI does not have this issue.

656599

After upgrading firmware, the CLI script action has a required administrator profile to restrict capabilities. This profile cannot exceed the current administrator's permissions. When configuring a stitch, an administrator can only choose a CLI script that has equal or lesser permissions than the current administrator.

656668

On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address.

665111

There is no way to add a line break when using the GUI to edit the replacement message for pre_admin-disclaimer-text. One must use the CLI with the Shift + Enter keys to insert a line break.

665597

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

665712

When multiple favorite menus are configured, the new features video pops up after each GUI login, even though user previously selected Don't show again.

670026

When editing a DoS policy, users were able to click OK twice as there was a small delay until the dialog was saved and closed. Clicking twice would cause unwanted changes to the policy. This has been corrected as Submit buttons are now disabled while a dialog is submitting. This fix covers all policy dialogs.

672599

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

674548

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

680804

On the SD-WAN Rules page, the default implicit rule shows a destination address of Route tag: undefined.

680805

The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.

682008

On the SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing domain name for VPN gateway.

682077

Log viewer should use relative timestamps for dates less than seven days old.

682547

Unable to change System Settings when in split VDOM mode; the error Administration settings failed to save is displayed.

684904

When a FortiGate with VDOM and explicit proxy enabled has an access profile with packet capture set to none, administrators with this access profile are not able to create an explicit proxy policy.

688076

The Firewall Address and Service pages cannot load on a downstream FortiGate if Fabric Synchronization is enabled, but the downstream FortiGate cannot reach the root FortiGate.

688994

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

689605

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

697667

When the FortiGate is managed by FortiManager, an administrator that selects Login Read-Only is incorrectly allowed to select Update firmware in System > Firmware, browse for an image, and install it.

701742

Items added to Favorites are lost after a logout or reboot.

702065

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

703955

When editing the WAF profile in the GUI, changes to the WAF default-allowed-methods are not committed. The CLI must be used.

704209

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

704638

Add column for Absolute Date/Time to the GUI Log Viewer.

706711

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

710946

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

713580

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

715256

When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI.

HA

Bug ID

Description

659837

The HA secondary cannot synchronize a new virtual switch configuration from the primary.

670331

Management access not working in transparent mode cluster after upgrade.

671288

FortiGate in standalone mode has a virtual MAC address.

684051

IPv6 link local address is not generated in FGCP.

690248

Malicious certificate database is not getting updated on the secondary unit.

692212

The interfaces on NP6 platforms are down when doing a configuration revert in HA mode.

693178

Sessions timeout after traffic failover goes back and forth on a transparent FGSP cluster.

693223

hasync crashes with signal 11 in ha_same_fosver_with_manage_master.

714113

GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception.

Intrusion Prevention

Bug ID

Description

686301

ipshelper CPU spikes when configuration changes are made.

688888

BZIP2 file including EICAR is detected in the original direction of the flow mode firewall policy even though scan-bzip2 is disabled.

689259

Flow-Based AV scanning does not send specific extension files to FortiSandbox.

691395

Signature false positives causing outage after IPS database update.

694777

Application, IPS, and AV databases and engines are not updated by scheduled updates if a security policy is used.

IPsec VPN

Bug ID

Description

578879, 676728

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

658215

When the SA is about to expire, before it is removed it is not offloaded so the traffic may not go through.

659442

NP6Lite platforms may enter conserve mode because the get/put reference count for pinfo is not reasonable. When there is an inbound SA update, the old pinfo is not freed.

690903

ADVPN shortcut is flapping when spokes are behind one-to-one NAT.

691878

Creating or updating a user with two-factor authentication causes dialup VPN traffic to stop.

691929

When multiple dialup phase 1 gateways are configured on the hub that are nearly identical, when using peer group authentication after fnbam verification, the IKE gateway could switch from one to another even if two gateways have a different network ID.

694992

Issue establishing IPsec and L2TP tunnel with Chromebook behind NAT.

709850

Duplicate IP assigned by IKE Mode Config due to static gateway being out of sync after HA flapping. The tunnel that is out of sync cannot receive the deletion from the hub and holds on to an IP that has already been released.

710961

Hub is dropping packets due to Failed to find IPsec Common after upgrading from 6.2.6 to 6.2.7.

Log & Report

Bug ID

Description

661040

Cyrillic characters not displayed properly in local reports.

677540

First TCP connection to syslog server is not stable.

682444

No event log generated when log disk needs format.

696825

In rare cases, reportd crashes when the number of items can be zero, but the pie chart is still generated successfully.

