Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Known issues

The following issues have been identified in version 6.4.8. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

665173 Crash logs are sometimes truncated/incomplete.

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Application Control

Bug ID

Description

787130

Application control does not block FTP traffic on an explicit proxy.

DNS Filter

Bug ID

Description

748227

DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.

Endpoint Control

Bug ID

Description

738614

EMS Cloud does not update the IP for dynamic address on the FortiGate.

744613

EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate.

Explicit Proxy

Bug ID

Description

607230

Percent encoding is not converted in FTP over HTTP explicit proxy.

721039

Short disconnections of streaming applications (Teams and Whereby) through explicit proxy.

747840

When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.

757736

HTTPS TLS 1.3 handshake fails with internal error alert.

Firewall

Bug ID

Description

729245

HTTP/1.0 health check should process the whole response when http-match is set.

738584

Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy.

743160

SYN-ACK is dropped when application control with auto-asic-offload and NP acceleration are enabled in a firewall policy.

745853

FortiGate stops sending logs to Netflow traffic because the Netflow session cleanup routine runs for too long when there are many long live sessions in the cache.

746891

Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.

754240

After a session updates its shaping policy, if the new shaping policy does not configure a per-IP shaper, the session will still use the old per-IP shaper from the previous shaping policy.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

608770

When there is no IP/IPv6 address setting for Zone, the GUI incorrectly displays 0.0.0.0/0.0.0.0 for IP/Netmask and ::/0 for IPv6 Address.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

Workaround: do not click on the OK button. Click the Cancel button to close the page.

650327

The values for set gui-default-policy-columns does not work for the srcaddr, dstaddr, and source columns.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

696573

Firewall policy not visible in the GUI when enabling internet-service src.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

720613

The event log sometimes contains duplicated lines when downloaded from the GUI.

720657

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

Workaround: use the CLI.

733375

On the VPN > SSL-VPN Settings page, after clicking Apply, source-address objects become source-address6 objects if IPv6 is enabled.

734157

On a downstream FortiGate, going to VDOM FG-traffic > Network > Interfaces takes a long time to load.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

740254

Unable to view log details for Oracle.GlassFish.Server.ThemeServlet.Directory.Traversal log when clicking Details in the GUI.

740508

Bandwidth widget shows incorrect traffic on FG-40F.

742561

On the Network > Interfaces page, after upgrading to FortiOS 6.4.7, a previously valid VLAN switch VLAN ID of 0 now displays the error message The minimum value is 2.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

750490

Firewall policy changes made in the GUI remove the replacement message group in that policy.

763925

GUI shows user as expired after entering a comment in guest management.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

Workaround: use the regular Guest Management page.

HA

Bug ID

Description

658839

Cloning a policy from the CLI causes the HA cluster to get out of sync.

680753

admin-restrict-local feature does not work on management interface in HA cluster.

711521

When HA failover happens, there is a time difference between the old secondary becoming new primary and the new primary's HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session's traffic needs to be handled by new secondary.

714788

Uninterruptible upgrade might be broken in large scale environments.

717788

FGSP has problem at failover when NTurbo or offloading is enabled (IPv4) with virtual wire pair traffic.

725240

HA cluster goes out of sync due to mismatched vpn.certificate.crl checksum.

729607

FTP transfers drop in active-active mode in cases where expectation sessions accumulated in the secondary unit reach the maximum number (128).

732201

VDOM restore on an already configured VDOM causes high CPU sometimes on the primary.

740743

When enabling lag-out-port-select, both cluster units simultaneously reboot.

740933

HA goes out of synchronization when uploading a local certificate.

744349

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

744826

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

746008

DNS may not resolve correctly in a virtual cluster environment. It also impacts the FortiGate 6000F, 7000E, and 7000F series where DNS may not resolve on the correct blades (FPC, FPM).

747270

When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.

752892

PPPoE connection gets disconnected during HA failover.

757494

Unable to add a member to an aggregate interface that is down in a HA cluster.

