Fortinet Document Library

Known issues

The following issues have been identified in version 7.0.0. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

705591

When av-scan is enabled on the load end box, the FortiGate CPU hits 100% for over one minute. Such high CPU might cause WAD daemon signal 6 abort during that period.

Endpoint Control

Bug ID

Description

707388

When EMS has an offline status, most of the time the FortiClient de-registers from EMS and the client certificate will be empty in the web browser certificate store.

Workaround: configure the FortiGate access proxy with set empty-cert-action block to block the SSL handshake if the client certificate is empty.

708545

The WAD daemon is triggered to fetch the FortiClient information based on a ZTNA EMS tag enabled for checking in a proxy policy. It is then possible to get a ZTNA EMS tag in the firewall dynamic address and get the expected traffic control.

Explicit Proxy

Bug ID

Description

697566

Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7.

708851

When visiting a website for the first time in Firefox, the disclaimer page is shown and the webpage loads normally. When visiting a website for a second time, Firefox may take a few minutes to show the disclaimer and then another few minutes to load the webpage.

Workaround: use Chrome and Edge to visit websites.

Firewall

Bug ID

Description

591721

Viewing a firewall shaping policy from GUI will unset the traffic shaper if the class ID and traffic shaper are both configured.

621453

FortiGate cannot get the FortiClient vulnerability detailed information from FortiAnalyzer.

645010

Misleading GUI error when policy lookup fails due to source IP route lookup.

653137

VIP object associated with SD-WAN member interface should not be filtered out from omni-select list of destination addresses.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

681893

Firewall policy Last Used information is different in the CLI and GUI.

707659

New ISBD object is not indicated in the GUI.

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

712580

When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN&bsol;username. The user is displayed with a \ in the CLI.

722543

The Used Quota cannot be sorted on the FortiGuard Quota Monitor.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

589231

When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message Invalid IP/Wildcard mask. is displayed.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

Workaround: do not click the OK button. Click the Cancel button to close the page.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

647431

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

665597

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

674548

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

686592

GUI does not display statistical information on SD-WAN Performance SLA page.

690666

Enabling daylight saving time (DST) results in GUI and CLI system time differences when DST is active (end of March to end of October).

691620

Use Account Entitlement when checking for FSAC contract.

695264

The save function does not work as expected for policies with certain applications selected.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

Workaround: manage the option from the CLI.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

701442

Cannot access GUI for FortiGate in FIPS-CC mode.

701742

Items added to Favorites are lost after a logout or reboot.

704209

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

704503

Routing monitor is slow to load or does not load when the user has a full routing table.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

706340

When editing a firewall policy, copying and pasting in the Comments field gives an error.

706711

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

706982

Unable to edit interface address, get Bits of the IP address will be truncated by the subnet mask error.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

708121

After a user creates or edits an SSID interface, the GUI incorrectly navigates to the interfaces list instead of SSIDs list.

708211

Administrators with VDOM scope cannot change their own password in the GUI.

Workaround: use the CLI to change the password.

708467

Cannot configure ZTNA to enable an IP or MAC filter type firewall policy to add ZTNA tag.

708947

Policy dialogs (Firewall, NAT46, NAT64, Proxy) sometimes get stuck loading due to an error when generating a security rating report.

Workaround: manually re-run the security rating report from the Security Fabric > Security Rating page.

710220

Unable to download MIB files from FortiGate.

710946

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

713580

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

715256

When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI.

716986

GUI and REST API show incorrect reference count for web filter after adding and removing it from a policy.

717405

Tooltip for FortiSandbox Cloud shows status as Unreachable or not authorized.

719620

Interface page does not load for an administrator user with netgrp read-write permissions and an IPsec VPN is configured.

720006

GUI always shows duplicate entry when trying to create a NAC dynamic address and other types of firewall addresses.

720657

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

Workaround: use the CLI.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

734417

GUI incorrectly displays a warning saying there is not a valid upgrade path when upgrading firmware from 7.0.0 or 7.0.1 to 7.0.1 or 7.0.2.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

Workaround: use the CLI.

HA

Bug ID

Description

678145

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

692384

High memory usage of hasync process on FGCP passive device.

698732

Cloned policy where some settings are changed to deny contains unneeded configuration.

