When AV and sandbox submission is enabled, /tmp/cdr is not cleaned after a scan when there are multiple concurrent sessions.

IPsec VPN does not have FCT client IP to send to EMS if using DHCP-over-IPsec.

Need to check EMSC entitlement periodically inside fcnacd.

Proxy policy matching should support choosing the best internet service name when the IP matches multiple object names.

Web proxy users are disconnected due to external resource update flushing the user even if they do not have an authentication rule using the related proxy address or IP list.

Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7.

Wrong source IP used intermittently when FortiGate has SD-WAN and is transparently proxy forwarding to explicit proxy.

Unable to access SSL exempt site with authentication TP proxy because certificate inspection does not learn the forward server object.

When visiting a website for the first time in Firefox, the disclaimer page is shown and the webpage loads normally. When visiting a website for a second time, Firefox may take a few minutes to show the disclaimer and then another few minutes to load the webpage.

Viewing firewall shaping policy in the GUI will unset the traffic-shaper if class-id and traffic-shaper are both configured.

Any changes to the security policy table causes the hit count to reset.

Misleading GUI error when policy lookup fails due to source IP route lookup.

VIP object associated with SD-WAN member interface from omni-select list of destination addresses should not be filtered out.

In NGFW policy mode, sessions are not re-validated when security policies are changed.

Firewall policy Last Used information is different in the CLI and GUI.

The CLI should give a warning message when changing the address type from iprange to ipmask and there is no subnet input.

Dynamic traffic shapers are not consistent in their idle time limit.

FGSP synchronized UDP sessions may be blocked in NGFW policy mode when asymmetric routing is used due to a policy matching failure. Other types of traffic may also be affected (such as TCP) in the case of failover of the reply direction traffic to a different FortiGate in the FGSP cluster.

Server load-balancing on FortiGate is not working as expected when the active server is down.

New ISBD object is not indicated in the GUI.

FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects.

Firewall policy is not applied correctly when using VNE tunnel interface with policy-based IPsec VPN.

When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched.

When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time.

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

IPS user quarantine ban event is marking the sessions as dirty.

TCP MSS size for local traffic is not adjusted by the firewall policy.

In transparent mode, a log has an irrelevant policyid.

Some policy entries are lost when restoring a VDOM configuration if the inspection-mode is flow, and the dstaddr is the server load balance VIP.

Load balancing is not allowed with a flow-based policy, even if the server type is configured as IP or TCP.

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

On the Dashboard > FortiView Web Sites_FAZ page, many websites have an Unrated category, and drilling down on these results displays no data.

When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN&bsol;username. The user is displayed with a \ in the CLI.

SAML auto configuration does not take admin-sport into account.

When using the GUI to edit an IP/Wildcard Mask that was created using the CLI, the error message Invalid IP/Wildcard mask. is displayed.

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 and FortiSwitch 7.0.1.

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

Check mark for maximize bandwidth SD-WAN rule is not removed when member no longer meets SLA.

When there is a connection issue between the FortiGate and a managed FortiSwitch, unexpected behavior might occur in httpsd when navigating between Switch Controller related GUI pages.

GUI does not display statistical information on SD-WAN Performance SLA page.

Port Errors counters for managed FortiSwitches show a zero when the port is actually shows errors.

Enabling daylight saving time (DST) results in GUI and CLI system time differences when DST is active (end of March to end of October).

Use Account Entitlement when checking for FSAC contract.

The save function does not work as expected for policies with certain applications selected.

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured.

Interfaces and zones open slowly.

Firewall policy is not visible in GUI when using set internet-service src enable.

Cannot access GUI for FortiGate in FIPS-CC mode.

Items added to Favorites are lost after a logout or reboot.

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

When editing the WAF profile in the GUI, changes to the WAF default-allowed-methods are not committed. The CLI must be used.

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

Routing monitor is slow to load or does not load when the user has a full routing table.

When login banner is enabled, and a user is forced to re-login to the GUI (due to password enforcement or VDOM enablement), users may see a Bad gateway error and HTTPSD crash.

When editing a firewall policy, copying and pasting in the Comments field gives an error.

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

Unable to edit interface address, get Bits of the IP address will be truncated by the subnet mask error.

After a user creates or edits an SSID interface, the GUI incorrectly navigates to the interfaces list instead of SSIDs list.

Administrators with VDOM scope cannot change their own password in the GUI.

Cannot configure ZTNA to enable an IP or MAC filter type firewall policy to add ZTNA tag.

Policy dialogs (Firewall, NAT46, NAT64, Proxy) sometimes get stuck loading due to an error when generating a security rating report.

For certain configurations, editing interfaces from the GUI causes the httpsd process to spike in CPU usage.

Static route for IPsec VPN shows tunnel ID as a gateway and provides an unreachable error.

Unable to download MIB files from FortiGate.

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

For certain configurations, various pages that have interface selects can cause high memory usage from httpsd and put the FortiGate into conserve mode.

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI.

For certain configurations, httpsd consumes high CPU when loading Firewall pages in a browser.

GUI and REST API show incorrect reference count for web filter after adding and removing it from a policy.

Tooltip for FortiSandbox Cloud shows status as Unreachable or not authorized.

Interface page does not load for an administrator user with netgrp read-write permissions and an IPsec VPN is configured.

