DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.

IPsec VPN does not have FCT client IP to send to EMS if using DHCP-over-IPsec.

No FortiClient entry in diagnose endpoint record list when the FortiClient is registered on EMS with a WiFi tunnel mode interface.

EMS Cloud does not update the IP for dynamic address on the FortiGate.

Dynamic group EMS tags are not showing up for connected wireless devices.

Percent encoding is not converted in FTP over HTTP explicit proxy.

Proxy policy matching should support choosing the best internet service name when the IP matches multiple object names.

WAD encounters segmentation crash at wad_ssl_arm_close; crash occurred on explicit web proxy.

Unable to load URL when application control or AV are enabled in a proxy policy.

Short disconnections of streaming applications (Teams and Whereby) through explicit proxy.

When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.

When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.

HTTP/1.0 health check should process the whole response when http-match is set.

Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.

Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy.

SYN-ACK is dropped when application control with auto-asic-offload and NP acceleration are enabled in a firewall policy.

FortiGate drops SERVER HELLO when accessing some TLS 1.3 websites using a flow-based policy with SSL deep inspection.

FortiGate stops sending logs to Netflow traffic because the Netflow session cleanup routine runs for too long when there are many long live sessions in the cache.

Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.

When there is no IP/IPv6 address setting for Zone, the GUI incorrectly displays 0.0.0.0/0.0.0.0 for IP/Netmask and ::/0 for IPv6 Address.

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

The values for set gui-default-policy-columns does not work for the srcaddr, dstaddr, and source columns.

Firewall policy not visible in the GUI when enabling internet-service src.

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

The event log sometimes contains duplicated lines when downloaded from the GUI.

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

On the VPN > SSL-VPN Settings page, after clicking Apply, source-address objects become source-address6 objects if IPv6 is enabled.

On a downstream FortiGate, going to VDOM FG-traffic > Network > Interfaces takes a long time to load.

Unable to view log details for Oracle.GlassFish.Server.ThemeServlet.Directory.Traversal log when clicking Details in the GUI.

Bandwidth widget shows incorrect traffic on FG-40F.

On the Network > Interfaces page, after upgrading to FortiOS 6.4.7, a previously valid VLAN switch VLAN ID of 0 now displays the error message The minimum value is 2.

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

Cloning a policy from the CLI causes the HA cluster to get out of sync.

admin-restrict-local feature does not work on management interface in HA cluster.

When HA failover happens, there is a time difference between the old secondary becoming new primary and the new primary's HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session's traffic needs to be handled by new secondary.

Uninterruptible upgrade might be broken in large scale environments.

FGSP has problem at failover when NTurbo or offloading is enabled (IPv4) with virtual wire pair traffic.

HA cluster goes out of sync due to mismatched vpn.certificate.crl checksum.

FTP transfers drop in active-active mode in cases where expectation sessions accumulated in the secondary unit reach the maximum number (128).

VDOM restore on an already configured VDOM causes high CPU sometimes on the primary.

When enabling lag-out-port-select, both cluster units simultaneously reboot.

HA goes out of synchronization when uploading a local certificate.

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

DNS may not resolve correctly in a virtual cluster environment. It also impacts the FortiGate 6000F and 7000E/F series where DNS may not resolve on the correct blades (FPC/FPM).

When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.

PPPoE connection gets disconnected during HA failover.

The global UTM profiles named with a g- prefix are shared between all VDOMs and logically do not belong to any VDOM. When they are changed, the ipshelper cannot always refresh its configuration because the ipshelper tries to check each VDOM profile.

IPS signatures not working with VIP in proxy mode.

IPS engine crashes when IPS injects packets to vNP and vNP/DPDK fails to restart (crashes and sometimes is out of service).

FortiGate can only collect up to 128 packets when detected by a signature.

The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

Duplicate entry found error shown when assigning multiple dialup IPsec tunnels with the same secondary IP in the GUI.

FortiGate not sending its external interface IP in the IKE negotiation (Google Cloud Platform).

