Resolved issues
The following issues have been fixed in version 6.4.7. To inquire about a particular bug, please contact Customer Service & Support.
Anti Virus
Bug ID | Description |
---|---|
702142 | File filter monitor blocks files in flow AV if there is a scan error. |
Application Control
Bug ID | Description |
---|---|
701926 | Stress test with application control only results in packet drops. |
DNS Filter
Bug ID | Description |
---|---|
682354 | SDNS block portal IP information is not available in anycast mode. |
Endpoint Control
Bug ID | Description |
---|---|
685549 | Need to check EMSC entitlement periodically inside fcnacd. |
687320 | When using FortiClient EMS, renaming the imported CA results in an authentication error. This error does not occur if the CA is not renamed. |
Explicit Proxy
Bug ID | Description |
---|---|
716224 | In web proxy with transparent policy, the web filter rating fails when there is no SNI or CID. |
733863 | Get 504 gateway timeout error when trying to access proxy.pac from remote users using dialup IPsec VPN. |
Firewall
Bug ID | Description |
---|---|
694284 | In transparent mode when HA is enabled, if the packet passes through the FortiGate more than once, the MAC address could be different from the main session. |
705402 | Server load-balancing on FortiGate is not working as expected when the active server is down. |
707854 | FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects. |
709832 | When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched. |
714198 | When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time. |
714647 | Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally. |
716317 | IPS user quarantine ban event is marking the sessions as dirty. |
717802 | In transparent mode, a log has an irrelevant |
719925 | Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP. |
FortiView
Bug ID | Description |
---|---|
712580 | When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN\username. The user is displayed with a |
722543 | The Used Quota cannot be sorted on the FortiGuard Quota Monitor. The Used Quota column has now been split into two sortable columns: Used Traffic Quota and Used Time Quota. |
GUI
Bug ID | Description |
---|---|
589231 | When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message Invalid IP/Wildcard mask. is displayed. |
676306, 719694 | When there is a connection issue between the FortiGate and a managed FortiSwitch, unexpected behavior might occur in httpsd when navigating between Switch Controller related GUI pages. |
696226 | Interfaces and zones open slowly. |
697463 | Unable to delete a certificate in the GUI on the System > Certificates page. |
697482 | If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F. |
700525 | When viewed from a Firefox browser, System > Certificates does not display the certificate expiry date. |
709103 | For certain configurations, editing interfaces from the GUI causes the httpsd process to spike in CPU usage. |
713148 | For certain configurations, various pages that have interface selects can cause high memory usage from httpsd and put the FortiGate into conserve mode. |
715493 | For certain configurations, httpsd consumes high CPU when loading Firewall pages in a browser. |
719620 | Interface page does not load for an administrator user with |
722832 | When LDAPS is configured with FQDN and a server identity check, all LDAP-related GUI pages do not work. The CLI and fnbamd are OK. |
724394 | When a RADIUS server address is defined as an FQDN, GUI tests for connectivity and user credentials fail. |
727035 | Unable to change FortiSwitch port status when native VLAN is empty. |
727644 | When the first row of sequence group in a policy table is deleted, the sequence group disappears. |
739543 | On the Network > Interfaces page, unable to create or edit a VLAN switch as the VLAN ID validation incorrectly fails. |
HA
Bug ID | Description |
---|---|
634465 | When sending UDP packets, |
669301 | When sending UDP packets, hasync code uses the wrong buffer size, so it may write beyond the buffer and corrupt other memory. |
678145 | GUI shows a warning icon that the cluster is out of sync although the cluster is in sync. |
692384 | High memory usage of hasync process on FGCP passive device. |
695067 | When there are more than two members in an HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation. |
697066 | When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary. |
703047 | |
703719 | |
708928 | The |
710236 | Heartbeat interfaces do not get updated under |
715939 | Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of |
