Fortinet Document Library


Known issues

The following issues have been identified in version 7.0.0. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

705591

When av-scan is enabled on the load end box, the FortiGate CPU hits 100% for over one minute. Such high CPU might cause WAD daemon signal 6 abort during that period.

Endpoint Control

Bug ID

Description

678370

Implement FortiOS side of EMS public address API.

707388

When EMS has an offline status, most of the time the FortiClient de-registers from EMS and the client certificate will be empty in the web browser certificate store.

Workaround: configure the FortiGate access proxy with set empty-cert-action block to block the SSL handshake if the client certificate is empty.

708545

The WAD daemon is triggered to fetch the FortiClient information based on a ZTNA EMS tag enabled for checking in a proxy policy. It is then possible to get a ZTNA EMS tag in the firewall dynamic address and get the expected traffic control.

Explicit Proxy

Bug ID

Description

697566

Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7.

708851

When visiting a website for the first time in Firefox, the disclaimer page is shown and the webpage loads normally. When visiting a website for a second time, Firefox may take a few minutes to show the disclaimer and then another few minutes to load the webpage.

Workaround: use Chrome and Edge to visit websites.

Firewall

Bug ID

Description

591721

Viewing a firewall shaping policy from GUI will unset the traffic shaper if the class ID and traffic shaper are both configured.

621453

FortiGate cannot get the FortiClient vulnerability detailed information from FortiAnalyzer.

645010

Misleading GUI error when policy lookup fails due to source IP route lookup.

653137

VIP object associated with SD-WAN member interface should not be filtered out from omni-select list of destination addresses.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

681893

Firewall policy Last Used information is different in the CLI and GUI.

707659

New ISDB object is not indicated in the GUI.

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

712580

When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN&bsol;username. The user is displayed with a \ in the CLI.

GUI

Bug ID

Description

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

610572

If a guest user logs in via a WiFi portal while the administrator is actively editing the user's account in the GUI, after the administrator clicks OK in the user edit dialog, the user's current login session will not be subjected to the configured expiration time. The expiration time will be applied for the next login.

Workaround: click Cancel instead of OK to close the page.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

647431

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

665597

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

674548

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

677806

State of IPsec tunnel interfaces that do not belong to the management VDOM show up in global view.

685431

GUI policy page takes around 30 seconds to load 24K policies.

686592

GUI does not display statistical information on SD-WAN Performance SLA page.

690666

Enabling daylight saving time (DST) results in GUI and CLI system time differences when DST is active (end of March to end of October).

691620

Use Account Entitlement when checking for FSAC contract.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured. The workaround is to manage the option from the CLI.

696573

Firewall policy is not visible in GUI when using set internet-service src enable.

701742

Items added to Favorites are lost after a logout or reboot.

704209

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

704618

When the login banner is enabled and the user is forced to log in again to the GUI (due to password change or enabling VDOMs), the user may see a Bad Gateway error.

Workaround: refresh the browser.

706711

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708121

After a user creates or edits an SSID interface, the GUI incorrectly navigates to the interfaces list instead of SSIDs list.

708211

Administrators with VDOM scope cannot change their own password in the GUI.

Workaround: use the CLI to change the password.

708467

Cannot configure ZTNA to enable an IP or MAC filter type firewall policy to add ZTNA tag.

708947

Policy dialogs (firewall, NAT46, NAT64, proxy) sometimes get stuck loading due to an error when generating a security rating report.

Workaround: manually re-run the security rating report from the Security Fabric > Security Rating page.

710946

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

713580

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

715256

When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI.

717405

Tooltip for FortiSandbox Cloud shows status as Unreachable or not authorized.

719620

Interface page keeps loading when the administrator user has netgrp read-write permissions only and the interface contains IPsec VPN.

HA

Bug ID

Description

678145

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

692384

High memory usage of hasync process on FGCP passive device.

698732

Cloned policy where some settings are changed to deny contains unneeded configuration.

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group | memory> after HA hbdev configuration changes.

711962

Incorrect value shown in GUI for the HA secondary unit's uptime.

714113

GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception.

717525

FortiGate sends its serial number at the beginning of the file path via TFTP backup for CLI automation script or automation stitch when in the cluster.

IPsec VPN

Bug ID

Description

691718

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

708940

When ADVPN with BGP has routing-protocol and link-down-failover enabled, establishing the ADVPN shortcut causes the BGP neighbor to flap and affects traffic.

713763

IPsec aggregate is not sending outbound ESP traffic on FortiOS 7.0.