Traffic is dropped in policy-based mode with FEC and NTurbo enabled.

Site-to-site IPsec VPN cannot establish in asymmetric routing scenario where the IPsec VPN bound interface is a loopback interface.

Exchanging IPs does not work with multiple dynamic tunnels.

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

An iked kernel panic occurs whenever a large download is initiated over an IPsec dialup tunnel.

Routes are not added or removed as expected when failover occurs with IPsec FGSP HA.

Traffic is failing on dialup VPN IKEv2 with EAP authentication.

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

In an IPsec tunnel XAuth with RADIUS, the RADIUS Accounting Stop packet is missing the Acct-Input-Octets/Acct-Output-Octets attribute.

Kernel crash occurs with FEC enabled on IPsec VPN when corrupted packets are received.

IKE idle timeout timers continue running when the HA state switches to secondary.

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

Local out dialup IPsec traffic does not match policy-based routes.

The ADVPN forwarder does not currently track the shortcut query that it forwards. Shortcut queries and replies are forwarded or terminated solely based on the route lookup.

IKE HA resynchronizes the synchronized connection without an established IKE SA.

TCP SYN-ACKs are silently dropped if the traffic is sourced from a dialup IPsec tunnel and UTM is enabled.

Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.

If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.

Tunnel interface MTU settings do not work when net-device is enabled in phase 1.

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

In an IPsec aggregate tunnel interface where one of the members is down and has an MTU of zero, and the other tunnel is up and has a non-zero MTU, the interface will take the minimum of both MTU values, which is zero. This results in no traffic going in the outbound direction.

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

FortiAnalyzer OFTP connection is re-initialized every 30 seconds when the FortiGate connects to an unauthorized FortiAnalyzer.

On the Log & Report > SSL page, the Service for SSL logs is displayed as FTPS instead of SSL.

Logs are missing on FortiGate Cloud from a certain point.

Syslogd is using the wrong source IP when configured with interface-select-method auto.

SSL VPN tunnel down event log (log ID 39948) is missing.

Need to add the MIGSOCK send handler to flush the queue when the first item is added to the syslog queue to avoid logs getting stuck.

Unknown interface is shown in flow-based UTM logs.

The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.

Unable to set source IP for FortiCloud unless FortiCloud is already activated.

WAD crashes due to RCX having a null value.

WAD SSL crash due to wrong cipher options chosen.

WAD memory leak causes device to go into conserve mode.

WAD crash on wad_hash_map_del.

SSL renegotiation fails when Firefox offers TLS 1.3, but the server decides to use TLS 1.2.

Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

WAD crashes when firewall FQDN address is null.

diagnose wad stats policy list does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.

WAD encounters signal 11 crash when adding user information.

Web proxy forward server group could not recover sometimes if the FQDN is not resolved.

When a timeout happens while forticron is downloading a file, the original downloaded file is not be deleted, so the next successful download has extra data in front.

Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.

Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.

WAD crashes due to memory corruption.

WAD memory spike when downloading files larger than 4 GB.

High CPU usage in proxy-based policy with deep inspection and IPS sensor.

WAD crashes if the certificate authentication request context is not closed in the following scenarios: when fnbamd returns a failure certificate authentication result or no response; and when the CA certificate is updated and the certificate cache is flushed.

HTTPS traffic gets SSL error when deep inspection and an AV of file filter profile are enabled.

Update various REST API endpoints to prevent information in other VDOMs from being leaked.

httpsd crashes due to GET /api/v2/log/.../virus/archive request when the mkey is not provided.

LDAP traffic that originates from the FortiGate is not following SD-WAN rule.

For DSL interface, adding static route with set dynamic-gateway enable does not add route to routing table.

Suggest adding an option for NetFlow to use SD-WAN.

TCP session drops between virtual wire pair with auto-asic-offload enabled in policy.