779180

FGSP does not synchronize the helper-pmap expectation session.

Intrusion Prevention

Bug ID

Description

654307

Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

665755

The global UTM profiles named with a g- prefix are shared between all VDOMs and logically do not belong to any VDOM. When they are changed, the ipshelper cannot always refresh its configuration because the ipshelper tries to check each VDOM profile.

746467

IPS engine crashes when IPS injects packets to vNP and vNP/DPDK fails to restart (crashes and sometimes is out of service).

755859

The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

763736

IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

784976

IPS engine goes to 100% (at 5 Gbps) on FG-4200F when testing CCS with CPS and throughput when UTM is enabled.

IPsec VPN

Bug ID

Description

668997

Duplicate entry found error shown when assigning multiple dialup IPsec tunnels with the same secondary IP in the GUI.

691178

Exchanging IPs does not work with multiple dynamic tunnels.

691718

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

715671

Traffic is failing on dialup VPN IKEv2 with EAP authentication.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

718617

In an IPsec tunnel XAuth with RADIUS, the RADIUS Accounting Stop packet is missing the Acct-Input-Octets/Acct-Output-Octets attribute.

720689

Kernel crash occurs with FEC enabled on IPsec VPN when corrupted packets are received.

725551

IKE idle timeout timers continue running when the HA state switches to secondary.

726450

Local out dialup IPsec traffic does not match policy-based routes.

729760

The ADVPN forwarder does not currently track the shortcut query that it forwards. Shortcut queries and replies are forwarded or terminated solely based on the route lookup.

735412

IKE HA resynchronizes the synchronized connection without an established IKE SA.

735430

TCP SYN-ACKs are silently dropped if the traffic is sourced from a dialup IPsec tunnel and UTM is enabled.

740475

Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.

743732

If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.

744598

Tunnel interface MTU settings do not work when net-device is enabled in phase 1.

745331

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

747123

In an IPsec aggregate tunnel interface where one of the members is down and has an MTU of zero, and the other tunnel is up and has a non-zero MTU, the interface will take the minimum of both MTU values, which is zero. This results in no traffic going in the outbound direction.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

765868

The packets did not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models.

777476

When FGCP and FGSP is configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.

Log & Report

Bug ID

Description

712037

FortiAnalyzer OFTP connection is re-initialized every 30 seconds when the FortiGate connects to an unauthorized FortiAnalyzer.

715549

On the Log & Report > SSL page, the Service for SSL logs is displayed as FTPS instead of SSL.

724827

Syslogd is using the wrong source IP when configured with interface-select-method auto.

731154

SSL VPN tunnel down event log (log ID 39948) is missing.

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

745689

Unknown interface is shown in flow-based UTM logs.

749842

The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.

751358

Unable to set source IP for FortiCloud unless FortiCloud is already activated.

754143

Add srcreputation and dstreputation fields in the forward traffic logs to provide the reputation level of the source and destination when the traffic matches an entry in the internet service database.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

Proxy

Bug ID

Description

568905

WAD crashes due to RCX having a null value.

582464

WAD SSL crash due to wrong cipher options chosen.

604681

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

712584

WAD memory leak causes device to go into conserve mode.

726999

WAD crash on wad_hash_map_del.

728641

SSL renegotiation fails when Firefox offers TLS 1.3, but the server decides to use TLS 1.2.

733760

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

734840

Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.

743746

WAD encounters signal 11 crash when adding user information.

744756

Web proxy forward server group could not recover sometimes if the FQDN is not resolved.

752744

Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.

754969

Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.

756394

WAD crashes due to memory corruption.

756616

High CPU usage in proxy-based policy with deep inspection and IPS sensor.

758086

HTTPS traffic gets SSL error when deep inspection and an AV of file filter profile are enabled.

764193

The three-way handshake packet that was marked as TCP port number reused cannot pass through the FortiGate, and the FortiGate replies with a FIN, ACK to the client.

REST API

Bug ID

Description

743169

Update various REST API endpoints to prevent information in other VDOMs from being leaked.