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

711962

Incorrect value shown in GUI for the HA secondary unit's uptime.

714113

GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception.

717525

FortiGate sends its serial number at the beginning of the file path via TFTP backup for CLI automation script or automation stitch when in the cluster.

697066

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

709382

Creating an aggregate interface in HA causes the VMAC resolution to fail.

Intrusion Prevention

Bug ID

Description

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

691718

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

708870

After failover, the static tunnel interface's remote IP static routes are missing on the new primary.

708940

When ADVPN with BGP has routing-protocol and link-down-failover enabled, establishing the ADVPN shortcut causes the BGP neighbor to flap and affects traffic.

713763

IPsec aggregate is not sending outbound ESP traffic on FortiOS 7.0.

719655

IPsec does not work in FG-VM after upgrading to 7.0.

Log & Report

Bug ID

Description

710344

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

Proxy

Bug ID

Description

701513

WAD encounters segmentation fault crash at wad_http_scan_engine__on_unblock.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

724670

Crash seen in WAD user information daemon when updating user group count upon user log off.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

597494

REST API incorrectly returns error code 401 (authentication error) instead of 403 (authorization error) for requests that pass the authentication check but are not permitted to access the resource.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

682455

Checkmark is not shown beside the interface currently selected by the SD-WAN rules (Network > SD-WAN Rules page).

697645

FortiGate deletes prefix-list configuration due to concurrent administrator SSH sessions.

699122

Issues with SD-WAN zone's availability to select it as an OSPF interface.

701027

No speed test button for PPPoE interface in GUI on Interfaces page.

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

707713

Restore the change of routing code so the tunnel ID is a legitimate unicast address.

708614

Firewall policy rule with destination interface as virtual-wan-link cannot match traffic in some cases.

719788

Policy Routes GUI page does not show red exclamation mark when a source or destination is negated, like on Firewall Policy page.

Security Fabric

Bug ID

Description

685642

Link to Login to FortiAnalyzer on Physical Topology page does not open, and FortiAnalyzer HTTPS is no longer configured on port 443.

708172

Automation stitch action does not work when trigger is an AV and IPS database update.

714807

Security rating two-factor authentication test shows as failed for IPsec and SSL VPN, but all users have two-factor authentication enabled.

718469

Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.

718581

If HA management interface is configured, the Kubernetes connector fails to connect.

719029

Automation stitch action no longer understands %%log.date%% and %%log.time%% variables.

722950

Topology page is empty in robot Security Fabric setup.

726831

Security rating for Local Log Disk Not Full reporting as failed for FortiGate models without log disks.

SSL VPN

Bug ID

Description

693347

Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic.

695763

FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

Switch Controller

Bug ID

Description

682430

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

699533

In FortiOS 7.0.0, the default authentication protocol for a switch controller SNMP user is SHA256, as opposed to the default SHA1 in previous versions.

717506

Unable to add description on shared FortiSwitch port.

System

Bug ID

Description

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

627734

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

666418

SFP interfaces on FG-330xE do not show link light.

674616

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

678704

FortiGate cannot join FortiManager.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

699358

Cannot change FEC (forward error correction) on port group 13-16.

700272

ddnsd did not update the new IP address of dynupdate.no-ip.com, so it failed to connect to the DDNS server.

700314

ARP reply sent out by FortiGate but was not received on neighbor device.

701911

FortiGate entered conserve mode (service=kernel), possibly due to large number of log creation requests.

703872

Unable to change speed and status of hardware switch member on SoC3 and SoC4 platforms with virtual switch feature.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

710934

FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

712203

Memory leak happens in forticron process, if GUI REST API caching is enabled.

712506

25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.

715043

Guest Management page Expire column shows incorrect value for guest groups when set to expire after on first login.

715048

When there is no PRP setting in the 6.4 configuration, after upgrading from 6.4 to 7.0, kernel panic happens after enabling PRP.

715978

NTurbo does not work with EMAC VLAN interface.

717203

When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command not to be sent to FortiManager since cmdbsvr has finished sending it, but the last command is not yet stored in the auto update file.

721789

Account profile settings changed after firmware upgrade.

723491

When ACME service is enabled on an interface, HTTPD responds to HTTP TRACE method with HTTP 200 OK.