BFD neighborship is lost between hub and spoke. One side shows BFD as down, and other side does not show the neighbor in the list.

set interface-select-method takes a long time to take effect for DNS local out traffic when the source IP is specified.

Improve the help text for distance to indicate that 255 means unreachable.

ADVPN does not work with RIP as the routing protocol when net-device is enabled.

PIM/PIM6 does not send out unicast packet with the correct source IP if interface is not specified.

Disconnected from FortiAnalyzer events reported when the interface-select-method is set to specify, and the interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection.

ZEBOS launcher is unable to start and crashes constantly if aspath has more than 80 characters in the config router router-map > set-aspath setting.

OSPFv3 cannot install IPv6 ECMP routes when both ABR next hops are in the same subnet.

Multicast streams sourced on SSL VPN client are not registered in PIM-SM.

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

ACI SDN connector (connected by aci-direct) shows curl error 7 when updating from second VDOM.

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

When CSF root synchronizes a large automation setting (over 16000) to the downstream FortiGate, csfd crashes while trying to process the relay message.

The variable %%date%% resolves into 1900-01-00 instead of actual date when the schedule trigger type is used.

Security rating Issue with unused deny policies.

AV & IPS DB Update automation trigger is not working when clicking Update Licenses & Definitions Now in the GUI.

The policy script-src 'self' will block the SSL VPN proxy URL.

Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.

set banned-cipher command does not work for TLS 1.3.

Ciphers with ARIA, AESCCM, and CHACHA cannot be banned for SSL VPN.

SSL VPN firewall policy creation via CLI does not require setting user identity.

DCE/RPC sessions are randomly dropped (no session matched).

SSL VPN authentication fails for PKI user with LDAP.

SAML login failure when a user belongs to multiple groups associated with multiple VPN realms.

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

SSL VPN connection breaks when deleting irrelevant CA and PKI is involved.

SSL VPN bookmarks are not working correctly with multiple SD-WAN zones.

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

The map integrated in the public site is not visible when using SSL VPN web mode.

The wildcard matching method does not always work as expected because the kernel sometimes does not have the address yet.

Internal webpage with JavaScript is not loading in SSL VPN web mode.

The wildcard FQDN does not always work reliably in cases where the kernel does not have the address yet.

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

Slow RDP response when using SSL VPN web mode access.

Some links and buttons are not working properly when accessing them through SSL VPN web mode.

If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.

FortiClient error message is not pertinent when the client does not meet host checking requirements.

Memory occupied by the SSL VPN daemon increases significantly while the process is busy.

SSL VPN RDP bookmark is not working when using Chrome 93 32-bit. Firefox 64-bit and Chrome 64-bit are still not supported on Windows 32-bit.

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

RADIUS accounting messages after SSL VPN do not include the Class attribute (Group name).

Internal web server page, https://te***.ss***.es:10443, is not loading properly in SSL VPN web mode.

Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.

Remove the maximum check for resolution of RDP/VNC in web portal.

SSL VPN login authentication times out if primary RADIUS server becomes unavailable.

Keyboard keys do not work with RDP bookmarks when PT-BR and PT-BR-ABNT2 layouts are chosen.

VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.

SSL VPN web mode has issues accessing https://e***.or***.kr.

Outdated OS support for host check should be removed.

SSL VPN bookmark of VNC is not using ZRLE compression and consumes more bandwidth to end clients.

Extend skip-check-for-unsupported-os to support the same OS type but different OS versions.

SSL VPN bookmark issues with internal website.

NPU offload is disabled for IPsec over pure EMAC VLANs (EMAC interfaces without VLAN IDs).

There are no kernel routing updates when the session is re-initialized at the DSLAM side. DSL creates a default route to 240.0.0.1 after changing any configuration on the DSL interface.

VPN throughput dropped when FEC is enabled.

The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.

SoC3 platforms may encounter kernel panic in cases when a PKCE IOCTL wait event is interrupted by WAD diagnose CLI commands.

System halts after running execute update-now in FIPS-CC mode.

NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface.