717251 | In FGSP, |
721720 | Performance degradation of session synchronization after upgrading. |
722284 | When there is a large number of VLAN interfaces (around 600), the FortiGate reports |
723130 | |
Intrusion Prevention
Bug ID | Description |
---|---|
669089 | IPS profile dialog in GUI shows misleading All Attributes in the Details field for filter entries with a CVE value. |
680501 | Destination interfaces are set to unknown for previous ADVPN shortcuts sessions. |
693800 | IPS memory spike on device running version: 5.00229. |
721462 | Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239. |
IPsec VPN
Bug ID | Description |
---|---|
685287 | When trying to override the MTU for the tunnel interface, it cannot be set according to the underlying interface MTU. |
699834 | ESP errors are logged with incorrect SPI value. |
710605 | Enabling FEC causes BGP neighbors to disconnect after a while. |
714400 | Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector. |
715651 | iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication. |
Log & Report
Bug ID | Description |
---|---|
722315 | System might generate garbage administrator log events upon session timeout. |
726690 | Forward traffic log from disk is missing for virtual wire pair policy. |
726900 | No traffic logs are shown after an overnight run. |
Proxy
Bug ID | Description |
---|---|
520176 | Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that does not respond to the connection within 10 seconds, and if the configuration changes during the 10 seconds. |
615391 | Reusing the buffer region causes frequent WAD crashes. |
616261 | WAD daemon might have signal 11 crashes when SSL starts to process an event during a handshake, and the event is not in the context of FTS. |
683844 | In cases when WAD fails to resolve a firewall policy for the session, WAD crashes at |
690387 | wad_proto_stats crashes a few times. |
692444 | WAD memory leak is caused by missing a close event. The WAD receives a close event from TCP when the SSL port is blocked by the upper application layer. If the SSL port input buffer does not have any data, then the close event will get ignored even if the application layer turns off blocking, and the SSL port will leak. |
700073, 714109 | YouTube server added new URLs ( |
710737 | For firewall policies with |
714610 | Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI. |
716400 | Certificate inspection is not working as expected when an external proxy is used. |
719681 | Flow control failure occurred while transferring large files when |
722481 | Proxy-based inspection causes browser to show ERR_CONNECTION_CLOSED message. |
725628 | WAD HTTP parser string leak for hostname and scheme with |
727349 | Traffic is stuck if HTTP POST does not have an end of boundary. |
735893 | After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected. |
REST API
Bug ID | Description |
---|---|
710198 | |
Routing
Bug ID | Description |
---|---|
537354 | BFD/BGP dropping when |
661270 | OSPF is stuck in loading state when there is a large amount of OSPF interfaces. |
683742 | DNS local out traffic cannot match SD-WAN rule when its member is not in VRF 0. |
693396 | hasync daemon was busy in a dead loop if FD resource was used up when flushing routes from the kernel. |
706237 | ICMP Destination Host Unreachable responses are sent in reverse order. |
710401 | Return traffic for packets destined to the FortiGate is being sent out the wrong interface. |
712586 | SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted. |
715274 | Enabling SD-WAN on interfaces with full BGP routes leads to device going into conserve mode. |
722343 | SD-WAN rule not matched with MAC address object and ISDB in policy. |
723550 | Load-balance service mode and maximize bandwidth (SLA) in SD-WAN rule does not work as expected. |
724250 | Enabling |
730208 | Traffic is not going through when the returning interface is changed. |
739500 | SD-WAN rules with specific route tags cannot acquire the corresponding routes as the destination in some cases. |
Security Fabric
Bug ID | Description |
---|---|
687238 | FortiManager cannot install a policy due to conflict with certificate synchronization from the Security Fabric. |
695040 | Unable to connect to vCenter using ESXi SDN connector with password containing certain characters. |
716698 | Multiple ACI Direct connectors are not supported. |
718581 | If HA management interface is configured, the Kubernetes connector fails to connect. |
SSL VPN
Bug ID | Description |
---|---|
500664 | SSL VPN RDP bookmark not working with CVE-2018-0886. |