723643

FortiGate NTP server cannot synchronize time for Linux client on IPv6.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

Upgrade

Bug ID

Description

701571

After upgrading from 6.4.5 to 7.0.0, all flow-based policies are switched to proxy if there is a SIP profile attached to the firewall policy.

708250

Console prints __set_clr_flag:wwan ioctl failed, flag:0x0200 errno:19 when upgrading from 6.4.5 to 7.0.0.

710465

Policy inspection mode gets changed to proxy after upgrading to 7.0.0.

713724

SD-WAN health check over IPsec interfaces no longer works if there is a specified gateway under the IPsec SD-WAN member.

Workaround: remove the specified gateway.

713878

Under config system dns-database, the set type slave configuration in 6.4.5 does not change to set type secondary after upgrading to 7.0.0.

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

698602

LDAP query from GUI does work in non-management and non-root VDOM.

704708

Local CA certificate, Fortinet_CA_SSL, cannot be restored from saved configuration file after the FortiGate factory reset.

707868

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

712354

Firewall policy does not allow multiple SAML users that reference the same SAML server.

VM

Bug ID

Description

685782

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

710941

FortiOS GUI shows Unable to connect to FortiGuard servers warning when offline license is being used.

713279

After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period.

714682

GENEVE tunnel with loopback interface is not working.

WAN Optimization

Bug ID

Description

702876

FortiGate web cache does not work in proxy mode.

Web Filter

Bug ID

Description

593203

Cannot enter a name for the web rating override or save it due to name input error.

WiFi Controller

Bug ID

Description

529727

The configured MAC address of the VAP interface did not take effect after rebooting.

645328

Operating channel is 0 for both radios of FAP-421E.

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

685593

Spectrum analysis graphs only present a portion of the data for monitor mode radio when X-Axis is MHz.

703685

VLAN-tagged CAPWAP traffic was dropped by NP6XLite FortiGate when FortiAP is connected through aggregate FortiLink FortiSwitch.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

Known issues

The following issues have been identified in version 7.0.0. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

705591 When av-scan is enabled on the load end box, the FortiGate CPU hits 100% for over one minute. Such high CPU might cause WAD daemon signal 6 abort during that period.

Endpoint Control

Bug ID

Description

707388

When EMS has an offline status, most of time the FortiClient de-registers from EMS and the client certificate will be empty in web browser certificate store.

Workaround: configure the FortiGate access proxy with set empty-cert-action block to block the SSL handshake if the client certificate is empty.

708545

The WAD daemon is triggered to fetch the FortiClient information based on a ZTNA EMS tag enabled for checking in a proxy policy. It is then possible to get a ZTNA EMS tag in the firewall dynamic address and get the expected traffic control.

Explicit Proxy

Bug ID

Description

697566

Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7.

708851

When visiting a website for the first time in Firefox, the disclaimer page is shown and the webpage loads normally. When visiting a website for a second time, Firefox may take a few minutes to show the disclaimer and then another few minutes to load the webpage.

Workaround:use Chrome and Edge to visit websites.

Firewall

Bug ID

Description

591721

Viewing a firewall shaping policy from GUI will unset the traffic shaper if the class ID and traffic shaper are both configured.

621453

FortiGate cannot get the FortiClient vulnerability detailed information from FortiAnalyzer.

645010

Misleading GUI error when policy lookup fails due to source IP route lookup.

653137

VIP object associated with SD-WAN member interface should not be filtered out from omni-select list of destination addresses.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

681893

Firewall policy Last Used information is different in the CLI and GUI.

707659

New ISBD object is not indicated in the GUI.

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

712580

When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN&bsol;username. The user is displayed with a \ in the CLI.

722543

The Used Quota cannot be sorted on the FortiGuard Quota Monitor.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

589231

When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message Invalid IP/Wildcard mask. is displayed.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

Workaround: do not click the OK button. Click the Cancel button to close the page.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

647431

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

665597

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

674548

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

686592

GUI does not display statistical information on SD-WAN Performance SLA page.

690666

Enabling daylight saving time (DST) results in GUI and CLI system time differences when DST is active (end of March to end of October).

691620

Use Account Entitlement when checking for FSAC contract.