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

Lack of null pointer check in NP6XLite driver may lead to kernel panic. Affected models: FG-40F, FG-60F, and FG-101F.

On FG-40F, get NP6XLITE: failed to read lif accounting message on console.

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

DSL creates a default route to 240.0.0.1 after changing any configuration on a DSL interface.

IPv6 health check cannot send probe packets even if the IPv6 gateway is configured under configure members view.

SFP port status is not correct under get system interface transceiver due to incorrect i2c reading/writing. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

port1 physical status is down. Affected models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.

Support gtp-enhance-mode (GTP-U) on FG-3815D.

QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.

FG-1500D reboots suddenly after COMLog reported kernel panic and voipd is tainted.

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

Split-task VDOM does not update IPS/AV from ha-direct connected internal FortiManager.

Kernel panic on FG-101F due to lack of null pointer check on NP6XLite driver.

LLDP transmission fails if there are nested software switches.

FortiGuard DDNS does not update the IP address when the PPPoE reconnects.

Interoperability issue between FortiGate aggregate interface and Cisco 9K switch.

Unexpected output in get system interface transceiver. Affected models: FG-110xE, FG-220xE, FG-330xE, FG-340xE, FG-360xE, and FG-390xE.

Multiple SFP ports on Nexus 7K go into a suspended state as no LACP PDUs are received.

SFP28 ports on FG-340xE/FG-360xE cannot receive or transmit packets when the speed is set to 1000full. This issue is triggered by warm rebooting the FortiGate/Cisco switch or disconnecting the fiber cable.

The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

Packets are dropped for 30 seconds during or after massive configuration commit.

NTurbo does not work with EMAC VLAN interface.

SFP interface is set as 1000full is down after rebooting.

SFP28 port flapping when the speed is set to 10G.

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again.

FortiGate often enters conserve mode due to high memory usage by httpsd process.

Account profile settings changed after firmware upgrade.

Fragmented SKB size occurs if the tail room is too small to carry the NTurbo vtag, which causes packets to be dropped.

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

Power supply 2 DC is lost log only appears when unplugging the power cable from power supply 2.

HPE setting of NTurbo host queue is missing and causes IPS traffic to stop when HPE is enabled.

FG-600E copper speed LED does not work.

NTP daemon is not responding when using the manual setting.

Quarantined IP is not synchronized in FortiController mode.

DNS FQDN was not synchronized amongst all the working blade, so each blade might have different IP from the same FQDN. If policy a uses the FQDN as the address, it will cause the IP address of FQDN to not be in the list for the current blade, so the traffic will not match this FQDN policy.

DHCP discovery dropped on virtual wire pair when UTM is enabled.

Multiple processes crashing at the same time causes the device's management functionality to be unavailable when the packet size is smaller than FSAE_HEADER_SIZE(6).

DNS query timeout log generated for first entry in DNS domain list when multiple domains are added.

SNMP trap packets are sometimes not sent from the primary ha-direct interface to all SNMP managers after upgrading.

VLAN ID is not taken into consideration at the session level for traffic crossing NP7 platforms.

Connectivity issue with FortiGuard after upgrading from 7.0.0 to 7.0.1 when ha-direct is enabled.

Add support for FS-TRAN-FX 100 Mbps SFP optical transceivers on the FGR-60F and FGR-60F-3G4G models. Previously, there was no I2C reading/writing handler in drivers for FGR-60F and FGR-60F-3G4G.

FortiGate sends CSR configuration without double quote (") to FortiManager.

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

Parsing FFDB may cause a crash when loading at reboot if the versions of FFDB_APP and FFDB_GEO_ID_FILE are different.

DDNS hostname is not correct when two VDOMs are configured.

DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.

get system checksum status should only display checksums for VDOMs the current user has permissions for.

Default FortiLink configuration on FG-81F running versions 6.4.6 to 6.4.8 does not work as expected.

Unexpected behavior of SNMP fgLogDeviceCachedCount value for syslog.