710344

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

711946

FortiAnalyzer cannot process the packet loss field in the log because the field has a % in it.

Proxy

Bug ID

Description

634117

WAD crash on reconnect bypass. With a special timing, when the server triggers error handling that results in the WAD bypassing the SSL connection, the server-side TCP port is already closed, and the wad_sched_event object is already freed.

670339

Proxy-based SSL out-band-probe session has local out connection. Since the local out session will not learn the router policy, it makes all outbound connections fail if there is no static router to the destination.

682980

Proxy deep inspection workaround needed for sites that require psk_key_exchange_modes.

684168

WAD process consumes memory and crashes because of a memory leak that happened due to a coding error when calling the FortiAP API. The API misbehaves when there are no FortiAP appliances in the cluster.

691468

WAD IPS crashes because task is scheduled after closing.

692462

Transparent proxy implicit deny policy is not blocking access.

693441

WAD crashes at wad_client_cert_req_act_get when SSL layer configuration is cleaned up after policy matching.

693951

Cannot access Java-based application in proxy mode.

695042

A coding error can cause integer overflow on crafted HTTP requests and read out-of-boundary memory. Sometimes, PCRE match crashes due to this out-of-boundary memory access.

700073, 714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

REST API

Bug ID

Description

597707

REST API /api/v2/monitor/firewall/security-policy adds UUID data for security policy statistics.

663441

REST API unable to change status of interface when VDOMs are enabled.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

579884

VRF configuration in WWAN interface has no effect after reboot.

684378

Traffic is forwarded out to the wrong interface if an LTE interface is an SD-WAN member. The LTE interface may lose its SD-WAN flag during modem initialization.

685871

OSPFv3 routes are missing from routing table when unsetting or setting the ASBR table.

686829

ADVPN and SD-WAN reply direction randomly chooses ECMP path rather than following shortcut.

690164

FortiGuard DDNS does not follow FortiGuard interface select method, and it does not support HA failover functionality.

691687

Return packets are not always sent back through the correct path.

692241

BGP daemon consumes high CPU in ADVPN setup when disconnecting after socket writing error.

693238

OSPF neighbor cannot form with spoke in ADVPN setup if the interface has a parent link and it is a tunnel.

693496

SD-WAN rules not working for FortiAnalyzer settings because the interface-select-method is implemented on a remote device FortiAnalyzer/FDS but not added to FortiView/log viewing API.

697658

FortiCloud activation does not honor the set interface-select-method command under config system fortiguard.

698360

OSPF area range routes lost during HA failover.

700537

GRE configuration fails on MAP-E interface (vne.root).

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

704225, 706448

In some WAD proxy cases, the WAD local session cannot get the SYN-ACK packet.

705470

Reply direction keeps flapping between different tunnels after unrelated FIB update.

705767

SD-WAN rules are not working with route tags and VRF.

706417

FortiGate crashes when doing ping6 on VDOM link interface.

712093

Hub return path does not update after branch SD-WAN SLA failover.

Security Fabric

Bug ID

Description

650724

Invalid license data supplied by FortiGuard/FortiCare causes invalid warning in the Security Rating report.

SSL VPN

Bug ID

Description

586035

The policy script-src 'self' will block the SSL VPN proxy URL.

610995

SSL VPN web mode gets error when accessing internal website at https://st***.st***.ca/.

659322

SSL VPN disconnects all connections after adding new address to IP pool.

669506

SSL VPN web mode cannot load web page https://jira.ca.ob***.com properly based on Jira application.

669663

There are potential cases where the UDP redirect port is used by other parts of the system, which causes SSL VPN to restart.

670731

Internal application server/website bookmark (https://***.***.***.***:****/nexgen/) not working in SSL VPN web mode.

672743

sslvpnd segmentation fault crash due to old DNS entries in cache that cannot be released if the same results were added into the cache but in a different order.

675204

JSON parse error returned in SSL VPN web mode for website https://bi***.u***.cat/az.php.

677031

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

678996

Customized replacement messages for SSL VPN login page sometimes cannot be parsed correctly, causing the FortiToken authentication page to not appear.

680744

Internal SolarWinds Orion platform's webpages have issue in SSL VPN web mode.

681424

Unable to access sc***.com in SSL VPN web mode.

681764

Video could not load for https://le***.sm***.ca in SSL VPN web mode.

683601

Changing DNS or WINS server under VPN SSL settings logs off connected users.

683963

SSL VPN bookmark fails to authenticate user through single sign-on for internal website login.