515519 | guacd uses 99% CPU when SSL VPN web portal connects to RDP server. |
542815 | SSL VPN web portal RDP connections to RDS session hosts fail. |
550819 | guacd is consuming too much memory and CPU resources during operation. |
586035 | The policy |
630068 | When SSL VPN SSH times out, SSH to SES will crash when SSH is empty. |
662042 | The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal. |
676333 | Unable to type accents using dead keys in RDP using Spanish keyboard layout over SSL VPN web mode in macOS. |
677031 | SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal. |
677548 | In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server. |
677668 | sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP. |
686425 | When accessing an application in SSL VPN web mode (Sage HR), images fail to load for http://S-***.ro***.de/mp***/. |
687433 | Webpage is not loading via SSL VPN web mode bookmark. |
689465 | RDS redirect not working on SSL VPN web portal. |
689901 | SharePoint links (su***.com) not working properly on webpage launched by SSL VPN web portal. |
693347 | Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic. |
693691 | VPN logs do not show any bandwidth utilization in SSL web tunnel statistics when only using RDP. |
693718 | FortiClient SSL VPN users are unable to authenticate when zero-trust tag IP address is used as the host IP under limited access. |
694346 | Report section of internal web server (https://lm***.lm***.au***.vw***/ar***/) is not accessible via the SSL VPN web portal. |
695404 | WALLIX personal bookmark issue in SSL VPN portal. |
695763 | FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient. |
696940 | Public website, https://www.we***.org/****.html, does not run normally in SSL VPN web mode. |
697643 | Customer webpage is not loading in SSL VPN web mode with https://nb***.al**.com.eg/SFTP. |
699587 | SSL VPN policy matching problem when a local user has the same name as a pure remote user. |
699619 | SSL VPN web mode fails to access https://www.we***.org. |
701119 | SSL VPN DTLS tunnel could not be established in some cases when the tunnel link is still under negotiation. Some IP packets were sent to the client, causing the client's logic to fail. |
702493 | CMS URLs incorrectly rewritten by SSL VPN proxy in web mode. |
704597 | Search option on internal website, kp***.kd****.ca, not working while accessing via SSL VPN web mode. |
714700 | SSL VPN proxy error in web mode due to requests to loopback IP. |
715928 | SSL VPN signal 11 crashes at |
716622 | Due to a change on the samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name. |
717193 | Website cannot be accessed in SSL VPN web mode. |
718142 | The map integrated in the public site is not visible when using SSL VPN web mode. |
718159 | Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode. |
720290 | Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode. |
723498 | Sometimes in tunnel mode with a lot of tunnels, the file descriptor to the |
724830 | FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm. |
726641 | Unable to load pi***.vi***-ga***.org in SSL VPN web mode. |
736822 | Non-US keyboard layout in RDP session with SSL VPN web mode does not work correctly. |
Switch Controller
Bug ID | Description |
---|---|
682430 | Entry created in NTP under interface configuration after failing to enable FortiLink interface. |
717506 | Unable to add description on shared FortiSwitch port. |
System
Bug ID | Description |
---|---|
464340 | EHP drops for units with no NP service module. |
495532 | EHP drop improvement for units with no NP service module. |
567019 | CP9 VPN queue tasklet |
607565 | Interface |
613947 | Redundant interface cannot pick up traffic if one member is down. |
627734 | Optimize interface dialog and configuration view for |
645241 | LACP failed to process traffic after adding new QSFP interfaces as LACP members even when the LACP status is up. |
645848 | FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection. |
651626 | A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value. |
671332 | httpsd crashed after changing VDOM for interface. |
674616 | VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D. |
681791 | Install preview does not show all changes performed on the FortiGate. |
683387, 711698 | Change WWAN interface default netmask to /32 and default distance to 1. |
687457 | dnsproxy process crashes with signal 11. |
690287 | No hardware switch function is available on FG-300E. |
692943 | If an updated FFDB package is found, crash may happen at |