743743

httpsd crashes due to GET /api/v2/log/.../virus/archive request when the mkey is not provided.

Routing

Bug ID

Description

670031

LDAP traffic that originates from the FortiGate is not following SD-WAN rule.

693988

For DSL interface, adding static route with set dynamic-gateway enable does not add route to routing table.

723726

TCP session drops between virtual wire pair with auto-asic-offload enabled in policy.

724574

BFD neighborship is lost between hub and spoke. One side shows BFD as down, and other side does not show the neighbor in the list.

724887

set interface-select-method takes a long time to take effect for DNS local out traffic when the source IP is specified.

725322

Improve the help text for distance to indicate that 255 means unreachable.

729002

PIM/PIM6 does not send out unicast packet with the correct source IP if interface is not specified.

731941

Disconnected from FortiAnalyzer events reported when the interface-select-method is set to specify, and the interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection.

736705

ZEBOS launcher is unable to start and crashes constantly if aspath has more than 80 characters in the config router router-map > set-aspath setting.

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

746000

Multicast streams sourced on SSL VPN client are not registered in PIM-SM.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

769321

After ADVPN HA failover, BGP is not established, and tunnels are up but not passing traffic between the hub and spokes.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

635183

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

670451

ACI SDN connector (connected by aci-direct) shows curl error 7 when updating from second VDOM.

738344

When CSF root synchronizes a large automation setting (over 16000) to the downstream FortiGate, csfd crashes while trying to process the relay message.

741346

The variable %%date%% resolves into 1900-01-00 instead of actual date when the schedule trigger type is used.

742743

Security rating Issue with unused deny policies.

745263

AV & IPS DB Update automation trigger is not working when clicking Update Licenses & Definitions Now in the GUI.

746950

When an Azure network interface ID contains upper case letters, the Azure SDN connector may not retrieve that network interface.

789820

The csfd process is causing high memory usage on the FortiGate.

SSL VPN

Bug ID

Description

676673

Ciphers with ARIA, AESCCM, and CHACHA cannot be banned for SSL VPN.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

693237

DCE/RPC sessions are randomly dropped (no session matched).

693519

SSL VPN authentication fails for PKI user with LDAP.

695386

SAML login failure when a user belongs to multiple groups associated with multiple VPN realms.

706646

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

707792

SSL VPN connection breaks when deleting irrelevant CA and PKI is involved.

711974

SSL VPN bookmarks are not working correctly with multiple SD-WAN zones.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

726338

The wildcard matching method does not always work as expected because the kernel sometimes does not have the address yet.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

730416

Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

731278

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

737341

Some links and buttons are not working properly when accessing them through SSL VPN web mode.

737894

If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.

738711

FortiClient error message is not pertinent when the client does not meet host checking requirements.

744494

Memory occupied by the SSL VPN daemon increases significantly while the process is busy.

745499

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

746990

RADIUS accounting messages after SSL VPN do not include the Class attribute (Group name).

747352

Internal web server page, https://te***.ss***.es:10443, is not loading properly in SSL VPN web mode.

748085

Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.

749452

SSL VPN login authentication times out if primary RADIUS server becomes unavailable.

749918

Keyboard keys do not work with RDP bookmarks when PT-BR and PT-BR-ABNT2 layouts are chosen.

752055

VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.

755296

SSL VPN web mode has issues accessing https://e***.or***.kr.

767818

SSL VPN bookmark issues with internal website.

768994

SSL VPN crashed when closing web mode RDP after upgrading to 6.4.7.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

644616

NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface.

648085

Link status on peer device is not down when the admin port is down on the FortiGate.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

683929

IPv6 health check cannot send probe packets even if the IPv6 gateway is configured under configure members view.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

699152

QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

704981

LLDP transmission fails if there are nested software switches.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

713835

The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.

714805

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

715234

Packets are dropped for 30 seconds during or after massive configuration commit.

715978

NTurbo does not work with EMAC VLAN interface.

716169, 767848

SFP interface is set as 1000full is down after rebooting.

