
FortiOS Release Notes

Known issues

The following issues have been identified in version 6.4.9. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID  Description

702646  Re-enable JavaScript heuristic detection and fix detection blocking content despite low rating.
752420  If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Application Control

Bug ID  Description

787130  Application control does not block FTP traffic on an explicit proxy.

DNS Filter

Bug ID  Description

692482  DNS filter forwards the DNS status code 1 FormErr as status code 2 ServFail in cases where the redirect server responses have no question section.
744572  In multi-VDOM with default system fortiguard configuration, the DNS filter does not work for the non-management VDOM.
796052  If local-in and transparent requests are hashed into the same local ID list, when the DNS proxy receives a response, it finds the wrong query for requests with the same ID and domain.

Explicit Proxy

Bug ID  Description

755298  SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.
765761  Firewall with forward proxy and UTM enabled is sending TLS probe with forward proxy IP instead of real server IP.
778339  Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.
780211  diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.

Firewall

Bug ID  Description

767226  When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet's source IP instead of the external IP.
770668  The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.
773035  Custom service names are not displayed correctly in logs with a port range of more than 3000 ports.
791735  The number of sessions in session_count does not match the output from diagnose sys session full-stat.
803270  Unexpected value for session_count appears.

FortiView

Bug ID  Description

683654  FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.
692734  When using the 5 minutes time period, if the FortiGate system time is 40 to 59 seconds behind the browser time, no data is retrieved.

GUI

Bug ID  Description

440197  On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.
473841  Newly created deny policy incorrectly has logging disabled and cannot be enabled when the CSF is enabled.
602397  Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.
630216  A user can browse HA secondary logs in the GUI, but when a user downloads these logs, it is the primary FortiGate logs instead.
653952  The web page cannot be found is displayed when a dashboard ID no longer exists.
        Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.
663558  Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.
688016  GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.
695163  When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.
        Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.
713529  When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.
734773  On the System > HA page, when vCluster is enabled and the management VDOM is not the root VDOM, the GUI incorrectly displays management VDOM as primary VDOM.
735248  On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.
        Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.
739827  On FG-VM64-AZURE, administrator is logged out every few seconds, and the following message appears in the browser: Some cookies are misusing the recommended "SameSite" attribute.
743477  On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.
746953  On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.
        Workaround: use the CLI.
749451  On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 2^32-1.
749843  Bandwidth widget does not display traffic information for VLAN interfaces when a large number of VLAN interfaces are configured.
763925  GUI shows user as expired after entering a comment in guest management.
787565  When logged in as guest management administrator, the custom image shows as empty on the user information printout.
        Workaround: use the regular Guest Management page.

HA

Bug ID  Description

683584  The hasync process crashed because the write buffer offset is not validated before using it.
683628  The hasync process crashes often with signal 11 in cases when a CMDB mind map file is deleted and some processes still mind map the old file.
717785  HA primary does not send anti-spam and outbreak prevention license information to the secondary.
750829  In large customer configurations, some functions may time out, which causes an unexpected failover and keeps high cmdbsvr usage for a long time.
751072  HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.
752928  fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.
754599  SCTP sessions are not fully synchronized between nodes in FGSP.
760562  hasync crashes when the size of hasync statistics packets is invalid.
763214  Firmware upgrade fails when the bandwidth between hbdev is reduced to 26 Mbps and lower (Check image file integrity error!).
764873  FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.
765619  HA desynchronizes after user from a read-only administrator group logs in.
766842  Long wait and timeout when upgrading FG-3000D HA cluster due to vcluster2 being enabled.
771389  SNMP community name with one extra character at the end still matches when HA is enabled.
771999  Sessions not synchronized to HA secondary on an FGSP and FGCP combined setup.
779180  FGSP does not synchronize the helper-pmap expectation session.
779512  If the interface name is a number, an error occurs when that number is used as an hbdev priority.
782769  Unable to form HA pair when HA encryption is enabled.
786592  Failure in self-pinging towards the management IP.
794707  Get invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP standalone-config-sync.
801872  Unexpected HA failover on AWS A-P cluster when ipsec-soft-dec-async is enabled.
803697  The ha-mgmt-interface stops using the configured gateway6.

Hyperscale

Bug ID  Description

796368  Traffic shaping profile does not seem to have an effect on TCP/UDP traffic in hyperscale.
802369  Large client IP range makes fixed allocation usage relatively limited.

Intrusion Prevention

Bug ID  Description

654307  Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.
699775  Fortinet logo is missing on web filter block page in Chrome.
713508  Low download performance occurs when SSL deep inspection is enabled on aggregate and VLAN interfaces when NTurbo is enabled.
739272  Users cannot visit websites with an explicit web proxy when the FortiGate enters conserve mode with fail-open disabled. Block pages appear with the replacement message, IPS Sensor Triggered!.
763736  IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

IPsec VPN

Bug ID  Description

771935  Offloaded transit ESP is dropped in one direction until the session is deleted.
773313  FG-40F-3G4G with WWAN DHCP interface set as L2TP client shows drops in WWAN connections and does not get the WWAN IP.
777476  When FGCP and FGSP are configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.
781403  IKE is consuming excessive memory.
786409  Tunnel had one-way traffic after iked crashed.
814366  There are no incoming ESP packets from the hub to spoke after upgrade from 6.4.8 to 6.4.9.

Log & Report

Bug ID  Description

621329  Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.
702859  Outdated report files deleted system event log keeps being generated.
708890  Traffic log of ZTNA HTTPS proxy and TCP forwarding is missing policy name and FortiClient ID.
726231  The default logtraffic setting (UTM) in a security policy unexpectedly generates a traffic log.
753904  The reportd process consumes a high amount of CPU.
764478  Logs are missing on FortiGate Cloud from the FortiGate.
768626  FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.
769300  Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.
774767  The expected reboot log is missing.
776929  When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.

Proxy

Bug ID  Description

604681  WAD process with SoC SSL acceleration enabled consumes more memory over time, which may lead to conserve mode.
        Workaround: disable SoC SSL acceleration under the firewall SSL settings.
678815  WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers.
717995  Proxy mode generates untagged traffic in a virtual wire pair.
747915  Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.
755685  Trend Micro client results in FortiGate illegal parameter SSL alert response because the Trend Micro client sent a ClientHello that includes extra data, which is declined by the FortiGate according to RFC 5246 7.4.1.2.
768278  WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out.
791662  FortiGate is silently dropping server hello in TLS negotiation.
802935  FortiGate cannot block a virus file when using the HTTP PATCH upload method.
803260  Memory increases suddenly and is not released until rebooting.
807332  WAD does not forward the 302 HTTP redirect to the end client.

Routing

Bug ID  Description

717086  External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.
724541  One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.
729621  High CPU on hub BGPD due to hub FortiGate being unable to maintain BGP connections with more than 1000 branches when route-reflector is enabled.
730194  When syncing a large number of service qualities, there is a chance of accessing out-of-boundary memory, which causes the VWL daemon to crash.
742648  Health check over shortcut tunnel is dead after auto-discovery-receiver is disabled/enabled and VWL crash occurs.
745856  The default SD-WAN route for the LTE wwan interface is not created.
        Workaround: add a random gateway to the wwan member.

        config system sdwan
            config members
                edit 2
                    set interface "wwan"
                    set gateway 10.198.58.58
                    set priority 100
                next
            end
        end

759752  FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.
762258  When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.
771052  The set next-hop-self-rr6 enable parameter is not effective.
778392  Kernel panic crash occurs after receiving new IPv6 prefix via BGP.
780210  Changing the interface weight under SD-WAN takes longer to be applied from the GUI than the CLI.
796409  GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.

Security Fabric

Bug ID  Description

614691  Slow GUI performance in large Fabric topology with over 50 downstream devices.
690812  FortiGate firewall dynamic address resolution lost when SDN connector updates its cache.
712155  The security rating for Admin Idle Timeout incorrectly fails for a FortiAnalyzer with less than 10 minutes.
718469  Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.
724071  Log disk usage from user information history daemon is high and can restrict the use for general logging purposes.
788543  Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.
789820  The csfd process is causing high memory usage on the FortiGate.
791324  Test Automation Stitch function only works on the root FortiGate, and is not working on the downstream FortiGate.

SSL VPN

Bug ID  Description

730416  Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.
740378  Windows FortiClient 7.0.1 cannot work with FortiOS 7.0.1 over SSL VPN when the tunnel IP is in the same subnet as one of the outgoing interfaces and NAT is not enabled.
741674  Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.
745554  Logging in with SSO to FortiAnalyzer with SSL VPN web mode fails.
749857  Web mode and tunnel mode could not reflect the VRF setting, which causes the traffic to not pass through as expected.
756753  FQDN in firewall policy is treated as case sensitive, which causes SSL VPN failure when redirecting or accessing a URL that contains capitalized characters.
757726  SSL VPN web portal does not serve updated certificate.
759664  Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.
762685  Punycode is not supported in SSL VPN DNS split tunneling.
767832  After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.
767869  SCADA portal will not fully load with SSL VPN web bookmark.
771162  Unable to access SSL VPN bookmark in web mode.
772191  Website is not loading in SSL VPN web mode.
774661  SSL VPN web portal not loading internal webpage.
774831  Comma character (,) is acting as delimiter in authentication session decoding when CN format is Surname, Name.
781542  Unable to access internal SSL VPN bookmark in web mode.
783508  After upgrading to 6.4.8, NLA security mode for SSL VPN web portal bookmark does not work.
786179  Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.
796768  SSL VPN RDP is unable to connect to load-balanced VMs.
801588  After Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully.
809209  SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time.
809473  When sslvpnd debugs are enabled, the SSL VPN process crashes more often.
811492  SSL VPN should not leak information while performing Telnet.
816716  sslvpnd crashed when deleting a VLAN interface.

Switch Controller

Bug ID  Description

774848  Bulk MAC address deletions on FortiSwitch are randomly causing all wired clients to disconnect at the same time and reconnect.

System

Bug ID  Description

555616  When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.
602141  The extender daemon crashes on Low Encryption (LENC) FortiGates.
648085  Link status on peer device is not down when the admin port is down on the FortiGate.
679059  The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.
685674  FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.
705878  Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.
712321  Multiple ports flapping when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.
716250  Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.
717791  Running execute restore vmlicense tftp fails and displays tftp: bind: Address already in use message.
718307  Verizon LTE connection is not stable, and the connection may drop after a few hours.
724085  Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected.
738423  Unable to create a hardware switch with no member.
749613  Unable to save configuration changes and get failed: No space left on device error on FG-61E, FG-81E, and FG-101E.
750171  Legitimate traffic is unable to go through with NP6 synproxy enabled.
750533  The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.
751044  There was no sensor trap function and related log on SoC4 platforms.
751870  User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.
753912  FortiGate calculates faulty FDS weight with DST enabled.
757478  Kernel panic results in reboot due to the size of inner Ethernet header and IP header not being checked properly when the SKB is received by the VXLAN interface.
764252  On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.
764483  After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.
771267  Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.
773702  FortiGate running startup configuration is not saved on flash drive.
775529  Hardware switch is not passing VRRP packets.
778116  Restricted VDOM user is able to access the root VDOM.
779523  Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.
787595  FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.
792544  A request is made to the remote authentication server before checking trusthost.
796398  BPDU packets are blocked even though STF forwarding is enabled on FG-800D in transparent mode (UTP and SFP).
799255  Any configuration changes on FG-2601F causes cmbdr crash with signal 6 and traffic to stop flowing.
800333  DoS offload does not work in 6.4.9 and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.
801474  DHCP IP lease is flushed within the lease time.
801985  Kernel panic occurs when a virtual switch with VLAN is created, and another port is configured with a trunk.
802917  PPPoE virtual tunnel drops traffic after logon credentials are changed.
809366  FG-40F with STP enabled on a hardware switch creates a loop after upgrading to 6.4.9.
812499  When traffic gets offloaded, an incorrect MAC address is used as a source.
813606  DHCP relay offers to iPhones are blocked by the FortiGate.
816278  Memory increase due to iked process.
819640  SSH public key changes after every reboot.

Upgrade

Bug ID  Description

725369  After upgrading to 6.4.5, VIP randomly stops working and a find DNAT: IP-0.0.0.0 message appears.
767808  The asicdos option for enabling/disabling NP6XLite DoS offloading is missing after upgrading to 6.4.9. Affected platforms: NP6XLite.

User & Authentication

Bug ID  Description

624167  FortiToken Mobile push notification not working with dynamic WAN IP service provider.
667150  Add GUI support for FortiToken Mobile push notification and FortiToken Cloud based on two-factor authentication, which is already supported by authd.
756763  In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.
777004  Local users named pop or map do not work as expected when trying to add them as sources in a firewall policy.
778521  SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

VM

Bug ID  Description

596742  Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.
617046  FG-VMX manager not showing all the nodes deployed.
639258  Autoscale GCP health check is not successful (port 8443 HTTPS).
668625  During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.
721439  Problems occur when switching between HA broadcast heartbeat to unicast heartbeat and vice versa.
750889  DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.
781879  Flex-VM license activation failed to be applied to FortiGate VM in HA. Standalone mode is OK.
794290  Failed to load FFW-VM; cw_acd: can not find board mac from interfaces error displayed in console.
799536  Data partition is almost full on FG-VM64 platforms.

VoIP

Bug ID  Description

794517  VoIP daemon memory leak occurs when the following conditions are met:
          • The SIP call is on top of the IPsec tunnel.
          • The call fails before the setup completes (session gets closed in a state earlier than VOIP_SESSION_STATE_RUNNING).

WiFi Controller

Bug ID  Description

662714  The security-redirect-url setting is missing when the portal-type is auth-mac.
677994  Newly discovered and authorized FortiAP will cause HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it will be changed to AP mode and unset the band.
783209  After upgrading FortiOS from 6.2 to 6.4, a new arrp-profile (arrp-default) is added as a static entry. FortiManager cannot install the configuration to a managed FortiGate when trying to purge the arrp-profile table.
        Workaround: reboot the FortiGate.
790367  FWF-60F has kernel panic and reboots by itself every few hours.
791761  CAPWAP tunnel traffic over WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.
801259  CLI script from FortiManager with two commands fails, but succeeds with one command.

Known issues

The following issues have been identified in version 6.4.9. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

702646 Re-enable JavaScript heuristic detection and fix detection blocking content despite low rating.

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

Application Control

Bug ID

Description

787130 Application control does not block FTP traffic on an explicit proxy.

DNS Filter

Bug ID

Description

692482

DNS filter forwards the DNS status code 1 FormErr as status code 2 ServFail in cases where the redirect server responses have no question section.

744572

In multi-VDOM with default system fortiguard configuration, the DNS filter does not work for the non-management VDOM.

796052

If local-in and transparent requests are hashed into the same local ID list, when the DNS proxy receives a response, it finds the wrong query for requests with the same ID and domain.

Explicit Proxy

Bug ID

Description

755298

SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.

765761

Firewall with forward proxy and UTM enabled is sending TLS probe with forward proxy IP instead of real server IP.

778339

Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.

780211

diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.

Firewall

Bug ID

Description

767226

When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet's source IP instead of the external IP.

770668

The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.

773035

Custom services name is not displayed correctly in logs with a port range of more than 3000 ports.

791735

The number of sessions in session_count does not match the output from diagnose sys session full-stat.

803270

Unexpected value for session_count appears.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

692734

When using the 5 minutes time period, if the FortiGate system time is 40 to 59 second behind the browser time, no data is retrieved.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

473841

Newly created deny policy incorrectly has logging disabled and can not be enabled when the CSF is enabled.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

630216

A user can browse HA secondary logs in the GUI, but when a user downloads these logs, it is the primary FortiGate logs instead.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

663558

Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

734773

On the System > HA page, when vCluster is enabled and the management VDOM is not the root VDOM, the GUI incorrectly displays management VDOM as primary VDOM.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

739827

On FG-VM64-AZURE, administrator is logged out every few seconds, and the following message appears in the browser: Some cookies are misusing the recommended "SameSite" attribute.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

Workaround: use the CLI.

749451

On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 232-1.

749843

Bandwidth widget does not display traffic information for VLAN interfaces when a large number of VLAN interfaces are configured.

763925

GUI shows user as expired after entering a comment in guest management.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

Workaround: use the regular Guest Management page.

HA

Bug ID

Description

683584

The hasync process crashed because the write buffer offset is not validated before using it.

683628

The hasync process crashes often with signal 11 in cases when a CMDB mind map file is deleted and some processes still mind map the old file.

717785

HA primary does not send anti-spam and outbreak prevention license information to the secondary.

750829

In large customer configurations, some functions may time out, which causes an unexpected failover and keeps high cmdbsvr usage for a long time.

751072

HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.

752928

fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.

754599

SCTP sessions are not fully synchronized between nodes in FGSP.

760562

hasync crashes when the size of hasync statistics packets is invalid.

763214

Firmware upgrade fails when the bandwidth between hbdev is reduced to 26 Mbps and lower (Check image file integrity error!).

764873

FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.

765619

HA desynchronizes after user from a read-only administrator group logs in.

766842

Long wait and timeout when upgrading FG- 3000D HA cluster due to vluster2 being enabled.

771389

SNMP community name with one extra character at the end stills matches when HA is enabled.

771999

Sessions not synchronized to HA secondary on an FGSP and FGCP combined setup.

779180

FGSP does not synchronize the helper-pmap expectation session.

779512

If the interface name is a number, an error occurs when that number is used as an hbdev priority.

782769

Unable to form HA pair when HA encryption is enabled.

786592

Failure in self-pinging towards the management IP.

794707

An invalid IP address is obtained when creating a firewall object in the CLI, and it is synchronized to the secondary in FGSP standalone-config-sync.

801872

Unexpected HA failover on AWS A-P cluster when ipsec-soft-dec-async is enabled.

803697

The ha-mgmt-interface stops using the configured gateway6.

Hyperscale

Bug ID

Description

796368

Traffic shaping profile does not seem to have an effect on TCP/UDP traffic in hyperscale.

802369

Large client IP range makes fixed allocation usage relatively limited.

Intrusion Prevention

Bug ID

Description

654307

Wrong direction and banned location by quarantine action for ICMP.Oversized.Packet in NGFW policy mode.

699775

Fortinet logo is missing on web filter block page in Chrome.

713508

Low download performance occurs when SSL deep inspection is enabled on aggregate and VLAN interfaces when NTurbo is enabled.

739272

Users cannot visit websites with an explicit web proxy when the FortiGate enters conserve mode with fail-open disabled. Block pages appear with the replacement message, IPS Sensor Triggered!.

763736

IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

IPsec VPN

Bug ID

Description

771935

Offloaded transit ESP is dropped in one direction until the session is deleted.

773313

FG-40F-3G4G with WWAN DHCP interface set as L2TP client shows drops in WWAN connections and does not get the WWAN IP.

777476

When FGCP and FGSP is configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.

781403

IKE is consuming excessive memory.

786409

Tunnel had one-way traffic after iked crashed.

814366

There are no incoming ESP packets from the hub to spoke after upgrade from 6.4.8 to 6.4.9.

Log & Report

Bug ID

Description

621329

Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.

702859

The Outdated report files deleted system event log keeps being generated.

708890

Traffic log of ZTNA HTTPS proxy and TCP forwarding is missing policy name and FortiClient ID.

726231

The default logtraffic setting (UTM) in a security policy unexpectedly generates a traffic log.

753904

The reportd process consumes a high amount of CPU.

764478

Logs are missing on FortiGate Cloud from the FortiGate.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

774767

The expected reboot log is missing.

776929

When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.

Proxy

Bug ID

Description

604681

WAD process with SoC SSL acceleration enabled consumes more memory over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

678815

WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers.

717995

Proxy mode generates untagged traffic in a virtual wire pair.

747915

Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.

755685

Trend Micro client results in FortiGate illegal parameter SSL alert response because the Trend Micro client sent a ClientHello that includes extra data, which is declined by the FortiGate according to RFC 5246 7.4.1.2.
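
RFC 5246 section 7.4.1.2 requires a server to check that the amount of data in a ClientHello precisely matches one of the two defined layouts (with or without the extensions block) and to reject the message otherwise, which is why a ClientHello carrying extra bytes after its extensions is refused. The Python example below is added here to show that check; it is not FortiOS or WAD code, and the ClientHello bytes it builds (cipher suites, SNI host name) are constructed for the example.

```python
import struct

# All ClientHello bytes below are constructed in-process; no network traffic.


def build_client_hello(extra=b""):
    """Build a minimal TLS 1.2 ClientHello handshake message (type 1).
    Bytes in `extra` are appended after the extensions block, which is
    exactly what a strict RFC 5246 7.4.1.2 parser must reject."""
    body = b"\x03\x03" + bytes(32)                 # client_version, random (zeros here)
    body += b"\x00"                                # empty session_id
    suites = b"\xc0\x2f\x00\x9c"                   # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    host = b"example.test"
    server_name = b"\x00" + struct.pack("!H", len(host)) + host  # host_name entry
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # server_name extension
    body += struct.pack("!H", len(ext)) + ext
    body += extra
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse a ClientHello and report how many bytes follow the last field.
    Raises ValueError on truncation or on the wrong handshake type."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    off = 0

    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("field runs past end of ClientHello")
        chunk = body[off:off + n]
        off += n
        return chunk

    version = take(2)
    take(32)                                        # random
    session_id = take(take(1)[0])
    cipher_suites = take(struct.unpack("!H", take(2))[0])
    compression = take(take(1)[0])
    extensions = b""
    if off < len(body):                             # extensions block is optional
        extensions = take(struct.unpack("!H", take(2))[0])
    return {
        "version": version,
        "session_id": session_id,
        "cipher_suites": cipher_suites,
        "compression": compression,
        "extensions": extensions,
        "trailing_bytes": len(body) - off,          # must be 0 for a well-formed hello
    }


def is_well_formed(msg):
    """Strict acceptance: parses cleanly and nothing follows the extensions."""
    try:
        return parse_client_hello(msg)["trailing_bytes"] == 0
    except ValueError:
        return False


if __name__ == "__main__":
    print("clean hello well-formed:", is_well_formed(build_client_hello()))
    print("hello with 2 extra bytes:", is_well_formed(build_client_hello(b"\x00\x00")))
```

When diagnosing a client that is rejected this way, capture the ClientHello and compare the handshake length field against the sum of the parsed fields; a non-zero remainder after the extensions block is the client's defect, not the inspecting device's.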

768278

WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out.

791662

FortiGate is silently dropping server hello in TLS negotiation.

802935

FortiGate cannot block a virus file when using the HTTP PATCH upload method.

803260

Memory increases suddenly and is not released until the device is rebooted.

807332

WAD does not forward the 302 HTTP redirect to the end client.

Routing

Bug ID

Description

717086

External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.

724541

One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.

729621

High CPU on hub BGPD due to hub FortiGate being unable to maintain BGP connections with more than 1000 branches when route-reflector is enabled.

730194

When syncing a large number of service qualities, there is a chance of accessing out-of-boundary memory, which causes the VWL daemon to crash.

742648

Health check over shortcut tunnel is dead after auto-discovery-receiver is disabled/enabled and VWL crash occurs.

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

759752

FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.

762258

When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.

771052

The set next-hop-self-rr6 enable parameter is not effective.

778392

Kernel panic crash occurs after receiving new IPv6 prefix via BGP.

780210

Changing the interface weight under SD-WAN takes longer to be applied from the GUI than the CLI.

796409

GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

690812

FortiGate firewall dynamic address resolution lost when SDN connector updates its cache.

712155

The security rating for Admin Idle Timeout incorrectly fails for a FortiAnalyzer with less than 10 minutes.

718469

Wrong timestamp is printed in the event log received by email when the event is triggered from an email alert automation stitch.

724071

Log disk usage from user information history daemon is high and can restrict the use for general logging purposes.

788543

Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.

789820

The csfd process is causing high memory usage on the FortiGate.

791324

Test Automation Stitch function only works on the root FortiGate, and is not working on the downstream FortiGate.

SSL VPN

Bug ID

Description

730416

Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

740378

Windows FortiClient 7.0.1 cannot work with FortiOS 7.0.1 over SSL VPN when the tunnel IP is in the same subnet as one of the outgoing interfaces and NAT is not enabled.

741674

Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.

745554

Logging in with SSO to FortiAnalyzer with SSL VPN web mode fails.

749857

Web mode and tunnel mode could not reflect the VRF setting, which causes the traffic to not pass through as expected.

756753

FQDN in firewall policy is treated as case sensitive, which causes SSL VPN failure when redirecting or accessing a URL that contains capitalized characters.

757726

SSL VPN web portal does not serve updated certificate.

759664

Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.

762685

Punycode is not supported in SSL VPN DNS split tunneling.

767832

After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.

767869

SCADA portal will not fully load with SSL VPN web bookmark.

771162

Unable to access SSL VPN bookmark in web mode.

772191

Website is not loading in SSL VPN web mode.

774661

SSL VPN web portal not loading internal webpage.

774831

Comma character (,) is acting as delimiter in authentication session decoding when CN format is Surname, Name.
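
A CN such as Surname, Name breaks any session encoding that uses a bare comma as its field separator. The Python example below is added here to show the failure and one fix; it is not FortiOS code, and the session fields (portal name, CN, group) are constructed for the example.

```python
from urllib.parse import quote, unquote

# Constructed session fields for the example: portal, the user's certificate
# CN, and a group name. The CN legitimately contains a comma.
SESSION_FIELDS = ["sslvpn-portal", "Surname, Name", "vpn-users"]


def encode_session_naive(fields):
    """Illustrative buggy encoding: the separator is also a legal CN character."""
    return ",".join(fields)


def decode_session_naive(blob):
    """Splitting on the separator yields an extra field when the CN has a comma."""
    return blob.split(",")


def encode_session_safe(fields):
    """Hardened encoding: percent-encode every field (safe="" also escapes the
    comma) so the separator can never appear inside a value."""
    return ",".join(quote(field, safe="") for field in fields)


def decode_session_safe(blob):
    """Split on the separator first, then undo the escaping per field."""
    return [unquote(part) for part in blob.split(",")]


def roundtrip(encode, decode, fields):
    """Encode then decode; a correct scheme returns the input unchanged."""
    return decode(encode(fields))


if __name__ == "__main__":
    print("naive:", roundtrip(encode_session_naive, decode_session_naive, SESSION_FIELDS))
    print("safe: ", roundtrip(encode_session_safe, decode_session_safe, SESSION_FIELDS))
```

The same hazard applies to any other field that may carry user-controlled text (email addresses, OU values, group names); escaping each field before joining is what keeps a single delimiter safe.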

781542

Unable to access internal SSL VPN bookmark in web mode.

783508

After upgrading to 6.4.8, NLA security mode for SSL VPN web portal bookmark does not work.

786179

Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.

796768

SSL VPN RDP is unable to connect to load-balanced VMs.

801588

After Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully.

809209

SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time.

809473

When sslvpnd debugs are enabled, the SSL VPN process crashes more often.

811492

SSL VPN should not leak information while performing Telnet.

816716

sslvpnd crashed when deleting a VLAN interface.

Switch Controller

Bug ID

Description

774848

Bulk MAC address deletions on FortiSwitch randomly cause all wired clients to disconnect at the same time and reconnect.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

602141

The extender daemon crashes on Low Encryption (LENC) FortiGates.

648085

Link status on peer device is not down when the admin port is down on the FortiGate.

679059

The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

712321

Multiple ports flapping when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.

716250

Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.

717791

Running execute restore vmlicense tftp fails and displays tftp: bind: Address already in use message.

718307

Verizon LTE connection is not stable, and the connection may drop after a few hours.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected.

738423

Unable to create a hardware switch with no member.

749613

Unable to save configuration changes and get failed: No space left on device error on FG-61E, FG-81E, and FG-101E.

750171

Legitimate traffic is unable to go through with NP6 synproxy enabled.

750533

The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.

751044

There was no sensor trap function and related log on SoC4 platforms.

751870

User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.

753912

FortiGate calculates faulty FDS weight with DST enabled.

757478

Kernel panic results in reboot due to the size of the inner Ethernet header and IP header not being checked properly when the SKB is received by the VXLAN interface.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

771267

Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.

773702

FortiGate running startup configuration is not saved on flash drive.

775529

Hardware switch is not passing VRRP packets.

778116

Restricted VDOM user is able to access the root VDOM.

779523

Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.

787595

FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.

792544

A request is made to the remote authentication server before checking trusthost.
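
Consulting the remote authentication server before the trusthost check means every login attempt from any source address reaches the backend, even though the attempt is ultimately rejected: an untrusted client can spray passwords against the remote server or lock out the account. The Python example below is added here to show the two orderings side by side; it is not FortiOS code, and the trusthost networks, account name and credentials are constructed for the example (an account with no trusthost list is treated as unrestricted here, which is an assumption of the example).

```python
import ipaddress

# Constructed data for the example: an admin account restricted to two
# trusted source networks, and a stand-in remote authentication server.
ADMIN_TRUSTHOSTS = {
    "admin": [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.0.2.10/32")],
}


class FakeRemoteAuthServer:
    """Stand-in for a RADIUS/LDAP/TACACS+ server that records every request."""

    def __init__(self, valid_credentials):
        self.valid_credentials = valid_credentials
        self.requests = []

    def authenticate(self, user, password):
        self.requests.append((user, password))
        return self.valid_credentials.get(user) == password


def source_is_trusted(user, src_ip):
    """True if src_ip falls inside one of the user's trusthost networks.
    Assumption for this example: an account with no trusthost list is unrestricted."""
    networks = ADMIN_TRUSTHOSTS.get(user)
    if not networks:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def login_buggy(server, user, password, src_ip):
    """Order matching the symptom: the remote server is consulted first and
    trusthost only afterwards. The final decision is still correct, but every
    attempt from anywhere reaches the backend."""
    if not server.authenticate(user, password):
        return False
    return source_is_trusted(user, src_ip)


def login_fixed(server, user, password, src_ip):
    """Hardened order: untrusted sources are rejected before any network request."""
    if not source_is_trusted(user, src_ip):
        return False
    return server.authenticate(user, password)


def simulate(login):
    """Run three attempts and return (decisions, number of backend requests)."""
    server = FakeRemoteAuthServer({"admin": "correct horse battery"})
    decisions = [
        login(server, "admin", "wrong guess", "198.51.100.7"),            # untrusted source
        login(server, "admin", "correct horse battery", "198.51.100.7"),  # untrusted, right password
        login(server, "admin", "correct horse battery", "10.0.0.5"),      # trusted source
    ]
    return decisions, len(server.requests)


if __name__ == "__main__":
    print("buggy order:", simulate(login_buggy))
    print("fixed order:", simulate(login_fixed))
```

Both orderings return the same accept/reject decisions; the difference is the request count on the backend, which is what the RADIUS or LDAP server's logs will show if you test from an address outside the trusthost list.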

796398

BPDU packets are blocked even though STP forwarding is enabled on FG-800D in transparent mode (UTP and SFP).

799255

Any configuration change on FG-2601F causes a cmdbsvr crash with signal 6, and traffic stops flowing.

800333

DoS offload does not work in 6.4.9 and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.

801474

DHCP IP lease is flushed within the lease time.

801985

Kernel panic occurs when a virtual switch with VLAN is created, and another port is configured with a trunk.

802917

PPPoE virtual tunnel drops traffic after logon credentials are changed.

809366

FG-40F with STP enabled on a hardware switch creates a loop after upgrading to 6.4.9.

812499

When traffic gets offloaded, an incorrect MAC address is used as a source.

813606

DHCP relay offers to iPhones is blocked by the FortiGate.

816278

Memory increase due to iked process.

819640

SSH public key changes after every reboot.

Upgrade

Bug ID

Description

725369

After upgrading to 6.4.5, VIP randomly stops working and a find DNAT: IP-0.0.0.0 message appears.

767808

The asicdos option for enabling/disabling NP6XLite DoS offloading is missing after upgrading to 6.4.9. Affected platforms: NP6XLite.

User & Authentication

Bug ID

Description

624167

FortiToken Mobile push notification not working with dynamic WAN IP service provider.

667150

Add GUI support for FortiToken Mobile push notification and FortiToken Cloud based on two-factor authentication, which is already supported by authd.

756763

In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.

777004

Local users named pop or map do not work as expected when trying to add them as sources in a firewall policy.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

721439

Problems occur when switching between HA broadcast heartbeat to unicast heartbeat and vice versa.

750889

DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.

781879

Flex-VM license activation failed to be applied to FortiGate VM in HA. Standalone mode is OK.

794290

Failed to load FFW-VM; cw_acd: can not find board mac from interfaces error displayed in console.

799536

Data partition is almost full on FG-VM64 platforms.

VoIP

Bug ID

Description

794517

VoIP daemon memory leak occurs when the following conditions are met:

  • The SIP call is on top of the IPsec tunnel.
  • The call fails before the setup completes (session gets closed in a state earlier than VOIP_SESSION_STATE_RUNNING).

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.

677994

A newly discovered and authorized FortiAP causes an HA sync issue. On the HA secondary member, if the WTP profile has a radio in monitor mode, it is changed to AP mode and the band is unset.

783209

After upgrading FortiOS from 6.2 to 6.4, a new arrp-profile (arrp-default) is added as a static entry. FortiManager cannot install the configuration to a managed FortiGate when trying to purge the arrp-profile table.

Workaround: reboot the FortiGate.

790367

FWF-60F has kernel panic and reboots by itself every few hours.

791761

CAPWAP tunnel traffic over WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.

801259

CLI script from FortiManager with two commands fails, but succeeds with one command.