Resolved an issue that prevented NP7 processors from sending ICMP packets with checksum errors to the CPU. See NP7 handling of ICMP checksum errors during anomaly checking.

Resolved an issue that prevented being able to change the order of DoS firewall policies from the GUI or CLI.

The config system session-ttl command now works as a per-hyperscale firewall VDOM configuration as expected. Session timeouts set by this command only apply to the hyperscale firewall VDOM that they are added to.

Global session timeouts apply to sessions in hyperscale firewall VDOMs that do not match config system session-ttl settings in individual hyperscale firewall VDOMs.

You can also override global and per-VDOM session timeouts by setting the tcp-timeout-pid and udp-timeout-pid options in a hyperscale firewall policy.

Resolved an issue that caused the snmpd process to use relatively high amounts of CPU time when the FortiGate is not processing much traffic.

Resolved an issue with how IPS re-directs NP7 offloaded sessions that can cause excess latency in transparent mode VDOMs. This issue could also block network backup traffic using port 1867.

The npu sniffer diagnose command output now works as expected.

Resolved an issue that caused interfaces that are part of a split interface to be removed from a LAG after restoring the configuration.

Resolved an issue with how fragmented packets are handled by NP7 processors that caused packets to be dropped and displayed error messages on the CLI.

The double-level-mcast-offload option of the config system npu command now works for IPv6 multicast traffic.

IPsec traffic can now be offloaded to NP7 processors when being sent over an EMAC VLAN interface.

IPsec traffic passing through virtual network interfaces is now offloaded to NP7 processors.

Resolved an issue that would cause offloaded IPsec sessions to be dropped after a phase 2 re-key occurred.

Resolved issues with and improved the performance of CPU or host hardware logging.

Removed restrictions on the IP address types required or recommended when configuring hardware logging servers. You can now send log messages for any traffic type (IPv4, IPv6, NAT64, or NAT46) to any configured hardware logging server.

Resolved an issue that caused both FortiGates in an FGSP cluster to create duplicate log messages for the same hardware session. The resolution prevents sessions on the secondary FortiGate from creating log messages. This means that if a failover occurs, the session will continue on the secondary FortiGate but when the sessions ends, it will not create a session end log message.

The srcaddr-negate and distaddr-negate hyperscale firewall policy options now work as expected.

If you disable all hyperscale firewall policies in a hyperscale firewall VDOM and then enable them in random order, SNMP queries about these policies now show correct policy statistics.

Adjusted how HA failover works to make the process more efficient and faster for configurations with large numbers of VDOMs (for example, over 250 VDOMs).

Resolved an issue that caused the reverse deny policy to block all traffic and also helped improve performance and reduce processing errors.

Resolved an issue that caused inaccurate session counts to be displayed on the GUI for individual VDOMs.

Changes to session-ttl are now successfully applied to all sessions.

Resolved issues with forward error correction that caused some types of traffic to be blocked.

Resolved a TPE PBA leak that can prevent ARP replies from leaving FortiGate interfaces after the FortiGate has been operating for an extended period of time.

As part of fixing this issue, FortiOS now checks for TPE duplication and adds a new session offload error code to the no_ofld_reason field of sessions that are not offloaded because of this problem. The new error code is [NP7_FOS_ERR_DUP_TPEID] = "dup_tpe_id".

The following diagnose command has been added to show session offload error statistics:

diag npu np7 session-offload-stats all <action>

<action> can be:

{0|b|brief} show non-zero counters.

{1|v|verbose} show all the counters.

Resolve an issue with how FortiOS handles hyperscale firewall policy changes that could cause traffic to continue to be accepted by a hyperscale firewall policy when the Action is changed to Deny All while the FortiGate is processing traffic.

Resolved an issue that caused synchronization errors after creating 249 VDOMs.

Resolved a kernel issue that caused the explicit proxy to drop connections and return HTTP5xx errors.

Improved configuration error checking when creating hardware logging servers.

FortiGate-1800F and 1801F HA interfaces are now compatible with SFP connectors when the interface speed is set to 1000full.

The Load Balance GUI dashboard widget is now available.

The list of interfaces displayed by the get system interface transceiver command is now updated correctly when interfaces are split or after split interfaces are reset to their default configuration.

Resolved a number of issues with the diagnose hardware test memory command output.

Resolved an issue with VLAN IDs and VDOM IDs that can cause fragmented packets to be dropped.

Resolved an issue that caused hyperscale firewall policies to continue to allow traffic after changing the policy action to deny while traffic is passing through the FortiGate.

Resolved an issue that could cause the GUI httpsd process to consume excessive amounts of memory.

The config system dedicated-mgmt command is no longer missing from FortiGates with dedicated management interfaces and NP7 processors.

Resolved an issue that prevented some UDP sessions from expiring.

Resolved an issue that could prevent resources from being made available after sessions expire.

The GUI no longer displays an error message when you change a hyperscale firewall policy Action from Accept to Deny if you have added an IP pool to the policy.

Enabling the inbandwidth option for an interface no longer blocks all traffic from passing through that interface.