716341

SFP28 port flapping when the speed is set to 10G.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

718571

In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again.

721487

FortiGate often enters conserve mode due to high memory usage by httpsd process.

721789

Account profile settings changed after firmware upgrade.

722547

Fragmented SKB size occurs if the tail room is too small to carry the NTurbo vtag, which causes packets to be dropped.

722781

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

724065

Power supply 2 DC is lost log only appears when unplugging the power cable from power supply 2.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected.

724779

HPE setting of NTurbo host queue is missing and causes IPS traffic to stop when HPE is enabled.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

729939

Multiple processes crashing at the same time causes the device's management functionality to be unavailable when the packet size is smaller than FSAE_HEADER_SIZE(6).

732633

DNS query timeout log generated for first entry in DNS domain list when multiple domains are added.

732760

SNMP trap packets are sometimes not sent from the primary ha-direct interface to all SNMP managers after upgrading.

740649

FortiGate sends CSR configuration without double quote (") to FortiManager.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

744892

DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.

745017

get system checksum status should only display checksums for VDOMs the current user has permissions for.

747508

Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.

747834

Unexpected behavior of SNMP fgLogDeviceCachedCount value for syslog.

749835

Traffic logs reports ICMP destination as unreachable for received traffic

751044

There was no sensor trap function and related log on SoC4 platforms.

751523

When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.

755746

SoC3 platforms failed to boot up when upgrading from 6.2.10 or 6.4.8.

755953

Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.

756139

When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.

756445

Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.

758815

Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.

763739

On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match the outbandwidth setting.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

765452

Slow memory leak in IPS engine 6.091, which persists in 6.107.

766661

Outbandwidth setting does not work in NP7 models when UTM/NTurbo is enabled.

767778

Kernel panic occurs when adding and deleting LAG members on NP6 models.

770317

FG-5001D backplane interfaces did not work in FG-5913C SLBC system.

771442

Discrepancy between session count and number of active sessions; sessions number creeps high, causing high memory utilization.

777044

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

778474

dhcpd is not processing discover messages if they contain a 0 length option, such as 80 (rapid commit). The warning, length 0 overflows input buffer, is displayed.

797993

Using outbound traffic shaping and IPS NTurbo together in NP7 platforms causes some traffic to be blocked.

Upgrade

Bug ID

Description

725369

After upgrading to 6.4.5, VIP randomly stops working and a find DNAT: IP-0.0.0.0 message appears.

754180

MAC address group is missing in the configuration after upgrading if it has members with other address groups that come behind the current one.

765493

After upgrading to 6.4.7, a web filter profile within flow-based firewall policies appears with a proxy mode feature set.

User & Authentication

Bug ID

Description

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

691838

Memory leaks and crashes observed during stress long duration performance test when using FortiToken Cloud.

700838

FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

725327

FSSO user fails to log in with principal user name.

739702

There are unknown user logins on the FortiGate and the logs do not have any information for the unknown user.

741403

Unknown user log in to FortiGate does not provide any information for the unknown user.

744014

LLDP neighbors cannot be seen on virtual switch ports.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

755302

The fnbamd process spikes to 99% or crashes during RADIUS authentication.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

736067

NSX connector stops updating addresses sometimes.

739376

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

794290

Failed to load FFW-VM; cw_acd: can not find board mac from interfaces error displayed in console.

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

Web Filter

Bug ID

Description

717619

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.

677994

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

727301

Unable to quarantine hosts behind FortiAP and FortiSwitch.

733608

FG-5001D is unable to display managed FortiAPs after upgrading.

748154

802.1X clients are disconnected following FortiGuard update.

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

783209

After upgrading FortiOS from 6.2 to 6.4, a new arrp-profile (arrp-default) is added as a static entry. FortiManager cannot install the configuration to a managed FortiGate when trying to purge the arrp-profile table.

Workaround: reboot the FortiGate.

