Resolved issues

The following issues have been fixed in Hyperscale firewall for FortiOS 6.4.8 Build 6165. For inquiries about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 6.4.8 release notes also apply to Hyperscale firewall for FortiOS 6.4.8 Build 6165.

Bug ID    Description

656488 Resolved an issue that could prevent FortiGate-1800F or 1801F interfaces 25 to 36, configured to operate at 10G, from connecting to some switch hardware.

684381 Resolved an issue that prevented NP7 processors from sending ICMP packets with checksum errors to the CPU. See NP7 handling of ICMP checksum errors during anomaly checking.

695803 Resolved an issue that prevented changing the order of DoS firewall policies from the GUI or CLI.

704851 The config system session-ttl command now works as a per-hyperscale firewall VDOM configuration, as expected. Session timeouts set by this command apply only to the hyperscale firewall VDOM that they are added to.

Global session timeouts apply to sessions in hyperscale firewall VDOMs that do not match the config system session-ttl settings of their individual hyperscale firewall VDOM.

You can also override global and per-VDOM session timeouts by setting the tcp-timeout-pid and udp-timeout-pid options in a hyperscale firewall policy.

707298 753692 Resolved an issue that caused the snmpd process to use relatively high amounts of CPU time when the FortiGate is not processing much traffic.

714198 Resolved an issue with how IPS redirects NP7 offloaded sessions that could cause excess latency in transparent mode VDOMs. This issue could also block network backup traffic using port 1867.

715157 The npu sniffer diagnose command output now works as expected.

719779 Resolved an issue that caused interfaces that are part of a split interface to be removed from a LAG after restoring the configuration.

721294 Resolved an issue that caused incorrect traffic statistic reporting for VLAN interfaces.

722128 722547 Resolved an issue with how fragmented packets are handled by NP7 processors that caused packets to be dropped and error messages to be displayed on the CLI.

724061 727365 The double-level-mcast-offload option of the config system npu command now works for IPv6 multicast traffic.

724334 Resolved an issue that could prevent dynamic policy changes from being correctly applied to the session table of the secondary FortiGate in an FGCP HA cluster.

725268 714711 IPsec traffic can now be offloaded to NP7 processors when it is sent over an EMAC VLAN interface.

725502 IPsec traffic passing through virtual network interfaces is now offloaded to NP7 processors.

725581 The config log npu-server command no longer generates ICMP log messages if ICMP logging is not enabled.

726326 Resolved an issue that would cause offloaded IPsec sessions to be dropped after a phase 2 re-key occurred.

727541 Resolved issues with, and improved the performance of, CPU or host hardware logging.

727820 729443 729616 Removed restrictions on the IP address types required or recommended when configuring hardware logging servers. You can now send log messages for any traffic type (IPv4, IPv6, NAT64, or NAT46) to any configured hardware logging server.

727907 Resolved an issue that caused both FortiGates in an FGSP cluster to create duplicate log messages for the same hardware session. The resolution prevents sessions on the secondary FortiGate from creating log messages. This means that if a failover occurs, the session will continue on the secondary FortiGate, but when the session ends it will not create a session end log message.

728202 The srcaddr-negate and dstaddr-negate hyperscale firewall policy options now work as expected.

728299 If you disable all hyperscale firewall policies in a hyperscale firewall VDOM and then enable them in random order, SNMP queries about these policies now show correct policy statistics.

728506 You can now add a name to NAT46 and NAT64 hyperscale firewall policies.

729770 735807 Adjusted how HA failover works to make the process more efficient and faster for configurations with large numbers of VDOMs (for example, over 250 VDOMs).

730155 730527 Resolved an issue that caused the reverse deny policy to block all traffic; the fix also improves performance and reduces processing errors.

730160 Resolved an issue that caused inaccurate session counts to be displayed on the GUI for individual VDOMs.

730526 Resolved an issue with how NP7 processors handle internal IPsec processing that could cause LACP/BFD/BGP flapping.

732152 Changes to session-ttl are now successfully applied to all sessions.

733530 728276 723824 Resolved issues with forward error correction that caused some types of traffic to be blocked.

734342 Resolved a TPE PBA leak that could prevent ARP replies from leaving FortiGate interfaces after the FortiGate has been operating for an extended period of time.

As part of fixing this issue, FortiOS now checks for TPE duplication and adds a new session offload error code to the no_ofld_reason field of sessions that are not offloaded because of this problem. The new error code is [NP7_FOS_ERR_DUP_TPEID] = "dup_tpe_id".

The following diagnose command has been added to show session offload error statistics:

diag npu np7 session-offload-stats all <action>

<action> can be:

{0|b|brief} show non-zero counters.

{1|v|verbose} show all the counters.

735269 Resolved an issue with how FortiOS handles hyperscale firewall policy changes that could cause traffic to continue to be accepted by a hyperscale firewall policy when the Action is changed to Deny All while the FortiGate is processing traffic.

735807 Resolved an issue that caused synchronization errors after creating 249 VDOMs.

737535 Resolved an issue that prevented collecting and displaying the session count for NAT64 and NAT46 sessions processed by the CPU.

738642 Resolved a kernel issue that caused the explicit proxy to drop connections and return HTTP 5xx errors.

739181 Increased DoS protection capacity for CGN platforms.

739640 Improved configuration error checking when creating hardware logging servers.

740009 FortiGate-1800F and 1801F HA interfaces are now compatible with SFP connectors when the interface speed is set to 1000full.

745009 The Load Balance GUI dashboard widget is now available.

745945 The list of interfaces displayed by the get system interface transceiver command is now updated correctly when interfaces are split or after split interfaces are reset to their default configuration.

750149 Resolved an issue that caused NP7 processors to drop CAPWAP packets when users are authenticated using an EAP method. This happened because the EAP packets were being fragmented into two packets and the second packet was smaller than the minimum allowed packet size.

750384 Resolved a number of issues with the diagnose hardware test memory command output.

750498 Resolved an issue with VLAN IDs and VDOM IDs that could cause fragmented packets to be dropped.

751528 Resolved an issue that caused hyperscale firewall policies to continue to allow traffic after the policy action was changed to deny while traffic was passing through the FortiGate.

752222 753062 Resolved an issue that could cause the GUI httpsd process to consume excessive amounts of memory.

753390 The config system dedicated-mgmt command is no longer missing from FortiGates with dedicated management interfaces and NP7 processors.

753857 Resolved an issue that prevented some UDP sessions from expiring.

753869 Resolved an issue that could prevent resources from being released after sessions expire.

754128 Resolved an issue that could cause a system to become unresponsive after creating a large number of VDOMs and firewall policies.

754362 The GUI no longer displays an error message when you change a hyperscale firewall policy Action from Accept to Deny if you have added an IP pool to the policy.

754414 Resolved an issue with how IPv6 address groups are added to NP7 processor firewall address tables.

755002 752462 Enabling the inbandwidth option for an interface no longer blocks all traffic from passing through that interface.

755416 755531 Resolved a multicast CPU or host logging memory leak.

757418 Resolved an issue that could cause incorrect log rate reporting if multicast CPU or host logging is enabled.