Fortinet black logo

FortiOS Release Notes

Home FortiGate / FortiOS 6.4.9 FortiOS Release Notes

Known issues

6.4.9
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.10
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
Copy Link
Copy Doc ID 3c6536c6-b68b-11ec-9fd1-fa163e15d75b:236526
Download PDF

Known issues

The following issues have been identified in version 6.4.9. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Application Control

Bug ID

Description
787130 Application control does not block FTP traffic on an explicit proxy.

Explicit Proxy

Bug ID

Description

803228

When converting an explicit proxy session to SSL redirect, traffic may be interrupted inadvertently in some situations.

816879

When an explicit proxy is enabled with IP pools, certificate inspection probe sessions use the interface IP instead of IPs from the configured IP pool. Therefore, when an interface IP is not allowed to connect externally, the probe session fails and causes traffic to not work.

Firewall

Bug ID

Description

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

770541

Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers.

Workaround: set the DNS server to the FortiGuard DNS server.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

692734

When using the 5 minutes time period, if the FortiGate system time is 40 to 59 second behind the browser time, no data is retrieved.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

763925

GUI shows user as expired after entering a comment in guest management.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

Workaround: use the regular Guest Management page.

HA

Bug ID

Description

771999

Sessions not synchronized to HA secondary on an FGSP and FGCP combined setup.

779180

FGSP does not synchronize the helper-pmap expectation session.

Hyperscale

Bug ID

Description

734305

In the GUI, an FQDN or ISDB can be selected for a DoS policy, which is not supported (an error message appears). The CLI shows the correct options.

760560

The timestamp on the hyperscale SPU of a deny policy (policy id 0) is incorrect.

796368

Traffic shaping profile does not seem to have an effect on TCP/UDP traffic in hyperscale.

802369

Large client IP range makes fixed allocation usage relatively limited.

Intrusion Prevention

Bug ID

Description

763736

IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

IPsec VPN

Bug ID

Description

777476

When FGCP and FGSP is configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.

Log & Report

Bug ID

Description

726231

The default logtraffic setting (UTM) in a security policy unexpectedly generates a traffic log.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

850642

Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

Proxy

Bug ID

Description

604681

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

REST API

Bug ID

Description

759675

Connection failed error occurs on FortiGate when an interface is created and updated using the API in quick succession.

Routing

Bug ID

Description

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

712155

The security rating for Admin Idle Timeout incorrectly fails for a FortiAnalyzer with less than 10 minutes.

789820

The csfd process is causing high memory usage on the FortiGate.

SSL VPN

Bug ID

Description

710657

The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set.

730416

Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

745554

Logging in with SSO to FortiAnalyzer with SSL VPN web mode fails.

852566

User peer feature for one group to match to multiple user peers in the authentication rules is broken.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

602141

The extender daemon crashes on Low Encryption (LENC) FortiGates.

648085

Link status on peer device is not down when the admin port is down on the FG-500E.

664856

A VWP named .. can be created in the GUI, but it cannot be edited or deleted.

666664

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

669645

VXLAN VNI interface cannot be used with a hardware switch.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

751044

PSU alarm log and SNMP trap are added for FG-20xF and FGR-60F models.

751715

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

800333

DoS offload does not work in 6.4.9 and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.

801985

Kernel panic occurs when a virtual switch with VLAN is created, and another port is configured with a trunk.

809366

FG-40F with STP enabled on a hardware switch creates a loop after upgrading to 6.4.9.

879769

If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

Upgrade

Bug ID

Description

767808

The asicdos option for enabling/disabling NP6XLite DoS offloading is missing after upgrading to 6.4.9. Affected platforms: NP6XLite.

User & Authentication

Bug ID

Description

624167

FortiToken Mobile push notification not working with dynamic WAN IP service provider.

754725

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

823884

When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

853793

FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

794290

Failed to load FFW-VM; cw_acd: can not find board mac from interfaces error displayed in console.

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.

783209

After upgrading FortiOS from 6.2 to 6.4, a new arrp-profile (arrp-default) is added as a static entry. FortiManager cannot install the configuration to a managed FortiGate when trying to purge the arrp-profile table.

Workaround: reboot the FortiGate.
Previous
Next

Known issues

The following issues have been identified in version 6.4.9. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Application Control

Bug ID

Description
787130 Application control does not block FTP traffic on an explicit proxy.