Known issues

The following issues have been identified in version 6.4.8. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

665173 Crash logs are sometimes truncated/incomplete.

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Application Control

Bug ID

Description

787130

Application control does not block FTP traffic on an explicit proxy.

DNS Filter

Bug ID

Description

748227

DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.

Endpoint Control

Bug ID

Description

738614

EMS Cloud does not update the IP for dynamic address on the FortiGate.

744613

EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate.

Explicit Proxy

Bug ID

Description

607230

Percent encoding is not converted in FTP over HTTP explicit proxy.

721039

Short disconnections of streaming applications (Teams and Whereby) through explicit proxy.

747840

When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.

757736

HTTPS TLS 1.3 handshake fails with internal error alert.

Firewall

Bug ID

Description

729245

HTTP/1.0 health check should process the whole response when http-match is set.

738584

Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy.

743160

SYN-ACK is dropped when application control with auto-asic-offload and NP acceleration are enabled in a firewall policy.

745853

FortiGate stops sending logs to Netflow traffic because the Netflow session cleanup routine runs for too long when there are many long live sessions in the cache.

746891

Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.

754240

After a session updates its shaping policy, if the new shaping policy does not configure a per-IP shaper, the session will still use the old per-IP shaper from the previous shaping policy.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

608770

When there is no IP/IPv6 address setting for Zone, the GUI incorrectly displays 0.0.0.0/0.0.0.0 for IP/Netmask and ::/0 for IPv6 Address.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

Workaround: do not click on the OK button. Click the Cancel button to close the page.

650327

The values for set gui-default-policy-columns does not work for the srcaddr, dstaddr, and source columns.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

696573

Firewall policy not visible in the GUI when enabling internet-service src.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

720613

The event log sometimes contains duplicated lines when downloaded from the GUI.

720657

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

Workaround: use the CLI.

733375

On the VPN > SSL-VPN Settings page, after clicking Apply, source-address objects become source-address6 objects if IPv6 is enabled.

734157

On a downstream FortiGate, going to VDOM FG-traffic > Network > Interfaces takes a long time to load.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

740254

Unable to view log details for Oracle.GlassFish.Server.ThemeServlet.Directory.Traversal log when clicking Details in the GUI.

740508

Bandwidth widget shows incorrect traffic on FG-40F.

742561

On the Network > Interfaces page, after upgrading to FortiOS 6.4.7, a previously valid VLAN switch VLAN ID of 0 now displays the error message The minimum value is 2.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

750490

Firewall policy changes made in the GUI remove the replacement message group in that policy.

763925

GUI shows user as expired after entering a comment in guest management.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

Workaround: use the regular Guest Management page.

HA

Bug ID

Description

658839

Cloning a policy from the CLI causes the HA cluster to get out of sync.

680753

admin-restrict-local feature does not work on management interface in HA cluster.

711521

When HA failover happens, there is a time difference between the old secondary becoming new primary and the new primary's HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session's traffic needs to be handled by new secondary.

714788

Uninterruptible upgrade might be broken in large scale environments.

717788

FGSP has problem at failover when NTurbo or offloading is enabled (IPv4) with virtual wire pair traffic.

725240

HA cluster goes out of sync due to mismatched vpn.certificate.crl checksum.

729607

FTP transfers drop in active-active mode in cases where expectation sessions accumulated in the secondary unit reach the maximum number (128).

732201

VDOM restore on an already configured VDOM causes high CPU sometimes on the primary.

740743

When enabling lag-out-port-select, both cluster units simultaneously reboot.

740933

HA goes out of synchronization when uploading a local certificate.

744349

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

744826

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

746008

DNS may not resolve correctly in a virtual cluster environment. It also impacts the FortiGate 6000F, 7000E, and 7000F series where DNS may not resolve on the correct blades (FPC, FPM).

747270

When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.

752892

PPPoE connection gets disconnected during HA failover.

757494

Unable to add a member to an aggregate interface that is down in a HA cluster.

779180

FGSP does not synchronize the helper-pmap expectation session.