684012

SSL VPN crashed with signal 11 (segmentation fault) uri_search because of rules set for a special case.

684866

Specific content in portal.ag***.com cannot be shown in SSL VPN web mode.

688023

SSL VPN bookmarked website shows empty page after logging in to SSL VPN gateway https://vd***.vi***.com.

689616

When a client is connected to SSL VPN and has an internet outage for more than 15 seconds, the client fails to reconnect.

690217

Unable to display the data in SSL VPN web mode on innovaphone PBX link.

690282

Access through web portal to an Opengear Lighthouse server does not load the login page properly.

690507

SSO login for the bookmark to access FortiAnalyzer GUI does not work.

690686

Certificate authentication does not check PKI users in the expected order.

694226

SSL VPN web mode removes ant-tree components in HTML source.

696009

Tunnel IP pool leak when DTLS tunnel user session is deleted due to timeout (idle or authentication).

700673

Unexpected group to portal matching priority with SAML authentication.

703007

SSL VPN web mode has problem accessing https://mf***.sa***.com.sa/Login.aspx?url=Default.aspx.

705695

OS check for SSL VPN tunnel is not working on macOS Big Sur; the connection is rejected when the action is set to allow.

706185

OWA user details are not showing in SSL VPN web mode.

706270

sslvpnd signal 11 (Segmentation fault) received caused by a pointer arithmetic error.

710163

SSL VPN stuck loading https://el***.***-data.pl when wrong credential was entered.

714604

SSL VPN daemon may crash when connection releases.

Switch Controller

Bug ID

Description

690904

Unable to de-authorize FortiSwitch, or assign VLAN on FortiSwitch port on a tenant VDOM.

691985

L3 managed FortiSwitch configuration synchronization error due to the empty string parameter in ptp-policy on managed port configuration.

696405

disable-discovery of a FortiSwitch on one VDOM should not make the FortiSwitch disconnect from another VDOM.

700220

A limit is needed to prevent changes to default-virtual-switch-vlan in the tenant VDOM if there already are leased FortiSwitch ports.

700310

When managed switch PTP policy and settings configuration was pushed as part of initial FortiLink configuration, the FortiLink connection is in an error state.

700842

FortiSwitch MAC delete logs are not being generated.

702942

FortiLink trunk is not formed on FortiSwitch connecting to FortiGate. When managed switches are learned on the software switch and hardware switch, they were deleted from the CLI, and fortilinkd did not clear the states for those switches so new switches were not learned.

System

Bug ID

Description

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

572038

VPN throughput dropped when FEC is enabled.

616576

DoS log counters are inaccurate (policy counters, event log entries, packet counts).

648406

Flow-based inspection with virtual wire pair causes MAC to flap.

650411

SSL local certificate can not be imported via CMDB API (api/v2/cmdb/vpn.certificate/local) due to certificate data handling in CMF plugin (vpn.certificate/local).

655555

Unable to sniff LLDP frames on management and TFTP ports.

660441

When a PPPoE interface is enabled, it overwrites the LAN address object that was created.

663826

Fortinet Factory certificate key integrity check failed in diagnose hardware certificate command.

664279

snmpd crashes when sorting a list-based ARP table if it has about 50,000 or more entries.

666210

diagnose sys csum command shows wrong hash on SOC4 appliances (FG-60F, FG-61F, FG-100F and FG-101F).

666418

SFP interfaces on FG-330xE do not show link light.

667307

Console prints out NP6XLITE: np6xlite_hw_ipl_rw_mem_channel timeout message on SoC4 platforms.

668856

Offloaded traffic passing through two VDOMs connected with EMAC-VLANs is sometimes dropped.

671972

If cfg-save is set to manual (under config system global), it causes problems with the queries made when parsing the internet service database.

672065

CMDB may crash during boot up when querying VPN SSL settings.

672183

UDP 4500 inter-VDOM traffic is not offloaded, causing BFD/IPsec to drop.

675842

Get Failed on update FortiGuardDDNS error for fortiddns when secondary device becomes primary device in an HA cluster.

677263

When changing the interface speed, some checking is skipped if it is set from FortiManager.

677568

Failed to parse execute restore config properly when the command is from a FortiManager script.

678469

Configuration attribute field in system event logs has length limitation.

678734

GeoIP6 address causes policy to not install properly in the kernel.

680881

Rebooting device causes interface mode to change from static to DHCP.

681478

After reboot, get global.system.interface.npu0_vlink0 config error when VDOM is in transparent mode.

686442

Traffic was stopped because PBA IP pool has the wrong relationship information.

