Known issues

The following issues have been identified in Hyperscale firewall for FortiOS 6.4.6 Build 5868. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.4.6 release notes also apply to Hyperscale firewall for FortiOS 6.4.6 Build 5868.

Bug ID

Description

704851

The config system session-ttl command is a VDOM command, configured from a VDOM. However, options set by this command apply to all CGNAT VDOMs and not just the VDOM in which they are set.

720247

MAC filter drops sometimes appear on SIP traffic.

727145

Some CPUs or NP7 processors may get stuck because of FIFO deadlocks and hardware/software session conflicts.

727391

For optimal performance, if your configuration includes 256 or more VLANs, set the following option to disable:

config system npu

set vlan-lookup-cache {disable | enable}

end

Enabling or disabling vlan-lookup-cache requires a system restart, so change this setting only during a maintenance window.

728299

If you disable all hyperscale firewall policies in a VDOM and then enable them in random order, SNMP queries about these policies will show incorrect policy IDs.

729627

After an HA failover, sessions in the new primary FortiGate are incorrectly labeled as native sessions when they are sync-over sessions.

729645

In some cases, leftover UDP IPv4 sessions are not cleared from the session list.

731041

Hyperscale firewall sessions using fixed allocation IP pools may be dropped during an FGCP HA failover.

725502

Traffic passing through virtual network interfaces is not offloaded to NP7 processors.

730238

Configurations with a large number of VDOMs may cause NPD UNKNOW ERRNO errors.

730441

Processing large amounts of IPv6 multicast traffic over extended time periods may cause the FortiGate to restart.

727277

Error messages may appear on the CLI console after adding or deleting transparent mode VDOMs.

729443

NAT64 hyperscale firewall policies will be lost after upgrading from FortiOS 6.2.7 build 7105 to 6.4.6 Build 5868 if the NAT64 policies are configured to send hardware log messages to a log server with an IPv4 address. You can work around this issue by replacing the IPv4 log server with an IPv6 log server before upgrading.

729616

The GUI and CLI allow you to incorrectly configure IPv4 hyperscale firewall policies that include a hardware logging server with an IPv6 address. For more information, see Hardware logging server IP address restrictions.

728583

WCCP firewall policies will block traffic if an IPS sensor has been added to the policy and np-acceleration is also enabled. The traffic is blocked because of an issue with NTurbo. You can work around this issue by disabling np-acceleration on the policy.

727283

The GUI menu of an FGCP HA cluster can show duplicate Dashboard > Status entries.

728629

Hyperscale sessions matched by policy routes may not be successfully offloaded if the source address of the policy route is entered in the IP/Netmask field. Sessions accepted by policy routes whose source address is one or more firewall addresses added to the Addresses field should work as expected.

729062

Including IPv4 and IPv6 firewall addresses in the same hyperscale firewall policy will not work as intended. Instead, you should create separate IPv4 and IPv6 hyperscale firewall policies.

728439

ECMP load balancing may not work as expected in the reply direction. Instead of traffic being load balanced between multiple destinations, all traffic uses the same destination.

728307

When viewing information about a hardware log server from the GUI, the Ref. column does not contain a list of the policies that the hardware log server has been added to.

728202

The srcaddr-negate and dstaddr-negate hyperscale firewall policy options have no effect.

728506

NAT46 and NAT64 hyperscale firewall policies do not include a Name field.

727889

NAT46 and NAT64 UDP packets can intermittently be dropped.

724964

Configuring load balancing by creating multiple policy routes with the same priority and destination does not work as expected. Traffic is not load balanced; all traffic uses one of the policy routes.

728011

The secondary FortiGate in an FGCP HA cluster displays debug messages on the CLI console when the FortiGate is added to a cluster.

728136

For an FGCP HA cluster, the output of the diagnose sys npu-session stat command always indicates that the hit count is 0.

727052

In some cases, the expire counters of user TCP sessions in a hyperscale firewall VDOM are not updated when the sessions receive new traffic. As a result, the sessions expire and have to be restarted.

727465

Transparent mode hyperscale firewall VDOMs may behave in unexpected ways leading to some or all traffic being dropped.

727219

IPv6 UDP traffic may be forwarded by the secondary FortiGate in an FGCP HA A-P cluster.

727288

In some cases, the diagnose sys npu-session list command takes longer than normal to display results and may display incorrect information.

718693

In some configurations, fragmented packets are unexpectedly sent to the CPU instead of NP7 processors.

718442

SNMP queries for NAT64 session counts may not return any data.

706696

SNMP UDP traffic passing through a FortiGate may be dropped when NP7 hardware acceleration is enabled.

724336

Disabling service-negate when editing a hyperscale firewall policy can cause error messages to appear on the CLI console.

724334

In some cases, some sessions are not removed from the secondary FortiGate in an FGCP HA cluster when they expire on the primary FortiGate.

718717

Packets may not be fragmented when they leave an inter-VDOM link interface and the packets are larger than the MTU of the interface.

724085

Traffic sent over an EMAC VLAN interface fails when the source interface is in another VDOM.

730898

TCP traffic may be incorrectly blocked by a specific policy that does not match the traffic but is placed above a general policy that would accept it.

740225

In hyperscale VDOMs, traffic may be blocked by NP7 processors if the firewall policy that accepts the traffic includes an address group with ten or more firewall addresses, one or more of which matches a single IP address. You can work around this problem by removing the single-IP firewall addresses from the address group and adding them directly to the firewall policy. Restart the FortiGate after making the configuration change.
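Bugs 740225 and 729062 above are both conditions you can find by inspecting a CLI configuration backup before traffic is affected. The following Python script is an added example, not Fortinet code: it parses the config/edit/set/next/end export format, flags address groups with ten or more members that include a single-IP address (740225) when they are used in an accepting policy, flags policies that carry both IPv4 and IPv6 address objects (729062), and lists how to split a flagged group per the documented workaround. The embedded configuration is constructed for the example; the assumption that IPv4 objects sit in srcaddr/dstaddr and IPv6 objects in srcaddr6/dstaddr6 is the script's, not the page's.

```python
"""Audit a FortiOS 6.4 CLI export for hyperscale known issues 740225 (address
group with ten or more members, one of them a single IP, used by an accepting
policy) and 729062 (IPv4 and IPv6 addresses in one policy).
Added example, not Fortinet code. Sample config below is constructed.
Parser handles flat tables in the config/edit/set/next/end export format."""
import shlex

MEMBER_THRESHOLD = 10  # "ten or more firewall addresses" (bug 740225)


def parse_fortios(text):
    """Parse a CLI export into {table: {entry: {key: [values]}}}."""
    tables, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = shlex.split(line)          # honours the quoted object names
        cmd = tok[0]
        if cmd == "config":
            stack.append(" ".join(tok[1:]))
            tables.setdefault(stack[-1], {})
        elif cmd == "edit":
            current = (stack[-1], tok[1])
            tables[stack[-1]].setdefault(tok[1], {})
        elif cmd == "set" and current:
            tables[current[0]][current[1]][tok[1]] = tok[2:]
        elif cmd == "next":
            current = None
        elif cmd == "end":
            stack.pop()
    return tables


def is_single_ip(addr):
    """True if a firewall address object matches exactly one IPv4 host."""
    atype = addr.get("type", ["ipmask"])[0]
    if atype == "ipmask":
        subnet = addr.get("subnet", [])
        if len(subnet) == 2:             # "a.b.c.d 255.255.255.255" form
            return subnet[1] == "255.255.255.255"
        return len(subnet) == 1 and subnet[0].endswith("/32")  # CIDR form
    if atype == "iprange":
        return addr.get("start-ip") == addr.get("end-ip")
    return False


def risky_groups(cfg, threshold=MEMBER_THRESHOLD):
    """Groups that trigger 740225: group name -> its single-IP members."""
    addresses = cfg.get("firewall address", {})
    found = {}
    for name, grp in cfg.get("firewall addrgrp", {}).items():
        members = grp.get("member", [])
        if len(members) < threshold:
            continue
        hosts = [m for m in members if is_single_ip(addresses.get(m, {}))]
        if hosts:
            found[name] = hosts
    return found


def lint_policies(cfg):
    """policy id -> findings. Assumes IPv4 objects in srcaddr/dstaddr and
    IPv6 objects in srcaddr6/dstaddr6 (assumption used for the 729062 check)."""
    risky = risky_groups(cfg)
    findings = {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        notes = []
        if pol.get("action", ["deny"])[0] == "accept":
            for field in ("srcaddr", "dstaddr"):
                for grp in pol.get(field, []):
                    if grp in risky:
                        notes.append(f"740225: {field} group {grp} has "
                                     f"{len(risky[grp])} single-IP member(s)")
        if (pol.get("srcaddr") and pol.get("srcaddr6")) or \
                (pol.get("dstaddr") and pol.get("dstaddr6")):
            notes.append("729062: IPv4 and IPv6 addresses in one policy")
        if notes:
            findings[pid] = notes
    return findings


def workaround(cfg, group):
    """Documented workaround, on paper: (members that stay in the group,
    single-IP objects to add directly to the policy instead)."""
    hosts = set(risky_groups(cfg).get(group, []))
    members = cfg["firewall addrgrp"][group]["member"]
    return [m for m in members if m not in hosts], sorted(hosts)


def _net(i):  # builds one /16 address object for the constructed sample
    return (f'    edit "net-{i:02d}"\n'
            f'        set subnet 10.{i}.0.0 255.255.0.0\n    next\n')


SAMPLE_CONFIG = (  # constructed sample: one host plus nine networks in a group
    'config firewall address\n'
    '    edit "host-a"\n        set subnet 203.0.113.10 255.255.255.255\n    next\n'
    + "".join(_net(i) for i in range(1, 10)) + 'end\n'
    'config firewall addrgrp\n    edit "grp-big"\n        set member "host-a" '
    + " ".join(f'"net-{i:02d}"' for i in range(1, 10)) + '\n    next\nend\n'
    'config firewall policy\n'
    '    edit 1\n        set srcintf "port1"\n        set dstintf "port2"\n'
    '        set srcaddr "grp-big"\n        set dstaddr "all"\n'
    '        set action accept\n        set schedule "always"\n'
    '        set service "ALL"\n    next\n'
    '    edit 2\n        set srcaddr "net-02"\n        set dstaddr "all"\n'
    '        set action accept\n    next\n'
    '    edit 3\n        set srcaddr "net-01"\n        set srcaddr6 "v6-net"\n'
    '        set dstaddr "all"\n        set action accept\n    next\nend\n'
)

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for pid, notes in lint_policies(cfg).items():
        print(f"policy {pid}:", *notes, sep="\n  ")
    keep, direct = workaround(cfg, "grp-big")
    print("grp-big keeps", keep, "; add directly to the policy:", direct)
```

Run it against a `show full-configuration` export of the hyperscale VDOM to get the list of policies to fix before the next maintenance window; the restart the workaround requires still applies after you edit the group and policy.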