695264

The save function does not work as expected for policies with certain applications selected.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

Workaround: manage the option from the CLI.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

701442

Cannot access GUI for FortiGate in FIPS-CC mode.

701742

Items added to Favorites are lost after a logout or reboot.

704209

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

704503

Routing monitor is slow to load or does not load when the user has a full routing table.

704618

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

Workaround: refresh the browser.

706340

When editing a firewall policy, copying and pasting in the Comments field gives an error.

706711

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

706982

Unable to edit interface address, get Bits of the IP address will be truncated by the subnet mask error.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

708121

After a user creates or edits an SSID interface, the GUI incorrectly navigates to the interfaces list instead of SSIDs list.

708211

Administrators with VDOM scope cannot change their own password in the GUI.

Workaround: use the CLI to change the password.

708467

Cannot configure ZTNA to enable an IP or MAC filter type firewall policy to add ZTNA tag.

708947

Policy dialogs (Firewall, NAT46, NAT64, Proxy) sometimes get stuck loading due to an error when generating a security rating report.

Workaround: manually re-run the security rating report from the Security Fabric > Security Rating page.

710220

Unable to download MIB files from FortiGate.

710946

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

713580

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

715256

When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI.

716986

GUI and REST API show incorrect reference count for web filter after adding and removing it from a policy.

717405

Tooltip for FortiSandbox Cloud shows status as Unreachable or not authorized.

719620

Interface page does not load for an administrator user with netgrp read-write permissions and an IPsec VPN is configured.

720006

GUI always shows duplicate entry when trying to create a NAC dynamic address and other types of firewall addresses.

720657

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

Workaround: use the CLI.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

734417

GUI incorrectly displays a warning saying there is not a valid upgrade path when upgrading firmware from 7.0.0 or 7.0.1 to 7.0.1 or 7.0.2.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

Workaround: use the CLI.

HA

Bug ID

Description

678145

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

692384

High memory usage of hasync process on FGCP passive device.

698732

Cloned policy where some settings are changed to deny contains unneeded configuration.

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

711962

Incorrect value shown in GUI for the HA secondary unit's uptime.

714113

GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception.

717525

FortiGate sends its serial number at the beginning of the file path via TFTP backup for CLI automation script or automation stitch when in the cluster.

697066

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

709382

Creating an aggregate interface in HA causes the VMAC resolution to fail.

Intrusion Prevention

Bug ID

Description

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

691718

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

708870

After failover, the static tunnel interface's remote IP static routes are missing on the new primary.

708940

When ADVPN with BGP has routing-protocol and link-down-failover enabled, establishing the ADVPN shortcut causes the BGP neighbor to flap and affects traffic.

713763

IPsec aggregate is not sending outbound ESP traffic on FortiOS 7.0.

719655

IPsec does not work in FG-VM after upgrading to 7.0.

Log & Report

Bug ID

Description

710344

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

Proxy

Bug ID

Description

701513

WAD encounters segmentation fault crash at wad_http_scan_engine__on_unblock.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

724670

Crash seen in WAD user information daemon when updating user group count upon user log off.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

REST API

Bug ID

Description

597494

REST API incorrectly returns error code 401 (authentication error) instead of 403 (authorization error) for requests that pass the authentication check but are not permitted to access the resource.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

Workaround: set CORS to an explicit domain.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

682455

Checkmark is not shown beside the interface currently selected by the SD-WAN rules (Network > SD-WAN Rules page).

697645

FortiGate deletes prefix-list configuration due to concurrent administrator SSH sessions.

699122

Issues with SD-WAN zone's availability to select it as an OSPF interface.

701027

No speed test button for PPPoE interface in GUI on Interfaces page.

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

707713

Restore the change of routing code so the tunnel ID is a legitimate unicast address.

708614

Firewall policy rule with destination interface as virtual-wan-link cannot match traffic in some cases.

719788

Policy Routes GUI page does not show red exclamation mark when a source or destination is negated, like on Firewall Policy page.

Security Fabric

Bug ID

Description

685642

Link to Login to FortiAnalyzer on Physical Topology page does not open, and FortiAnalyzer HTTPS is no longer configured on port 443.