Intrusion Prevention

Bug ID

Description

654307

Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

665755

The global UTM profiles named with a g- prefix are shared between all VDOMs and logically do not belong to any VDOM. When they are changed, the ipshelper cannot always refresh its configuration because the ipshelper tries to check each VDOM profile.

746467

IPS engine crashes when IPS injects packets to vNP and vNP/DPDK fails to restart (crashes and sometimes is out of service).

755859

The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

763736

IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

784976

IPS engine goes to 100% (at 5 Gbps) on FG-4200F when testing CCS with CPS and throughput when UTM is enabled.

IPsec VPN

Bug ID

Description

668997

Duplicate entry found error shown when assigning multiple dialup IPsec tunnels with the same secondary IP in the GUI.

691178

Exchanging IPs does not work with multiple dynamic tunnels.

691718

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

715671

Traffic is failing on dialup VPN IKEv2 with EAP authentication.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

718617

In an IPsec tunnel XAuth with RADIUS, the RADIUS Accounting Stop packet is missing the Acct-Input-Octets/Acct-Output-Octets attribute.

720689

Kernel crash occurs with FEC enabled on IPsec VPN when corrupted packets are received.

725551

IKE idle timeout timers continue running when the HA state switches to secondary.

726450

Local out dialup IPsec traffic does not match policy-based routes.

729760

The ADVPN forwarder does not currently track the shortcut query that it forwards. Shortcut queries and replies are forwarded or terminated solely based on the route lookup.

735412

IKE HA resynchronizes the synchronized connection without an established IKE SA.

735430

TCP SYN-ACKs are silently dropped if the traffic is sourced from a dialup IPsec tunnel and UTM is enabled.

740475

Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.

743732

If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.

744598

Tunnel interface MTU settings do not work when net-device is enabled in phase 1.

745331

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

747123

In an IPsec aggregate tunnel interface where one of the members is down and has an MTU of zero, and the other tunnel is up and has a non-zero MTU, the interface will take the minimum of both MTU values, which is zero. This results in no traffic going in the outbound direction.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

765868

The packets did not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models.

777476

When FGCP and FGSP is configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.

Log & Report

Bug ID

Description

712037

FortiAnalyzer OFTP connection is re-initialized every 30 seconds when the FortiGate connects to an unauthorized FortiAnalyzer.

715549

On the Log & Report > SSL page, the Service for SSL logs is displayed as FTPS instead of SSL.

724827

Syslogd is using the wrong source IP when configured with interface-select-method auto.

731154

SSL VPN tunnel down event log (log ID 39948) is missing.

745310

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

745689

Unknown interface is shown in flow-based UTM logs.

749842

The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.

751358

Unable to set source IP for FortiCloud unless FortiCloud is already activated.

754143

Add srcreputation and dstreputation fields in the forward traffic logs to provide the reputation level of the source and destination when the traffic matches an entry in the internet service database.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

Proxy

Bug ID

Description

568905

WAD crashes due to RCX having a null value.

582464

WAD SSL crash due to wrong cipher options chosen.

604681

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

712584

WAD memory leak causes device to go into conserve mode.

726999

WAD crash on wad_hash_map_del.

728641

SSL renegotiation fails when Firefox offers TLS 1.3, but the server decides to use TLS 1.2.

733760

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

734840

Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.

743746

WAD encounters signal 11 crash when adding user information.

744756

Web proxy forward server group could not recover sometimes if the FQDN is not resolved.

752744

Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.

754969

Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.

756394

WAD crashes due to memory corruption.

756616

High CPU usage in proxy-based policy with deep inspection and IPS sensor.

758086

HTTPS traffic gets SSL error when deep inspection and an AV of file filter profile are enabled.

764193

The three-way handshake packet that was marked as TCP port number reused cannot pass through the FortiGate, and the FortiGate replies with a FIN, ACK to the client.

REST API

Bug ID

Description

743169

Update various REST API endpoints to prevent information in other VDOMs from being leaked.

743743

httpsd crashes due to GET /api/v2/log/.../virus/archive request when the mkey is not provided.

