Known issues

The following issues have been identified in version 7.0.0. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

705591

When av-scan is enabled on the load end box, the FortiGate CPU hits 100% for over one minute. Such high CPU might cause WAD daemon signal 6 abort during that period.

Endpoint Control

Bug ID

Description

707388

When EMS has an offline status, most of the time the FortiClient de-registers from EMS and the client certificate will be empty in the web browser certificate store.

Workaround: configure the FortiGate access proxy with set empty-cert-action block to block the SSL handshake if the client certificate is empty.

Explicit Proxy

Bug ID

Description

708851

When visiting a website for the first time in Firefox, the disclaimer page is shown and the webpage loads normally. When visiting a website for a second time, Firefox may take a few minutes to show the disclaimer and then another few minutes to load the webpage.

Workaround: use Chrome and Edge to visit websites.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

Workaround: do not click the OK button. Click the Cancel button to close the page.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

Workaround: manage the option from the CLI.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

701742

Items added to Favorites are lost after a logout or reboot.

704618

When the login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

708121

After a user creates or edits an SSID interface, the GUI incorrectly navigates to the interfaces list instead of the SSIDs list.

708211

Administrators with VDOM scope cannot change their own password in the GUI.

Workaround: use the CLI to change the password.

708947

Policy dialogs (Firewall, NAT46, NAT64, Proxy) sometimes get stuck loading due to an error when generating a security rating report.

Workaround: manually re-run the security rating report from the Security Fabric > Security Rating page.

720657

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

Workaround: use the CLI.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

734417

GUI incorrectly displays a warning saying there is not a valid upgrade path when upgrading firmware from 7.0.0 or 7.0.1 to 7.0.1 or 7.0.2.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

Workaround: use the CLI.

HA

Bug ID

Description

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

717525

FortiGate sends its serial number at the beginning of the file path via TFTP backup for CLI automation script or automation stitch when in the cluster.

717785

HA primary does not send anti-spam and outbreak prevention license information to the secondary.

Intrusion Prevention

Bug ID

Description

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

691718

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

708940

When ADVPN with BGP has routing-protocol and link-down-failover enabled, establishing the ADVPN shortcut causes the BGP neighbor to flap and affects traffic.

Proxy

Bug ID

Description

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

724670

Crash seen in WAD user information daemon when updating user group count upon user log off.

727629

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

Security Fabric

Bug ID

Description

726831

Security rating for Local Log Disk Not Full reporting as failed for FortiGate models without log disks.

SSL VPN

Bug ID

Description

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

System

Bug ID

Description

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

644782

A large number of detected devices causes httpsd to consume resources, and causes entry-level devices to enter conserve mode.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

708228

A DNS proxy crash occurs during ssl_ctx_free.

712506

25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.

715978

NTurbo does not work with EMAC VLAN interface.

721119

The forticron process uses high CPU.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

751715

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

756713

Packet loss on the LAG interface (eight ports) using SFP+/SFP28 ports in both static and active mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

Upgrade

Bug ID

Description

701571

After upgrading from 6.4.5 to 7.0.0, all flow-based policies are switched to proxy if there is a SIP profile attached to the firewall policy.

708250

Console prints __set_clr_flag:wwan ioctl failed, flag:0x0200 errno:19 when upgrading from 6.4.5 to 7.0.0.

713724

SD-WAN health check over IPsec interfaces no longer works if there is a specified gateway under the IPsec SD-WAN member.

Workaround: remove the specified gateway.

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

750551

DST_Root_CA_X3 certificate is expired.

Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

WAN Optimization

Bug ID

Description

702876

FortiGate web cache does not work in proxy mode.

WiFi Controller

Bug ID

Description

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.