686539

Egress interface-based traffic shaping is not applied if the session is processed by NTurbo.

687519

Bulk changes through the CLI are very slow with 24000 existing policies.

688316

After upgrading from 6.4.2 to 6.4.4, some configurations moved to another VDOM.

689317, 698927

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

689873

Sometimes a VWL service adds a child without a parent, leading to a signal 6 (Aborted) crash received at cmf_query_ses_update_child.

690762

Application lted signal 11 crash on FWF-40F-3G4G.

690797

Huawei E8372h-320 LTE modem does not receive IP on FG-30E.

691858

The newcli process crashes or shows an error when creating a VIP with the same external interface IP but a different source address filter.

692490

When an <entry name> is on the same line as config <setting> <setting> <entry name>, it is not handled properly to send to FortiManager.

693757

Secondary FG-5001D blades in SLBC cluster do not show updated contract dates.

694754

Cloning a firewall policy may cause cmdbsvr to crash.

696517

NPU6 is not able to support WCCP traffic offloading. The NTurbo driver received a packet that included an additional IPv4 header and WCCP header. NTurbo is unable to process this kind of packet, so it was dropped.

696622

FortiGate cannot get gateway from built-in LTE modem on all LTE capable FortiGate platforms.

698005

In some environments, host-side DPDK affects the benchmark result.

698014

When running execute speed-test command, it shows all VLAN and SSL interfaces from other VDOMs.

700513

802.1x wiredap does not correctly process the TagID in the Tunnel-Private-Group-ID attribute.

706131

When processing visibility log requests and passively learning FQDNs and wildcard FQDN addresses at a high rate, the CPU usage of dnsproxy can reach 90% or higher.

710807

FGR-60F WAN1 and WAN2 fail to connect to the network due to board ID GPIO assignment being incorrect.

710934

FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

715054

Add downgrade code for DHCP server so it can be used in DHCP relay.

735492

Many processes are in a "D" state due to unregister_netdevice.

Upgrade

Bug ID

Description

725369

After upgrading to 6.4.5, VIP randomly stops working and a find DNAT: IP-0.0.0.0 message appears.

User & Authentication

Bug ID

Description

580391

Unable to create MAC address-based policies in NGFW.

658228

The authd and foauthd processes may crash due to crypto functions being set twice.

662404

Wildcard LDAP users created on FortiToken Cloud have the first character of the username removed.

688973

OCSP verification fails with Can't convert OCSP rsp error after upgrading.

697278

SAML entity ID can only be entered in HTTP format, but as per standard should also support URN.

707578

If a certificate authentication job expires in fnbamd, an error is returned to caller that makes the proxy block client traffic.

712354

Firewall policy does not allow multiple SAML users that reference the same SAML server.

VM

Bug ID

Description

689239

Azure route table is not using the proper subscription ID during failover.

690863

EIP is not updating properly with execute update-eip command in Azure with standard SKU public IP in some Canadian regions, like CanadaCentral and CanadaEast.

695957

Azure SDN connector gets an empty IP list when the REST API call fails, which results in IPsec connection being interrupted until the next SDN connector update succeeds (one-minute interval).

698810

Bootstrap does not work with FG-VM on Azure Stack.

700381

FG-VM kernel panicked and rebooted after sending through IPv6 traffic.

713279

After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period.

WAN Optimization

Bug ID

Description

686729

Transparent mode configuration was not learned properly in 6.4.

Web Application Firewall

Bug ID

Description

624452

user-agent setting under config system external-resource does not accept XSS characters.

Web Filter

Bug ID

Description

593203

Cannot enter a name for the web rating override or save it due to name input error.

668325

A hanging FortiGuard connection is not torn down in some situations.

WiFi Controller

Bug ID

Description

529727

The configured MAC address of the VAP interface did not take effect after rebooting.

621346

Dynamic VLAN on SSID cannot pass traffic through FG-100F/101F and FG-60F/61F when offloading is enabled.

677994

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

686631

Wireless country setting option needs to remove sanctioned countries and add missing countries.

690483

Wireless default WTP profile not synchronized between FWF-61E with HA A-A mode.

698961

FWF-60F/61F and FWF-40F encounter a kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

699187

SSH session shows periodical cw_ac_wl_cfg_2_dinfo.

699905

FAP-421E does not come online over IPsec tunnel and shows a certificate error.

707635

AP with MAC E0-23-FF not coming online through mesh with FortiWiFi radio set to root.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

677844

FortiOS 6.4.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-26092