Routing

Bug ID

Description

670031

LDAP traffic that originates from the FortiGate is not following SD-WAN rule.

693988

For DSL interface, adding static route with set dynamic-gateway enable does not add route to routing table.

723726

TCP session drops between virtual wire pair with auto-asic-offload enabled in policy.

724574

BFD neighborship is lost between hub and spoke. One side shows BFD as down, and other side does not show the neighbor in the list.

724887

set interface-select-method takes a long time to take effect for DNS local out traffic when the source IP is specified.

725322

Improve the help text for distance to indicate that 255 means unreachable.

729002

PIM/PIM6 does not send out unicast packet with the correct source IP if interface is not specified.

731941

Disconnected from FortiAnalyzer events reported when the interface-select-method is set to specify, and the interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection.

736705

ZEBOS launcher is unable to start and crashes constantly if aspath has more than 80 characters in the config router router-map > set-aspath setting.

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

746000

Multicast streams sourced on SSL VPN client are not registered in PIM-SM.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

769321

After ADVPN HA failover, BGP is not established, and tunnels are up but not passing traffic between the hub and spokes.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

635183

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

670451

ACI SDN connector (connected by aci-direct) shows curl error 7 when updating from second VDOM.

738344

When CSF root synchronizes a large automation setting (over 16000) to the downstream FortiGate, csfd crashes while trying to process the relay message.

741346

The variable %%date%% resolves into 1900-01-00 instead of actual date when the schedule trigger type is used.

742743

Security rating Issue with unused deny policies.

745263

AV & IPS DB Update automation trigger is not working when clicking Update Licenses & Definitions Now in the GUI.

746950

When an Azure network interface ID contains upper case letters, the Azure SDN connector may not retrieve that network interface.

789820

The csfd process is causing high memory usage on the FortiGate.

SSL VPN

Bug ID

Description

676673

Ciphers with ARIA, AESCCM, and CHACHA cannot be banned for SSL VPN.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

693237

DCE/RPC sessions are randomly dropped (no session matched).

693519

SSL VPN authentication fails for PKI user with LDAP.

695386

SAML login failure when a user belongs to multiple groups associated with multiple VPN realms.

706646

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

707792

SSL VPN connection breaks when deleting irrelevant CA and PKI is involved.

711974

SSL VPN bookmarks are not working correctly with multiple SD-WAN zones.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

726338

The wildcard matching method does not always work as expected because the kernel sometimes does not have the address yet.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

730416

Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

731278

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

737341

Some links and buttons are not working properly when accessing them through SSL VPN web mode.

737894

If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.

738711

FortiClient error message is not pertinent when the client does not meet host checking requirements.

744494

Memory occupied by the SSL VPN daemon increases significantly while the process is busy.

745499

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

746990

RADIUS accounting messages after SSL VPN do not include the Class attribute (Group name).

747352

Internal web server page, https://te***.ss***.es:10443, is not loading properly in SSL VPN web mode.

748085

Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.

749452

SSL VPN login authentication times out if primary RADIUS server becomes unavailable.

749918

Keyboard keys do not work with RDP bookmarks when PT-BR and PT-BR-ABNT2 layouts are chosen.

752055

VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.

755296

SSL VPN web mode has issues accessing https://e***.or***.kr.

767818

SSL VPN bookmark issues with internal website.

768994

SSL VPN crashed when closing web mode RDP after upgrading to 6.4.7.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

644616

NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface.

648085

Link status on peer device is not down when the admin port is down on the FortiGate.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

683929

IPv6 health check cannot send probe packets even if the IPv6 gateway is configured under configure members view.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

699152

QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

704981

LLDP transmission fails if there are nested software switches.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

713835

The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.

714805

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

715234

Packets are dropped for 30 seconds during or after massive configuration commit.

715978

NTurbo does not work with EMAC VLAN interface.

716169, 767848

SFP interface is set as 1000full is down after rebooting.

716341

SFP28 port flapping when the speed is set to 10G.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

718571

In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again.