Log & Report

Bug ID

Description

710344

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

Proxy

Bug ID

Description

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

701513

WAD encounters segmentation fault crash at wad_http_scan_engine__on_unblock.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

REST API

Bug ID

Description

597494

REST API incorrectly returns error code 401 (authentication error) instead of 403 (authorization error) for requests that pass the authentication check but are not permitted to access the resource.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

670031

LDAP traffic that originates from the FortiGate is not following SD-WAN rule.

682455

Checkmark is not shown beside the interface currently selected by the SD-WAN rules (Network > SD-WAN Rules page).

697645

FortiGate deletes prefix-list configuration due to concurrent administrator SSH sessions.

699122

Issues with SD-WAN zone's availability to select it as an OSPF interface.

701027

No speed test button for PPPoE interface in GUI on Interfaces page.

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

707713

Restore the change of routing code so the tunnel ID is a legitimate unicast address.

708614

Firewall policy rule with destination interface as virtual-wan-link cannot match traffic in some cases.

719788

Policy Routes GUI page does not show red exclamation mark when a source or destination is negated, like on Firewall Policy page.

Security Fabric

Bug ID

Description

672218

Root FortiGate VDOM topology view page still shows CSF tree for all VDOMs if set to multi-VDOM mode.

685642

Link to Login to FortiAnalyzer on Physical Topology page does not open, and FortiAnalyzer HTTPS is no longer configured on port 443.

708172

Automation stitch action does not work when trigger is an AV and IPS database update.

714807

Security rating two-factor authentication test shows as failed for IPsec and SSL VPN, but all users have two-factor authentication enabled.

718469

Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.

718581

If HA management interface is configured, the Kubernetes connector fails to connect.

719029

Automation stitch action no longer understands %%log.date%% and %%log.time%% variables.

SSL VPN

Bug ID

Description

550819

guacd is consuming too much memory and CPU resources during operation.

695763

FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

Switch Controller

Bug ID

Description

682430

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

699533

In FortiOS 7.0.0, the default authentication protocol for a switch controller SNMP user is SHA256, as opposed to the default SHA1 in previous versions.

717506

Unable to add description on shared FortiSwitch port.

System

Bug ID

Description

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

627734

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

644616

NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface.

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

666418

SFP interfaces on FG-330xE do not show link light.

674616

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

678704

FortiGate cannot join FortiManager.

679035

NP6 drops and bandwidth is limited to under 10 Gbps.

685674

FortiGate did not restart after restoring the backup configuration.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

699358

Cannot change FEC (forward error correction) on port group 13-16.

700272

ddnsd did not update the new IP address of dynupdate.no-ip.com, so it failed to connect to the DDNS server.

700314

ARP reply sent out by FortiGate but was not received on neighbor device.

701911

FortiGate entered conserve mode (service=kernel), possibly due to large number of log creation requests.

710934

FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

712506

25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.

713529

HTTPSD crashes multiple times.

715043

Guest Management page Expire column shows incorrect value for guest groups when set to expire after on first login.

Upgrade

Bug ID

Description

701571

After upgrading from 6.4.5 to 7.0.0, all flow-based policies are switched to proxy if there is a SIP profile attached to the firewall policy.

708250

Console prints __set_clr_flag:wwan ioctl failed, flag:0x0200 errno:19 when upgrading from 6.4.5 to 7.0.0.

710465

Policy inspection mode gets changed to proxy after upgrading to 7.0.0.

713724

SD-WAN health check over IPsec interfaces no longer works if there is a specified gateway under the IPsec SD-WAN member.

Workaround: remove the specified gateway.

713878

Under config system dns-database, the set type slave configuration in 6.4.5 does not change to set type secondary after upgrading to 7.0.0.

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

698602

LDAP query from GUI does work in non-management and non-root VDOM.

704708

Local CA certificate, Fortinet_CA_SSL, cannot be restored from saved configuration file after the FortiGate factory reset.

707868

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

VM

Bug ID

Description

685782

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

710941

FortiOS GUI shows Unable to connect to FortiGuard servers warning when offline license is being used.

713279

After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period.

714682

GENEVE tunnel with loopback interface is not working.

719655

IPsec does not work on FG-VM after upgrading to 7.0.

WAN Optimization

Bug ID

Description

702876

FortiGate web cache does not work in proxy mode.

Web Filter

Bug ID

Description

593203

Cannot enter a name for the web rating override or save it due to name input error.

WiFi Controller

Bug ID

Description

529727

The configured MAC address of the VAP interface did not take effect after rebooting.

645328

Operating channel is 0 for both radios of FAP-421E.

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

685593

Spectrum analysis graphs only present a portion of the data for monitor mode radio when X-Axis is MHz.

703685

VLAN-tagged CAPWAP traffic was dropped by NP6XLite FortiGate when FortiAP is connected through aggregate FortiLink FortiSwitch.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.