Explicit Proxy

Bug ID

Description

803228

When converting an explicit proxy session to SSL redirect, traffic may be interrupted inadvertently in some situations.

816879

When an explicit proxy is enabled with IP pools, certificate inspection probe sessions use the interface IP instead of IPs from the configured IP pool. Therefore, when an interface IP is not allowed to connect externally, the probe session fails and causes traffic to not work.

Firewall

Bug ID

Description

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

770541

Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers.

Workaround: set the DNS server to the FortiGuard DNS server.

FortiView

Bug ID

Description

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

692734

When using the 5 minutes time period, if the FortiGate system time is 40 to 59 second behind the browser time, no data is retrieved.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

653952

The web page cannot be found is displayed when a dashboard ID no longer exists.

Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

688016

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

763925

GUI shows user as expired after entering a comment in guest management.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

Workaround: use the regular Guest Management page.

HA

Bug ID

Description

771999

Sessions not synchronized to HA secondary on an FGSP and FGCP combined setup.

779180

FGSP does not synchronize the helper-pmap expectation session.

Hyperscale

Bug ID

Description

734305

In the GUI, an FQDN or ISDB can be selected for a DoS policy, which is not supported (an error message appears). The CLI shows the correct options.

760560

The timestamp on the hyperscale SPU of a deny policy (policy id 0) is incorrect.

796368

Traffic shaping profile does not seem to have an effect on TCP/UDP traffic in hyperscale.

802369

Large client IP range makes fixed allocation usage relatively limited.

Intrusion Prevention

Bug ID

Description

763736

IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

IPsec VPN

Bug ID

Description

777476

When FGCP and FGSP is configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.

Log & Report

Bug ID

Description

726231

The default logtraffic setting (UTM) in a security policy unexpectedly generates a traffic log.

768626

FortiGate does not send WELF (WebTrends Enhanced Log Format) logs.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

850642

Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

Proxy

Bug ID

Description

604681

WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

Workaround: disable SoC SSL acceleration under the firewall SSL settings.

REST API

Bug ID

Description

759675

Connection failed error occurs on FortiGate when an interface is created and updated using the API in quick succession.

Routing

Bug ID

Description

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

712155

The security rating for Admin Idle Timeout incorrectly fails for a FortiAnalyzer with less than 10 minutes.

789820

The csfd process is causing high memory usage on the FortiGate.

SSL VPN

Bug ID

Description

710657

The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set.

730416

Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

745554

Logging in with SSO to FortiAnalyzer with SSL VPN web mode fails.

852566

User peer feature for one group to match to multiple user peers in the authentication rules is broken.

System

Bug ID

Description

555616

When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

602141

The extender daemon crashes on Low Encryption (LENC) FortiGates.

648085

Link status on peer device is not down when the admin port is down on the FG-500E.

664856

A VWP named .. can be created in the GUI, but it cannot be edited or deleted.

666664

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

669645

VXLAN VNI interface cannot be used with a hardware switch.

685674

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

751044

PSU alarm log and SNMP trap are added for FG-20xF and FGR-60F models.

751715

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

800333

DoS offload does not work in 6.4.9 and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.

801985

Kernel panic occurs when a virtual switch with VLAN is created, and another port is configured with a trunk.

809366

FG-40F with STP enabled on a hardware switch creates a loop after upgrading to 6.4.9.

879769

If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

Upgrade

Bug ID

Description

767808

The asicdos option for enabling/disabling NP6XLite DoS offloading is missing after upgrading to 6.4.9. Affected platforms: NP6XLite.

User & Authentication

Bug ID

Description

624167

FortiToken Mobile push notification not working with dynamic WAN IP service provider.

754725

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

823884

When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

853793

FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

VM

Bug ID

Description

596742

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

617046

FG-VMX manager not showing all the nodes deployed.

639258

Autoscale GCP health check is not successful (port 8443 HTTPS).

668625

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

794290

Failed to load FFW-VM; cw_acd: can not find board mac from interfaces error displayed in console.

WiFi Controller

Bug ID

Description

662714

The security-redirect-url setting is missing when the portal-type is auth-mac.

783209

After upgrading FortiOS from 6.2 to 6.4, a new arrp-profile (arrp-default) is added as a static entry. FortiManager cannot install the configuration to a managed FortiGate when trying to purge the arrp-profile table.

Workaround: reboot the FortiGate.
Previous
Next