Client traffic from VLAN to VXLAN encapsulation traffic is failing after upgrading from 6.2.7 to 6.4.6.

Traffic logs reports ICMP destination as unreachable for received traffic

When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.

FG-40F has a newcli signal 11 crash.

FortiGate receives Firmware image without valid RSA signature loaded error when loading the image from FortiCloud.

Static ARP entry was removed while using DHCP relay.

SoC3 platforms failed to boot up when upgrading from 6.2.10 or 6.4.8.

Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.

When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.

Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.

Packet loss on the LAG interface (eight ports) using SFP+/SFP28 ports in both static and active mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

NP7 platforms will very sparsely stop forwarding traffic with the root cause at QTM.

Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.

When updated related configurations change, the updated configurations may crash.

On SoC4-based FortiGates (FG-40F, FG-60F, FG-80F, FG-100F) the outbound bandwidth in the bandwidth widget does not adhere to the outbandwidth setting.

DDNS interface update status can get stuck if changes to the interface are made rapidly.

Kernel panic occurs on FG-90E after upgrading to 6.4.7.

High CPU usage on platforms with low free memory upon IPS engine initialization.

On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match the outbandwidth setting.

Slow memory leak in IPS engine 6.091, which persists in 6.107.

Outbandwidth setting does not work in NP7 models when UTM/NTurbo is enabled.

Hardware logs sent to syslog server with an incorrect timestamp in hyperscale mode.

Kernel panic occurs when adding and deleting LAG members on NP6 models.

FG-5001D backplane interfaces did not work in FG-5913C SLBC system.

Discrepancy between session count and number of active sessions; sessions number creeps high, causing high memory utilization.

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

dhcpd is not processing discover messages if they contain a 0 length option, such as 80 (rapid commit). The warning, length 0 overflows input buffer, is displayed.

MAC address group is missing in the configuration after upgrading if it has members with other address groups that come behind the current one.

LLDP neighbors cannot be seen on virtual switch ports.

FortiGate is unable to verify the CA chain of the FSSO server if the chain is not directly rooted to FSSO endpoint.

Memory leaks and crashes observed during stress long duration performance test when using FortiToken Cloud.

FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.

When a GUI administrator certificate, admin-server-cert, is provisioned via SCEP, the FortiGate does not automatically offer the newly updated certificate to HTTPS clients. FortiOS 7.0.0 and later does not have this issue.

Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.

diagnose fortitoken-cloud sync fails when user email address is longer than 35 characters.

FSSO user fails to log in with principal user name.

There are unknown user logins on the FortiGate and the logs do not have any information for the unknown user.

LLDP neighbors cannot be seen on virtual switch ports.

DST_Root_CA_X3 certificate is expired.

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

The fnbamd process spikes to 99% or crashes during RADIUS authentication.

FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid.

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for ESP protocol (instead of IP/50 ) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

NSX connector stops updating addresses sometimes.

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

Unable to block webpages present in the external list when accessing them through the Google Translate URL.

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

MAC authentication bypass is not working for some clients.

Unable to quarantine hosts behind FortiAP and FortiSwitch.

FG-5001D is unable to display managed FortiAPs after upgrading.

Some Apple devices cannot handle 303/307 messages, and may loop to load the external portal page and fail to pass authentication. Some Android devices cannot process JavaScript redirect messages after users submit their username and password.

FortiGate is not recognizing attribute 49, Acct-Terminate-Cause Value (6) Admin Reset, from RFC 2866.

802.1X clients are disconnected following a FortiGuard update.

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to 0.0.0.0 after using the FortiGate address.

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2022-22306

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2022-22306

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2021-41032

FortiOS 6.4.9 is no longer vulnerable to the following CVE References:

• CVE-2021-3711
• CVE-2021-3712

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2021-42755

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2021-42757

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2021-43081

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2022-22299

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2022-23442

FortiOS 6.4.9 is no longer vulnerable to the following CVE Reference:

• CVE-2021-43072