Known issues
The following issues have been identified in Hyperscale firewall for FortiOS 6.4.6 Build 5868. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.4.6 release notes also apply to Hyperscale firewall for FortiOS 6.4.6 Build 5868.
Bug ID | Description |
---|---|
704851 | The |
720247 | MAC filter drops sometimes appear on SIP traffic. |
727145 | Some CPUs or NP7 processors may get stuck from FIFO deadlocks and hardware/software session conflicts. |
727391 | For optimal performance, the following option should be set to config system npu set vlan-lookup-cache {disable | enable} end Enabling or disabling |
728299 | If you disable all hyperscale firewall policies in a VDOM and then enable them in random order, SNMP queries about these policies will show incorrect policy IDs. |
729627 | After an HA failover, sessions in the new primary FortiGate are incorrectly labeled as native sessions when they are sync-over sessions. |
729645 | In some cases, leftover UDP IPv4 sessions are not cleared from the sessions list. |
731041 | Hyperscale firewall sessions using fixed allocation IP pools may be dropped during an FGCP HA failover. |
725502 | Traffic passing through virtual network interfaces is not offloaded to NP7 processors. |
730238 | Configurations with a large number of VDOMs may cause NPD UNKNOW ERRNO errors. |
730441 | Processing large amounts of IPv6 multicast traffic over extended time periods may cause the FortiGate to restart. |
727277 | Error messages may appear on the CLI console after adding or deleting transparent mode VDOMs. |
729443 | NAT64 hyperscale firewall policies will be lost after upgrading from FortiOS 6.2.7 build 7105 to 6.4.6 Build 5868, if the NAT64 policies are configured to send hardware log messages to a log server with an IPv4 IP address. You can work around this issue by replacing the IPv4 log server with an IPv6 log server before upgrading. |
729616 | The GUI and CLI allow you to incorrectly configure IPv4 hyperscale firewall policies that include a hardware logging server with an IPv6 IP address. For more information, see Hardware logging server IP address restrictions. |
728583 | WCCP firewall policies will block traffic if an IPS sensor has been added to the policy and |
727283 | The GUI menu of an FGCP HA cluster can show duplicate Dashboard > Status entries. |
728629 | Hyperscale sessions matched with policy routes may not be successfully offloaded if the source address of the policy route is added to the IP/Netmask field. Sessions accepted by policy routes where the source address is one or more firewall addresses added to the Addresses field should work as expected. |
729062 | Including IPv4 and IPv6 firewall addresses in the same hyperscale firewall policy will not work as intended. Instead, you should create separate IPv4 and IPv6 hyperscale firewall policies. |
728439 | ECMP load balancing may not work as expected in the reply direction. Instead of traffic being load balanced between multiple destinations, all traffic uses the same destination. |
728307 | When viewing information about a hardware log server from the GUI, the Ref. column does not contain a list of the policies that the hardware log server has been added to. |
728202 | The |
728506 | NAT46 and NAT64 hyperscale firewall policies do not include a Name field. |
727889 | NAT46 and NAT64 UDP packets can intermittently be dropped. |
724964 | Configuring load balancing by creating multiple policy routes with the same priority and destination does not work as expected. Traffic is not load balanced; instead, all traffic uses one of the policy routes. |
728011 | The secondary FortiGate in an FGCP HA cluster displays debug messages on the CLI console when the FortiGate is added to a cluster. |
728136 | For an FGCP HA cluster, the output of the |
727052 | In some cases, user TCP sessions expire counters are not updated in a hyperscale firewall VDOM when the sessions receive new traffic. As a result, the session expires and has to be restarted. |
727465 | Transparent mode hyperscale firewall VDOMs may behave in unexpected ways leading to some or all traffic being dropped. |
727219 | IPv6 UDP traffic may be forwarded by the secondary FortiGate in an FGCP HA A-P cluster. |
727288 | In some cases, the |
718693 | In some configurations, fragmented packets are unexpectedly sent to the CPU instead of NP7 processors. |
718442 | SNMP queries for NAT64 session counts may not return any data. |
706696 | SNMP UDP traffic passing through a FortiGate may be dropped when NP7 hardware acceleration is enabled. |
724336 | Disabling |
724334 | In some cases, some sessions are not removed from the secondary FortiGate in an FGCP HA cluster when they expire on the primary FortiGate. |
718717 | Packets may not be fragmented when they leave an inter-VDOM link interface and the packets are larger than the MTU of the interface. |
724085 | Traffic fails over an EMAC VLAN interface when the source interface is in another VDOM. |
730898 | TCP traffic may be incorrectly blocked by a specific policy that doesn't match the traffic, but has been added above a general policy that would accept the traffic. |
740225 | In hyperscale VDOMs, traffic may be blocked by NP7 processors if the firewall policy that accepts the traffic includes address groups with ten or more firewall addresses and one or more of the firewall addresses in the address group matches a single IP address. You can work around this problem by removing the firewall addresses that match a single IP address from the address group and adding these firewall addresses directly to the firewall policy. After making the configuration change, you should restart the FortiGate. |