FortiOS Release Notes

Resolved issues

The following issues have been fixed in version 6.4.7. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID    Description
702142    File filter monitor blocks files in flow AV if there is a scan error.

Application Control

Bug ID    Description
701926    Stress test with application control only results in packet drops.

DNS Filter

Bug ID    Description
682354    SDNS block portal IP information is not available in anycast mode.

Endpoint Control

Bug ID    Description
685549    Need to check EMSC entitlement periodically inside fcnacd.
687320    When using FortiClient EMS, renaming the imported CA results in an authentication error. This error does not occur if the CA is not renamed.

Explicit Proxy

Bug ID    Description
716224    In web proxy with a transparent policy, the web filter rating fails when there is no SNI or CID.
733863    Remote users connected over dialup IPsec VPN get a 504 Gateway Timeout error when trying to access proxy.pac.

Firewall

Bug ID    Description
694284    In transparent mode with HA enabled, if a packet passes through the FortiGate more than once, its MAC address can differ from the main session.
705402    Server load balancing on FortiGate does not work as expected when the active server is down.
707854    FortiGate is not able to resolve FQDNs without a DNS suffix for firewall address objects.
709832    When multiple internet services are configured that match a certain IP, port, or protocol, the wrong policy may be matched.
714198    In transparent mode with AV and IPS, traffic in the original and reply directions should be redirected only once.
714647    A proxy-based policy with AV and web filter profiles causes VIP hairpin to work abnormally.
716317    An IPS user quarantine ban event marks the sessions as dirty.
717802    In transparent mode, a log has an irrelevant policyid.
719925    Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

FortiView

Bug ID    Description
712580    When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN&bsol;username. The user is displayed with a \ in the CLI.
722543    The Used Quota cannot be sorted on the FortiGuard Quota Monitor. The Used Quota column has now been split into two sortable columns: Used Traffic Quota and Used Time Quota.

GUI

Bug ID    Description
589231    When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message "Invalid IP/Wildcard mask." is displayed.
676306, 719694    When there is a connection issue between the FortiGate and a managed FortiSwitch, unexpected behavior might occur in httpsd when navigating between Switch Controller related GUI pages.
696226    Interfaces and zones open slowly.
697463    Unable to delete a certificate in the GUI on the System > Certificates page.
697482    If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.
700525    When viewed from a Firefox browser, System > Certificates does not display the certificate expiry date.
709103    For certain configurations, editing interfaces from the GUI causes the httpsd process to spike in CPU usage.
713148    For certain configurations, various pages that have interface selects can cause high memory usage in httpsd and put the FortiGate into conserve mode.
715493    For certain configurations, httpsd consumes high CPU when loading Firewall pages in a browser.
719620    The Interface page does not load for an administrator with netgrp read-write permissions when an IPsec VPN is configured.
722832    When LDAPS is configured with an FQDN and a server identity check, all LDAP-related GUI pages fail. The CLI and fnbamd work correctly.
724394    When a RADIUS server address is defined as an FQDN, GUI tests for connectivity and user credentials fail.
727035    Unable to change FortiSwitch port status when the native VLAN is empty.
727644    When the first row of a sequence group in a policy table is deleted, the sequence group disappears.
739543    On the Network > Interfaces page, unable to create or edit a VLAN switch because the VLAN ID validation incorrectly fails.

HA

Bug ID    Description
634465    When sending UDP packets, the hasync code uses the wrong buffer size, which may write beyond the buffer and corrupt other memory.
669301    When sending UDP packets, the hasync code uses the wrong buffer size, so it may write beyond the buffer and corrupt other memory.
678145    GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.
692384    High memory usage of the hasync process on an FGCP passive device.
695067    When there are more than two members in an HA cluster and the HA interface is used as the heartbeat interface, some RX packet drops are observed on the HA interface. No apparent impact on cluster operation is observed.
697066    When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.
703047    When hbdev goes up and down quickly and the cluster keeps changing rapidly, hasync objects might access invalid cluster information, which causes a crash.
703719    hasync is busy receiving ARP when there is a huge number of ARPs in the network.
708928    The set override disable setting changes to enabled on the main virtual cluster after rebooting (the flag of the second virtual cluster remains disabled).
710236    Heartbeat interfaces are not updated under diagnose sys ha dump-by <group | memory> after HA hbdev configuration changes.
715939    Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk receives many intf_vd_changed events and rechecks the MAC every time, which blocks hatalk from sending heartbeat packets for a long time, so the peer loses it.
717251    In FGSP, the session-sync-dev statistics in get system ha status disappear after reboot.
721720    Performance degradation of session synchronization after upgrading.
722284    When there is a large number of VLAN interfaces (around 600), the FortiGate reports a "VLAN heartbeat lost on subinterface vlan" error for multiple VLANs.
723130    diagnose sys ha reset-uptime on a secondary device triggers a failover on a cluster with more than two members.

Intrusion Prevention

Bug ID    Description
669089    The IPS profile dialog in the GUI shows a misleading "All Attributes" in the Details field for filter entries with a CVE value.
680501    Destination interfaces are set to unknown for previous ADVPN shortcut sessions.
693800    IPS memory spike on a device running IPS engine 5.00229.
721462    Memory usage increases up to conserve mode after upgrading the IPS engine to 5.00239.

IPsec VPN

Bug ID    Description
685287    When trying to override the MTU for the tunnel interface, it cannot be set according to the underlying interface MTU.
699834    ESP errors are logged with an incorrect SPI value.
710605    Enabling FEC causes BGP neighbors to disconnect after a while.
714400    Dynamic IKEv2 IPsec VPN fails to establish after adding a new phase 2 with a mismatched traffic selector.
715651    iked crashes when clients from the same peer connect to two different dynamic server configurations that use RADIUS authentication.

Log & Report

Bug ID    Description
722315    System might generate garbage administrator log events upon session timeout.
726690    Forward traffic log from disk is missing for a virtual wire pair policy.
726900    No traffic logs are shown after an overnight run.

Proxy

Bug ID    Description
520176    Multiple WAD crashes observed with signal 6. The issue can be reproduced with a slow server that does not respond to the connection within 10 seconds, if the configuration changes during those 10 seconds.
615391    Reusing the buffer region causes frequent WAD crashes.
616261    The WAD daemon might crash with signal 11 when SSL starts to process an event during a handshake and the event is not in the context of FTS.
683844    When WAD fails to resolve a firewall policy for the session, WAD crashes at wad_ssl_proxy_can_bypass() because a missed condition check allows the session to still pass through.
690387    wad_proto_stats crashes a few times.
692444    WAD memory leak caused by a missed close event. WAD receives a close event from TCP while the SSL port is blocked by the upper application layer. If the SSL port input buffer has no data, the close event is ignored even after the application layer turns off blocking, and the SSL port leaks.
700073, 714109    YouTube added new URLs (youtubei/v1/player, youtubei/v1/navigator) that cause the proxy option to restrict YouTube access to stop working.
710737    For firewall policies with http-policy-redirect enabled and ssl-ssh-profile set to inspect-all certificate-inspection, WAD is unable to block the traffic when proxy policy matching fails.
714610    Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI.
716400    Certificate inspection does not work as expected when an external proxy is used.
719681    A flow control failure occurs while transferring large files when stream-scan is running, which sometimes results in a WAD memory spike.
722481    Proxy-based inspection causes the browser to show an ERR_CONNECTION_CLOSED message.
725628    WAD HTTP parser string leak for hostname and scheme with trace-auth-no-rsp enabled.
727349    Traffic is stuck if an HTTP POST does not have an end-of-boundary marker.
735893    After the Chrome 92 update, on FOS 6.2, 6.4, or 7.0 running an IPS engine older than 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID    Description
710198    /api/v2/monitor/system/available-interfaces takes over one minute for a response.

Routing

Bug ID    Description
537354    BFD/BGP sessions drop when outbandwidth is set on an interface.
661270    OSPF is stuck in the loading state when there is a large number of OSPF interfaces.
683742    DNS local-out traffic cannot match an SD-WAN rule when its member is not in VRF 0.
693396    The hasync daemon is stuck in a dead loop if file descriptors are exhausted when flushing routes from the kernel.
706237    ICMP Destination Host Unreachable responses are sent in reverse order.
710401    Return traffic for packets destined for the FortiGate is sent out the wrong interface.
712586    SNAT sessions on the original preferred SD-WAN member are flushed after the preferred SD-WAN member changes, so existing SNAT traffic is interrupted.
715274    Enabling SD-WAN on interfaces with full BGP routes leads to the device going into conserve mode.
722343    SD-WAN rule is not matched with a MAC address object and ISDB in the policy.
723550    Load-balance service mode and maximize bandwidth (SLA) in an SD-WAN rule do not work as expected.
724250    Enabling preserve-session-route does not take effect in an SD-WAN scenario.
730208    Traffic does not go through when the returning interface is changed.
739500    SD-WAN rules with specific route tags cannot acquire the corresponding routes as the destination in some cases.

Security Fabric

Bug ID    Description
687238    FortiManager cannot install a policy due to a conflict with certificate synchronization from the Security Fabric.
695040    Unable to connect to vCenter using the ESXi SDN connector with a password containing certain characters.
716698    Multiple ACI Direct connectors are not supported.
718581    If an HA management interface is configured, the Kubernetes connector fails to connect.

SSL VPN

Bug ID    Description
500664    SSL VPN RDP bookmark not working with CVE-2018-0886.
515519    guacd uses 99% CPU when the SSL VPN web portal connects to an RDP server.
542815    SSL VPN web portal RDP connections to RDS session hosts fail.
550819    guacd consumes too much memory and CPU during operation.
586035    The policy script-src 'self' blocks the SSL VPN proxy URL.
630068    When SSL VPN SSH times out, SSH to SES crashes when SSH is empty.
662042    The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.
676333    Unable to type accents using dead keys in RDP with a Spanish keyboard layout over SSL VPN web mode on macOS.
677031    SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.
677548    In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.
677668    sslvpnd crashes due to a wrong application index referencing the wrong shared memory when daemons are busy. The crash was found when a RADIUS user uses Framed-IP.
686425    When accessing an application in SSL VPN web mode (Sage HR), images fail to load for http://S-***.ro***.de/mp***/.
687433    Webpage is not loading via an SSL VPN web mode bookmark.
689465    RDS redirect not working on the SSL VPN web portal.
689901    SharePoint links (su***.com) not working properly on a webpage launched by the SSL VPN web portal.
693347    Forward traffic for SSL VPN with an EMS tag dynamic address fails, apart from helper-based traffic.
693691    VPN logs do not show any bandwidth utilization in SSL web tunnel statistics when only using RDP.
693718    FortiClient SSL VPN users are unable to authenticate when a zero-trust tag IP address is used as the host IP under limited access.
694346    The report section of an internal web server (https://lm***.lm***.au***.vw***/ar***/) is not accessible via the SSL VPN web portal.
695404    WALLIX personal bookmark issue in the SSL VPN portal.
695763    FortiClient iOS 6.4.5 has a new feature that allows bypassing 2FA for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.
696940    Public website https://www.we***.org/****.html does not run normally in SSL VPN web mode.
697643    Customer webpage https://nb***.al**.com.eg/SFTP is not loading in SSL VPN web mode.
699587    SSL VPN policy matching problem when a local user has the same name as a pure remote user.
699619    SSL VPN web mode fails to access https://www.we***.org.
701119    SSL VPN DTLS tunnel could not be established in some cases while the tunnel link was still under negotiation. Some IP packets were sent to the client, causing the client's logic to fail.
702493    CMS URLs are incorrectly rewritten by the SSL VPN proxy in web mode.
704597    The search option on the internal website kp***.kd****.ca does not work when accessed via SSL VPN web mode.
714700    SSL VPN proxy error in web mode due to requests to a loopback IP.
715928    SSL VPN signal 11 crash at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user's resources to be cleaned up. However, before the timer expires, the PPP tunnel setup fails and the PPP context is released. When the five-second timer expires, SSL VPN still tries to use the PPP context that has already been released, which causes the crash.
716622    Due to a change on the samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name.
717193    Website cannot be accessed in SSL VPN web mode.
718142    The map integrated in the public site is not visible when using SSL VPN web mode.
718159    Webpage http://10.3.24.8/ma*** is not displayed correctly in SSL VPN web mode.
720290    Internal webpage https://172.3**.***.164/ce***/ is not loading in SSL VPN web mode.
723498    Sometimes in tunnel mode with many tunnels, the file descriptor to the mux dev is not closed, which causes the memory to linger until the process is killed.
724830    FortiGate sends authentication requests to all RADIUS servers instead of only those in the default realm.
726641    Unable to load pi***.vi***-ga***.org in SSL VPN web mode.
736822    Non-US keyboard layout in an RDP session with SSL VPN web mode does not work correctly.

Switch Controller

Bug ID    Description
682430    An entry is created in NTP under the interface configuration after failing to enable the FortiLink interface.
717506    Unable to add a description on a shared FortiSwitch port.

System

Bug ID    Description
464340    EHP drops for units with no NP service module.
495532    EHP drop improvement for units with no NP service module.
567019    CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and the device reboots.
607565    The interface emac-vlan feature does not work on the SoC4 platform.
613947    Redundant interface cannot pick up traffic if one member is down.
627734    Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).
645241    LACP fails to process traffic after adding new QSFP interfaces as LACP members, even when the LACP status is up.
645848    FortiOS intermittently provides a self-signed CA certificate with flow-based SSL certificate inspection.
651626    A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to a wrong port seed value.
671332    httpsd crashes after changing the VDOM of an interface.
674616    VDOM list is slow to load in the GUI when many VDOMs are configured on FG-3000D.
681791    Install preview does not show all changes performed on the FortiGate.
683387, 711698    Change the WWAN interface default netmask to /32 and default distance to 1.
687457    dnsproxy process crashes with signal 11.
690287    No hardware switch function is available on FG-300E.
692943    If an updated FFDB package is found, a crash may happen at init_ffdb_map if it is called while ffdb_map or ffdb_app is already being parsed, especially in HA.
698003    When creating a new administrator, the administrator profile's reference is visible in other administrator accounts from different VDOMs.
698204    SNMP query for firewall policy statistics in a non-root VDOM returns 0.
699358    Cannot change FEC (forward error correction) on port group 13-16.
699902    SNMP query of fgFwPolTables (1.3.6.1.4.1.12356.101.5.1.2.1) causes high CPU on a specific configuration.
700314    ARP reply sent out by FortiGate is not received on the neighbor device.
702135    cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.
703131    Split-task VDOM does not update IPS/AV from an ha-direct connected internal FortiManager.
703872    Unable to change the speed and status of a hardware switch member on SoC3 and SoC4 platforms with the virtual switch feature.
705734    FWF-40F has random kernel panics with 6.4.4 firmware.
706686    LAG interface between FortiGate and a Cisco switch flaps when adding/removing a member interface.
709513    SD-WAN reports phantom packet loss.
712506    25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.
712905    Daylight saving time changes are not reflected for time zone 16.
713599    FG-40F-3G4G experiences kernel panics and unexpected reboots (Unable to handle kernel NULL pointer dereference).
713769    "Failed to load data" error appears on the Fabric Connectors page. Affected models: FG-200F and FG-201F.
714192    diagnose sys bcm_intf cli "2:" and diagnose sys bcm_intf cli "ps" try to access non-existent BCM switches, which leads to a kernel panic.
714256    A softirq happened inside an unprotected session read lock and caused a self-deadlock.
714402    FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869).
714711    NP offloading is blocking backup traffic.
715571    The config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used.
715647    In VWP with set wildcard-vlan enable, in some special cases the SKB headlen is not long enough to handle. It may cause a protective crash when doing skb_pull.
717203    When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. A timing issue may cause the last command not to be sent to FortiManager: cmdbsvr has finished sending the file, but the last command is not yet stored in it.
718322    FortiGate sends an invalid configuration to FortiManager, which causes the FortiManager policy packages to have an unknown status.
721733    IPv6 networks are not reachable shortly after a FortiGate failover because an unsolicited neighbor advertisement is sent without the router flag.
722273    An SA is freed while its timer is still pending, which leads to a kernel crash.
722287    The set key-outbound and set key-inbound parameters are missing for GRE tunnels under config system gre-tunnel.
729636    FTLC1122RDNL transceiver shows as not certified by Fortinet on FG-3800D.
731821    MAP-E DDNS update request is not sent after booting up the device.

Upgrade

Bug ID    Description
716912    SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID    Description
688989    Two-factor authentication can be bypassed with some configurations.
691556    CLI error when setting the auto-regenerate-days option for a local certificate.
698716    RADIUS password encoding does not work.
707868    The authd daemon crashes due to invalid dynamic memory access when the data size is over 64K.
709303    SAML user-name and group-name configuration values are limited to 35 characters.
710212    RADIUS accounting port is occasionally missing.
725056    FSSO local poller fails after recent Microsoft Windows updates (KB5003646, KB5003638, ...).

VM

Bug ID    Description
687925    Hardware checksum failure encountered on Azure FG-VM.
691337    When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration are lost.
714682    GENEVE tunnel with a loopback interface is not working.
715750    EIP information is not automatically updated after an instance reboot.

Web Filter

Bug ID    Description
677234    Unable to block webpages present in the external list when accessing them through the Google Translate URL.

WiFi Controller

Bug ID    Description
502080    TARGET ASSERT error in the WiFi driver causes a kernel panic.
662615    FG-80F series should support a total of 96 WTP entries (48 normal).
676689    RADIUS traffic does not match the SD-WAN rule when using the wpad daemon for a wireless connection.
680527    Clients fail to authenticate to an SSID because the MPSK client limit is reported as reached when the actual number of connected clients is below the limit.
685593    Spectrum analysis graphs only present a portion of the data for a monitor mode radio when the X-axis is MHz.
693973    Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF.
697058    Unable to change the AP state on the rogue AP monitor page.
700356    CAPWAP daemon crashes due to IoT detection.
709824    Dynamic VLAN SSID traffic cannot pass through a VDOM link when capwap-offload is enabled.
710759    Automation trigger for rogue AP on wire sends email alerts for rogue APs not on wire.
717227    get wireless-controller wtp-status output shows only one AP entry.
720674    cw_acd crashes on FG-40F.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID    CVE references
669673    FortiOS 6.4.7 is no longer vulnerable to the following CVE reference: CVE-2021-26103
686912    FortiOS 6.4.7 is no longer vulnerable to the following CVE reference: CVE-2021-32600
710161    FortiOS 6.4.7 is no longer vulnerable to the following CVE reference: CVE-2021-24018
726300    FortiOS 6.4.7 is no longer vulnerable to the following CVE reference: CVE-2021-36169
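
The practical check this table invites is whether a given FortiGate is at or past the release that closes these CVEs. The script below is an added example, not Fortinet's code: it parses the version string in the form printed by get system status (for example, Version: FortiGate-100F v6.4.6,build1879,210520 (GA)) and, for a device on the 6.4 branch, lists the CVE IDs from this page whose fix the device does not yet carry. For devices on any other branch it deliberately returns None, because this page states a fixed version only for 6.4.7; the fixed releases for other branches are in the PSIRT advisories at https://fortiguard.com/psirt. The sample status lines, including their build numbers and dates, are constructed.

```python
# Added example (not Fortinet's code): compare a FortiGate's reported version
# against 6.4.7, the release this page lists as no longer vulnerable to four CVEs.
import re

# Bug ID -> CVE reference, copied from the CVE table of this release page.
FIXED_IN_6_4_7 = {
    "669673": "CVE-2021-26103",
    "686912": "CVE-2021-32600",
    "710161": "CVE-2021-24018",
    "726300": "CVE-2021-36169",
}
FIXED_VERSION = (6, 4, 7)

# Matches the "vMAJOR.MINOR.PATCH,buildNNNN" fragment of the Version line
# that "get system status" prints, e.g.
# "Version: FortiGate-100F v6.4.6,build1879,210520 (GA)".
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+),build(\d+)\b")


def parse_version(status_output):
    """Return (major, minor, patch, build) from get system status text, or None."""
    m = _VERSION_RE.search(status_output)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())


def outstanding_cves(status_output):
    """
    CVE IDs from this page that a 6.4-branch device still lacks the fix for.

    Returns [] when the device is at 6.4.7 or later, the sorted CVE list when
    it runs an earlier 6.4.x, and None for any other branch: this page says
    nothing about fixed releases on 6.2 or 7.0, so no verdict is given there.
    """
    version = parse_version(status_output)
    if version is None:
        raise ValueError("no FortiOS version string found in input")
    major, minor, patch, _build = version
    if (major, minor) != FIXED_VERSION[:2]:
        return None
    if (major, minor, patch) >= FIXED_VERSION:
        return []
    return sorted(FIXED_IN_6_4_7.values())


if __name__ == "__main__":
    # Constructed sample lines in the get system status format; the build
    # numbers and dates are placeholders, not real release builds.
    samples = [
        "Version: FortiGate-100F v6.4.6,build1879,210520 (GA)",
        "Version: FortiGate-60F v6.4.7,build1911,210906 (GA)",
        "Version: FortiGate-VM64 v7.0.1,build0157,210714 (GA)",
    ]
    for line in samples:
        print(line.split()[1], "->", outstanding_cves(line))
```

The branch check matters: a 7.0.x or 6.2.x device that is older than its own fixed release would still be exposed, so treating None as "safe" would be the wrong conclusion; look up the branch in the PSIRT advisory instead.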

Resolved issues

The following issues have been fixed in version 6.4.7. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

702142

File filter monitor blocks files in flow AV if there is a scan error.

Application Control

Bug ID

Description

701926

Stress test with application control only results in packet drops.

DNS Filter

Bug ID

Description

682354

SDNS block portal IP information is not available in anycast mode.

Endpoint Control

Bug ID

Description

685549

Need to check EMSC entitlement periodically inside fcnacd.

687320

When using FortiClient EMS, renaming the imported CA results in an authentication error. This error does not occur if the CA is not renamed.

Explicit Proxy

Bug ID

Description

716224

In web proxy with transparent policy, the web filter rating fails when there is no SNI or CID.

733863

Get 504 gateway timeout error when trying to access proxy.pac from remote users using dialup IPsec VPN.

Firewall

Bug ID

Description

694284

In transparent mode when HA is enabled, if the packet passes through the FortiGate more than once time, the MAC address could be different from main session.

705402

Server load-balancing on FortiGate is not working as expected when the active server is down.

707854

FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects.

709832

When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched.

714198

When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time.

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

716317

IPS user quarantine ban event is marking the sessions as dirty.

717802

In transparent mode, a log has an irrelevant policyid.

719925

Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

FortiView

Bug ID

Description

712580

When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN&bsol;username. The user is displayed with a \ in the CLI.

722543

The Used Quota cannot be sorted on the FortiGuard Quota Monitor. The Used Quota column has now been split into two sortable columns: Used Traffic Quota and Used Time Quota.

GUI

Bug ID

Description

589231

When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message Invalid IP/Wildcard mask. is displayed.

676306, 719694

When there is a connection issue between the FortiGate and a managed FortiSwitch, unexpected behavior might occur in httpsd when navigating between Switch Controller related GUI pages.

696226

Interfaces and zones open slowly.

697463

Unable to delete a certificate in the GUI on the System > Certificates page.

697482

If FortiGate Cloud is not activated, users cannot edit the Log Settings page from the GUI. Affected models: FG-200F and FG-201F.

700525

When viewed from a Firefox browser, System > Certificates does not display the certificate expiry date.

709103

For certain configurations, editing interfaces from the GUI causes the httpsd process to spike in CPU usage.

713148

For certain configurations, various pages that have interface selects can cause high memory usage from httpsd and put the FortiGate into conserve mode.

715493

For certain configurations, httpsd consumes high CPU when loading Firewall pages in a browser.

719620

Interface page does not load for an administrator user with netgrp read-write permissions and an IPsec VPN is configured.

722832

When LDAPS is configured with FQDN and a server identity check, all LDAP-related GUI pages do not work. The CLI and fnbamd are OK.

724394

When a RADIUS server address is defined as an FQDN, GUI tests for connectivity and user credentials fail.

727035

Unable to change FortiSwitch port status when native VLAN is empty.

727644

When the first row of sequence group in a policy table is deleted, the sequence group disappears.

739543

On the Network > Interfaces page, unable to create or edit a VLAN switch as the VLAN ID validation incorrectly fails.

HA

Bug ID

Description

634465

When sending UDP packets, hasync code uses the wrong buffer size, which may overwrite beyond the buffer to other corrupted memory.

669301

When sending UDP packets, hasync code uses the wrong buffer size so that it may overwrite beyond the buffer to other corrupted memory.

678145

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

692384

High memory usage of hasync process on FGCP passive device.

695067

When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

697066

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

703719

hasync is busy when receiving ARP when there is a huge number of ARPs in the network.

708928

The set override disable setting changes to enabled on main virtual cluster after rebooting (flag of second virtual cluster remains disabled).

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group |memory> after HA hbdev configuration changes.

715939

Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of intf_vd_changed events and recheck the MAC every time, which blocks hatalk from sending heartbeat packets for a long time and the peer loses it.

717251

In FGSP, session-sync-dev statistics of get system ha status disappear after reboot.

721720

Performance degradation of session synchronization after upgrading.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

723130

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

Intrusion Prevention

Bug ID

Description

669089

IPS profile dialog in GUI shows misleading All Attributes in the Details field for filter entries with a CVE value.

680501

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

693800

IPS memory spike on device running version: 5.00229.

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

685287

When trying to override the MTU for the tunnel interface, it cannot be set according to the underlying interface MTU.

699834

ESP errors are logged with incorrect SPI value.

710605

Enabling FEC causes BGP neighbors to disconnect after a while.

714400

Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector.

715651

iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication.

Log & Report

Bug ID

Description

722315

System might generate garbage administrator log events upon session timeout.

726690

Forward traffic log from disk is missing for virtual wire pair policy.

726900

No traffic logs are shown after an overnight run.

Proxy

Bug ID

Description

520176

Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that will not respond the connection in 10 seconds, and if the configuration changes during the 10 seconds.

615391

Reusing the buffer region causes frequent WAD crashes.

616261

WAD daemon might have signal 11 crashes when SSL starts to process an event during a handshake, and the event is not in the context of FTS.

683844

In cases when WAD fails to resolve a firewall policy for the session, WAD crashes at wad_ssl_proxy_can_bypass() when a missed condition check allows the session to still pass through.

690387

wad_proto_stats crashes a few times.

692444

WAD memory leak is caused by a missed close event. WAD receives a close event from TCP while the SSL port is blocked by the upper application layer. If the SSL port input buffer does not have any data, the close event is ignored even after the application layer turns off blocking, and the SSL port leaks.

700073, 714109

YouTube servers added new URLs (youtubei/v1/player, youtubei/v1/navigator) that cause the proxy option for restricting YouTube access to stop working.

710737

For firewall policies with http-policy-redirect enabled and ssl-ssh-profile is set to inspect-all certificate-inspection, WAD is unable to block the traffic when proxy policy matching fails.

714610

Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI.

716400

Certificate inspection is not working as expected when an external proxy is used.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

722481

Proxy-based inspection causes browser to show ERR_CONNECTION_CLOSED message.

725628

WAD HTTP parser string leak for hostname and scheme with trace-auth-no-rsp enabled.

727349

Traffic is stuck if an HTTP POST does not have an end boundary.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

710198

/api/v2/monitor/system/available-interfaces takes over one minute for a response.

Routing

Bug ID

Description

537354

BFD/BGP sessions drop when outbandwidth is set on an interface.

661270

OSPF is stuck in the loading state when there is a large number of OSPF interfaces.

683742

DNS local out traffic cannot match SD-WAN rule when its member is not in VRF 0.

693396

hasync daemon is stuck in a busy loop if file descriptors are exhausted while flushing routes from the kernel.

706237

ICMP Destination Host Unreachable responses are sent in reverse order.

710401

Return traffic for packets destined to the FortiGate is sent out the wrong interface.

712586

SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted.

715274

Enabling SD-WAN on interfaces with full BGP routes leads to device going into conserve mode.

722343

SD-WAN rule is not matched when a MAC address object and ISDB are used in the policy.

723550

Load-balance service mode and maximize bandwidth (SLA) in an SD-WAN rule do not work as expected.

724250

Enabling preserve-session-route does not take effect in SD-WAN scenario.

730208

Traffic is not going through when the returning interface is changed.

739500

SD-WAN rules with specific route tags cannot acquire the corresponding routes as the destination in some cases.

Security Fabric

Bug ID

Description

687238

FortiManager cannot install a policy due to conflict with certificate synchronization from the Security Fabric.

695040

Unable to connect to vCenter using ESXi SDN connector with password containing certain characters.

716698

Multiple ACI Direct connectors are not supported.

718581

If HA management interface is configured, the Kubernetes connector fails to connect.

SSL VPN

Bug ID

Description

500664

SSL VPN RDP bookmark not working with CVE-2018-0886.

515519

guacd uses 99% CPU when SSL VPN web portal connects to RDP server.

542815

SSL VPN web portal RDP connections to RDS session hosts fail.

550819

guacd is consuming too much memory and CPU resources during operation.

586035

A Content Security Policy of script-src 'self' blocks the SSL VPN proxy URL.

630068

When SSL VPN SSH times out, SSH to SES will crash when SSH is empty.

662042

The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.

676333

Unable to type accents using dead keys in RDP using Spanish keyboard layout over SSL VPN web mode in macOS.

677031

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

677548

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

686425

When accessing an application in SSL VPN web mode (Sage HR), images fail to load for http://S-***.ro***.de/mp***/.

687433

Webpage is not loading via SSL VPN web mode bookmark.

689465

RDS redirect not working on SSL VPN web portal.

689901

SharePoint links (su***.com) not working properly on webpage launched by SSL VPN web portal.

693347

Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic.

693691

VPN logs do not show any bandwidth utilization in SSL web tunnel statistics when only using RDP.

693718

FortiClient SSL VPN users are unable to authenticate when zero-trust tag IP address is used as the host IP under limited access.

694346

Report section of internal web server (https://lm***.lm***.au***.vw***/ar***/) is not accessible via the SSL VPN web portal.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695763

FortiClient iOS 6.4.5 has a new feature that allows 2FA to be skipped for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.

696940

Public website, https://www.we***.org/****.html, does not run normally in SSL VPN web mode.

697643

Customer webpage is not loading in SSL VPN web mode with https://nb***.al**.com.eg/SFTP.

699587

SSL VPN policy matching problem when a local user has the same name as a pure remote user.

699619

SSL VPN web mode fails to access https://www.we***.org.

701119

SSL VPN DTLS tunnel could not be established in some cases when the tunnel link is still under negotiation. Some IP packets were sent to the client, causing the client's logic to fail.

702493

CMS URLs incorrectly rewritten by SSL VPN proxy in web mode.

704597

Search option on internal website, kp***.kd****.ca, not working while accessing via SSL VPN web mode.

714700

SSL VPN proxy error in web mode due to requests to loopback IP.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

716622

Due to a change on the samld side that increases the maximum length of a SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name.

717193

Website cannot be accessed in SSL VPN web mode.

718142

The map integrated in the public site is not visible when using SSL VPN web mode.

718159

Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode.

720290

Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode.

723498

Sometimes in tunnel mode with a lot of tunnels, the file descriptor to the mux dev is not closed, which causes the memory to linger until the process is killed.

724830

FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm.

726641

Unable to load pi***.vi***-ga***.org in SSL VPN web mode.

736822

Non-US keyboard layout in RDP session with SSL VPN web mode does not work correctly.

Switch Controller

Bug ID

Description

682430

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

717506

Unable to add description on shared FortiSwitch port.

System

Bug ID

Description

464340

EHP drops for units with no NP service module.

495532

EHP drop improvement for units with no NP service module.

567019

CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots.

607565

Interface emac-vlan feature does not work on SoC4 platform.

613947

Redundant interface cannot pick up traffic if one member is down.

627734

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

645241

LACP failed to process traffic after adding new QSFP interfaces as LACP members even when the LACP status is up.

645848

FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection.

651626

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

671332

httpsd crashed after changing VDOM for interface.

674616

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

681791

Install preview does not show all changes performed on the FortiGate.

683387, 711698

Change WWAN interface default netmask to /32 and default distance to 1.

687457

dnsproxy process crashes with signal 11.

690287

No hardware switch function is available on FG-300E.

692943

If an updated FFDB package is found, crash may happen at init_ffdb_map if it is called when ffdb_map or ffdb_app is already in the process of being parsed, especially in HA.

698003

When creating a new administrator, the administrator profile's reference is visible in other administrator accounts from different VDOMs.

698204

SNMP query for firewall policy statistics in non-root VDOM returns a 0.

699358

Cannot change FEC (forward error correction) on port group 13-16.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

700314

ARP reply is sent out by the FortiGate but is not received on the neighbor device.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

703131

Split-task VDOM does not update IPS/AV from ha-direct connected internal FortiManager.

703872

Unable to change speed and status of hardware switch member on SoC3 and SoC4 platforms with virtual switch feature.

705734

FWF-40F has random kernel panic with 6.4.4 firmware.

706686

LAG interface between FortiGate and Cisco switch flaps when adding/removing member interface.

709513

SD-WAN reports phantom packet loss.

712506

25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.

712905

Daylight saving time changes will not reflect for time zone 16.

713599

FG-40F-3G4G experiencing kernel panics and unexpected reboots (Unable to handle kernel NULL pointer dereference).

713769

Failed to load data error appears on Fabric Connectors page. Affected models: FG-200F and FG-201F.

714192

diagnose sys bcm_intf cli "2:" and diagnose sys bcm_intf cli "ps" try to access non-existent BCM switches, which leads to a kernel panic.

714256

A softirq happened in an unprotected session read lock and caused a self-deadlock.

714402

FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869).

714711

NP offloading is blocking backup traffic.

715571

config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used.

715647

In VWP with set wildcard-vlan enable, for some special cases the SKB headlen is not long enough for handling. It may cause a protective crash when doing skb_pull.

717203

When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. A timing issue may cause the last command not to be sent to FortiManager: cmdbsvr has finished sending the file, but the last command is not yet stored in it.

718322

FortiGate sends an invalid configuration to FortiManager, which causes the FortiManager policy packages to have an unknown status.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

722273

SA is freed while its timer is still pending, which leads to a kernel crash.

722287

The set key-outbound and set key-inbound parameters are missing for GRE tunnels under config system gre-tunnel.

729636

FTLC1122RDNL transceiver is showing as not certified by Fortinet on FG-3800D.

731821

MAP-E DDNS update request is not sent after booting up the device.

Upgrade

Bug ID

Description

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

688989

Two-factor authentication can be bypassed with some configurations.

691556

Get CLI error when setting auto-regenerate-days option for local certificate.

698716

RADIUS password encoding does not work.

707868

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

709303

SAML user-name and group-name configuration values are limited to only 35 characters.

710212

RADIUS accounting port is occasionally missing.

725056

FSSO local poller fails after recent Microsoft Windows updates (KB5003646, KB5003638, ...).

VM

Bug ID

Description

687925

Hardware checksum failure encountered on Azure FG-VM.

691337

When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.

714682

GENEVE tunnel with loopback interface is not working.

715750

EIP information is not automatically updated after instance reboot.

Web Filter

Bug ID

Description

677234

Unable to block webpages present in the external list when accessing them through the Google Translate URL.

WiFi Controller

Bug ID

Description

502080

TARGET ASSERT error in WiFi driver causes kernel panic.

662615

FG-80F series should support a total of 96 WTP entries (48 normal).

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

680527

Clients fail to authenticate to the SSID because the MPSK client limit is reported as reached when the number of actually connected clients is below the limit.

685593

Spectrum analysis graphs present only a portion of the data for a monitor mode radio when the X-axis unit is MHz.

693973

Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF.

697058

Unable to change AP state under rogue AP's monitor page.

700356

CAPWAP daemon crashing due to IoT detection.

709824

Dynamic VLAN SSID traffic cannot pass through VDOM link when capwap-offload is enabled.

710759

Automation trigger for rogue AP on wire sends email alerts for rogue AP not on wire.

717227

get wireless-controller wtp-status output shows only one AP entry.

720674

cw_acd is crashing on FG-40F.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

669673

FortiOS 6.4.7 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-26103

686912

FortiOS 6.4.7 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-32600

710161

FortiOS 6.4.7 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-24018

726300

FortiOS 6.4.7 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-36169