698003 | When creating a new administrator, the administrator profile's reference is visible in other administrator accounts from different VDOMs. |
698204 | SNMP query for firewall policy statistics in non-root VDOM returns a |
699358 | Cannot change FEC (forward error correction) on port group 13-16. |
699902 | SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration. |
700314 | ARP reply sent out by FortiGate but was not received on neighbor device. |
702135 | cmdbsvr memory leak due to unreleased memory allocated by OpenSSL. |
703131 | Split-task VDOM does not update IPS/AV from |
703872 | Unable to change speed and status of hardware switch member on SoC3 and SoC4 platforms with virtual switch feature. |
705734 | FWF-40F has random kernel panic with 6.4.4 firmware. |
706686 | LAG interface between FortiGate and Cisco switch flaps when adding/removing member interface. |
709513 | SD-WAN reports phantom packet loss. |
712506 | 25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E. |
712905 | Daylight saving time changes will not reflect for time zone 16. |
713599 | FG-40F-3G4G experiencing kernel panics and unexpected reboots ( |
713769 | Failed to load data error appears on Fabric Connectors page. Affected models: FG-200F and FG-201F. |
714192 | |
714256 | A softirq happened in an unprotected session read lock and caused a self-deadlock. |
714402 | FortiGate crashes after reboot ( |
714711 | NP offloading is blocking backup traffic. |
715571 | |
715647 | In VWP with |
717203 | When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command not to be sent to FortiManager since cmdbsvr has finished sending it, but the last command is not yet stored in the auto update file. |
718322 | FortiGate sends an invalid configuration to FortiManager, which causes the FortiManager policy packages to have an unknown status. |
721733 | IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag. |
722273 | SA is freed while its timer is still pending, which leads to a kernel crash. |
722287 | The |
729636 | FTLC1122RDNL transceiver is showing as not certified by Fortinet on FG-3800D. |
731821 | MAP-E DDNS update request is not sent after booting up the device. |
Upgrade
Bug ID | Description |
---|---|
716912 | SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0. |
User & Authentication
Bug ID | Description |
---|---|
688989 | Two-factor authentication can be bypassed with some configurations. |
691556 | Get CLI error when setting |
698716 | RADIUS password encoding does not work. |
707868 | The authd daemon crashes due to invalid dynamic memory access when data size is over 64K. |
709303 | SAML |
710212 | RADIUS accounting port is occasionally missing. |
725056 | FSSO local poller fails after recent Microsoft Windows update (KB5003646, KB5003638, ...). |
VM
Bug ID | Description |
---|---|
687925 | Hardware checksum failure encountered on Azure FG-VM. |
691337 | When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a |
714682 | GENEVE tunnel with loopback interface is not working. |
715750 | EIP information is not automatically updated after instance reboot. |
Web Filter
Bug ID | Description |
---|---|
677234 | Unable to block webpages present in the external list when accessing them through the Google Translate URL. |
WiFi Controller
Bug ID | Description |
---|---|
502080 | |
662615 | FG-80F series should support a total of 96 WTP entries (48 normal). |
676689 | RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection. |
680527 | Clients fail to authenticate to SSID due to MPSK client limit being reached when the actual connected clients are below the limit. |
685593 | Spectrum analysis graphs only present a portion of the data for monitor mode radio when X-Axis is MHz. |
693973 | Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF. |
697058 | Unable to change AP state under rogue AP's monitor page. |
700356 | CAPWAP daemon crashing due to IoT detection. |
709824 | Dynamic VLAN SSID traffic cannot pass through VDOM link when |
710759 | Automation trigger for rogue AP on wire sends email alerts for rogue AP not on wire. |
717227 | |
720674 | cw_acd is crashing on FG-40F. |
Common Vulnerabilities and Exposures
Visit https://fortiguard.com/psirt for more information.
Bug ID | CVE references |
---|---|
669673 | FortiOS 6.4.7 is no longer vulnerable to the following CVE Reference: |
686912 | FortiOS 6.4.7 is no longer vulnerable to the following CVE Reference: |
710161 | FortiOS 6.4.7 is no longer vulnerable to the following CVE Reference: |
726300 | FortiOS 6.4.7 is no longer vulnerable to the following CVE Reference: |