708172

Automation stitch action does not work when trigger is an AV and IPS database update.

714807

Security rating two-factor authentication test shows as failed for IPsec and SSL VPN, but all users have two-factor authentication enabled.

718469

Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.

718581

If HA management interface is configured, the Kubernetes connector fails to connect.

719029

Automation stitch action no longer understands %%log.date%% and %%log.time%% variables.

722950

Topology page is empty in robot Security Fabric setup.

726831

Security rating for Local Log Disk Not Full reporting as failed for FortiGate models without log disks.

SSL VPN

Bug ID

Description

693347

Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic.

695763

FortiClient iOS 6.4.5 has a new feature that allows bypassing of 2FA for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

Switch Controller

Bug ID

Description

682430

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

699533

In FortiOS 7.0.0, the default authentication protocol for a switch controller SNMP user is SHA256, as opposed to the default SHA1 in previous versions.

717506

Unable to add description on shared FortiSwitch port.

System

Bug ID

Description

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

627734

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

666418

SFP interfaces on FG-330xE do not show link light.

674616

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

678704

FortiGate cannot join FortiManager.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

699358

Cannot change FEC (forward error correction) on port group 13-16.

700272

ddnsd did not update the new IP address of dynupdate.no-ip.com, so it failed to connect to the DDNS server.

700314

ARP reply sent out by FortiGate but was not received on neighbor device.

701911

FortiGate entered conserve mode (service=kernel), possibly due to large number of log creation requests.

703872

Unable to change speed and status of hardware switch member on SoC3 and SoC4 platforms with virtual switch feature.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

710934

FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

712203

Memory leak happens in forticron process, if GUI REST API caching is enabled.

712506

25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.

715043

Guest Management page Expire column shows incorrect value for guest groups when set to expire after on first login.

715048

When there is no PRP setting in the 6.4 configuration, after upgrading from 6.4 to 7.0, kernel panic happens after enabling PRP.

715978

NTurbo does not work with EMAC VLAN interface.

717203

When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command to not be sent to FortiManager, since cmdbsvr has finished sending the file but the last command is not yet stored in the auto update file.

721789

Account profile settings changed after firmware upgrade.

723491

When ACME service is enabled on an interface, HTTPD responds to HTTP TRACE method with HTTP 200 OK.

723643

FortiGate NTP server cannot synchronize time for Linux client on IPv6.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

Upgrade

Bug ID

Description

701571

After upgrading from 6.4.5 to 7.0.0, all flow-based policies are switched to proxy if there is a SIP profile attached to the firewall policy.

708250

Console prints __set_clr_flag:wwan ioctl failed, flag:0x0200 errno:19 when upgrading from 6.4.5 to 7.0.0.

710465

Policy inspection mode gets changed to proxy after upgrading to 7.0.0.

713724

SD-WAN health check over IPsec interfaces no longer works if there is a specified gateway under the IPsec SD-WAN member.

Workaround: remove the specified gateway.

713878

Under config system dns-database, the set type slave configuration in 6.4.5 does not change to set type secondary after upgrading to 7.0.0.

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

698602

LDAP query from GUI does work in non-management and non-root VDOM.

704708

Local CA certificate, Fortinet_CA_SSL, cannot be restored from saved configuration file after the FortiGate factory reset.

707868

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

712354

Firewall policy does not allow multiple SAML users that reference the same SAML server.

VM

Bug ID

Description

685782

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

710941

FortiOS GUI shows Unable to connect to FortiGuard servers warning when offline license is being used.

713279

After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period.

714682

GENEVE tunnel with loopback interface is not working.

WAN Optimization

Bug ID

Description

702876

FortiGate web cache does not work in proxy mode.

Web Filter

Bug ID

Description

593203

Cannot enter a name for the web rating override or save it due to name input error.

WiFi Controller

Bug ID

Description

529727

The configured MAC address of the VAP interface did not take effect after rebooting.

645328

Operating channel is 0 for both radios of FAP-421E.

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

685593

Spectrum analysis graphs only present a portion of the data for monitor mode radio when X-Axis is MHz.

703685

VLAN-tagged CAPWAP traffic was dropped by NP6XLite FortiGate when FortiAP is connected through aggregate FortiLink FortiSwitch.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.