721487

FortiGate often enters conserve mode due to high memory usage by httpsd process.

721789

Account profile settings changed after firmware upgrade.

722547

Fragmented SKB size occurs if the tail room is too small to carry the NTurbo vtag, which causes packets to be dropped.

722781

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

724065

Power supply 2 DC is lost log only appears when unplugging the power cable from power supply 2.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected.

724779

HPE setting of NTurbo host queue is missing and causes IPS traffic to stop when HPE is enabled.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

729939

Multiple processes crashing at the same time causes the device's management functionality to be unavailable when the packet size is smaller than FSAE_HEADER_SIZE(6).

732633

DNS query timeout log generated for first entry in DNS domain list when multiple domains are added.

732760

SNMP trap packets are sometimes not sent from the primary ha-direct interface to all SNMP managers after upgrading.

740649

FortiGate sends CSR configuration without double quote (") to FortiManager.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

744892

DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.

745017

get system checksum status should only display checksums for VDOMs the current user has permissions for.

747508

Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.

747834

Unexpected behavior of SNMP fgLogDeviceCachedCount value for syslog.

749835

Traffic logs reports ICMP destination as unreachable for received traffic

751044

There was no sensor trap function and related log on SoC4 platforms.

751523

When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.

755746

SoC3 platforms failed to boot up when upgrading from 6.2.10 or 6.4.8.

755953

Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.

756139

When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.

756445

Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.

758815

Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.

763739

On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match the outbandwidth setting.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

765452

Slow memory leak in IPS engine 6.091, which persists in 6.107.

766661

Outbandwidth setting does not work in NP7 models when UTM/NTurbo is enabled.

767778

Kernel panic occurs when adding and deleting LAG members on NP6 models.

770317

FG-5001D backplane interfaces did not work in FG-5913C SLBC system.

771442

Discrepancy between session count and number of active sessions; sessions number creeps high, causing high memory utilization.

777044

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

778474

dhcpd is not processing discover messages if they contain a 0 length option, such as 80 (rapid commit). The warning, length 0 overflows input buffer, is displayed.

797993

Using outbound traffic shaping and IPS NTurbo together in NP7 platforms causes some traffic to be blocked.

Upgrade

Bug ID

Description

725369

After upgrading to 6.4.5, VIP randomly stops working and a find DNAT: IP-0.0.0.0 message appears.

754180

MAC address group is missing in the configuration after upgrading if it has members with other address groups that come behind the current one.

765493

After upgrading to 6.4.7, a web filter profile within flow-based firewall policies appears with a proxy mode feature set.

User & Authentication

Bug ID

Description

682394

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

691838

Memory leaks and crashes observed during stress long duration performance test when using FortiToken Cloud.

700838

FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.

701356

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Workaround: manually unset admin-server-cert and set it back to the same certificate.

config system global
    unset admin-server-cert
end
config system global
    set admin-server-cert <scep_certificate>
end

725327

FSSO user fails to log in with principal user name.

739702

There are unknown user logins on the FortiGate and the logs do not have any information for the unknown user.

741403

Unknown user log in to FortiGate does not provide any information for the unknown user.

744014

LLDP neighbors cannot be seen on virtual switch ports.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

755302

The fnbamd process spikes to 99% or crashes during RADIUS authentication.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

736067

NSX connector stops updating addresses sometimes.

739376

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

794290

Failed to load FFW-VM; cw_acd: can not find board mac from interfaces error displayed in console.

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

Web Filter

Bug ID

Description

717619

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.

677994

Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.

727301

Unable to quarantine hosts behind FortiAP and FortiSwitch.

733608

FG-5001D is unable to display managed FortiAPs after upgrading.

748154

802.1X clients are disconnected following FortiGuard update.

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

783209

After upgrading FortiOS from 6.2 to 6.4, a new arrp-profile (arrp-default) is added as a static entry. FortiManager cannot install the configuration to a managed FortiGate when trying to purge the arrp-profile table.

Workaround: reboot the FortiGate.