The HA secondary cannot synchronize a new virtual switch configuration from the primary.

Management access not working in transparent mode cluster after upgrade.

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

High memory usage of hasync process on FGCP passive device.

ICMP session cannot synchronize after the FortiGate where the session was first created reboots.

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

Copied policy set to Deny contains unneeded lines.

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

hasync is busy when receiving ARP when there is a huge number of ARPs in the network.

The set override disable setting changes to enabled on main virtual cluster after rebooting (flag of second virtual cluster remains disabled).

Creating an aggregate interface in HA causes the VMAC resolution to fail.

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group | memory> after HA hbdev configuration changes.

When HA failover happens, there is a time difference between the old secondary becoming the new primary and the new primary's HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session's traffic needs to be handled by the new secondary.

Incorrect uptime value for HA secondary shown in the GUI.

GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception.

Every UDP packet in the reply direction triggers the session state update synchronization, even if the session state did not change.

Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of intf_vd_changed events and recheck the MAC every time, which blocks hatalk from sending heartbeat packets for a long time so that the peer loses it.

HA becomes out of sync when a backup device is updating the discarded duplicate BGP network table entry from the primary.

In FGSP, session-sync-dev statistics of get system ha status disappear after reboot.

FortiGate sends its serial number at the beginning of the file path via TFTP backup for CLI automation script or automation stitch when in the cluster.

HA primary does not send anti-spam and outbreak prevention license information to the secondary.

CLI help text should not list FortiManager as an option for ha-direct.

Performance degradation of session synchronization after upgrading.

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

IPS signatures are not working with VIP in proxy mode.

ipshelper CPU spikes when configuration changes are made.

Flow-based AV scanning does not send specific extension files to FortiSandbox.

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

L2TP-over-IPsec tunnels frequently disconnect and hardly reconnect. CPU0 and CPU2 are at over 80%.

Split tunnel is not working with L2TP IPsec VPN on Windows native VPN.

Certificate-based IPsec authentication succeeds when the strict-crl-check is enabled and the CRL is not reachable.

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

Framed IPv6 address is not used in IPsec or SSL VPN tunnels.

After failover, the static tunnel interface's remote IP static routes are missing on the new primary.

When ADVPN with BGP has routing-protocol and link-down-failover enabled, establishing the ADVPN shortcut establish causes the BGP neighbor to flap and affect traffic.

Duplicate IP assigned by IKE Mode Config due to static gateway being out of sync after HA flapping. The tunnel that is out of sync cannot receive the deletion from the hub and holds on to an IP that has already been released.

Hub is dropping packets due to Failed to find IPsec Common after upgrading from 6.2.6 to 6.2.7.

ADVPN using BGP cannot bring up second shortcut after first shortcut is established with net-device enabled.

IPsec aggregate is not sending outbound ESP traffic on FortiOS 7.0.

In a redundant mode IPsec aggregate, the first aggregate member is always used to output traffic even if it is down.

Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector.

OCVPN configuration change in one member reloads the BGP configuration of all the OCVPN members.

iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication.

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

In an IPsec tunnel XAuth with RADIUS, the RADIUS Accounting Stop packet is missing the Acct-Input-Octets/Acct-Output-Octets attribute.

Traffic log of ZTNA HTTPS proxy and TCP forwarding is missing policy name and FortiClient ID.

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

FortiAnalyzer cannot process the packet loss field in the log because the field has a % in it.

FortiAnalyzer OFTP connection is re-initialized every 30 seconds when the FortiGate connects to an unauthorized FortiAnalyzer.

System might generate garbage administrator log events upon session timeout.

Proxy-based SSL out-band-probe session has local out connection. Since the local out session will not learn the router policy, it makes all outbound connections fail if there is no static router to the destination.

WAD crash at wad_async_queue in FOH connect case.

In cases when WAD fails to resolve a firewall policy for the session, WAD crashes at wad_ssl_proxy_can_bypass() when a missed condition check allows the session to still pass through.

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

Unable to authenticate to FTP server when firewall policy is set to proxy-based and AV is enabled.

WAD encounters segmentation fault crash at wad_http_scan_engine__on_unblock.

In IPS TCP proxy handover, the firewall policy tcp-mss-sender, tcp-mss-receiver, and interface tcp-mss settings are not used.

WAD crashes at wad_ssl_port_p2s_set_server_cert.

WAD crashes at wad_http_scan_safe_proc_msg.

WAD crash at flush sec_profile after deleting VDOM.

Enhance link monitor health check for access proxy real server in ZTNA.

WAD crashes seen in user information upon user purge and during signal handling of user information history.

All load-balancing methods should be supported for ZTNA access proxy.

For firewall policies with http-policy-redirect enabled and ssl-ssh-profile is set to inspect-all certificate-inspection, WAD is unable to block the traffic when proxy policy matching fails.

Certificate authentication support should be added to the normal proxy policy authentication.

Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI.

The cert-probe-failure option is not available when inspect-all certificate-inspection is enabled.

Certificate inspection is not working as expected when an external proxy is used.

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

Local TCP/853 unexpectedly open as soon any proxy mode inspection policy with UTM is enabled.

Certificate inspection profile is doing a deep scan for an FTPS SSL exchange.

When FortiGuard is updating, an external resource build might happen at the same time with other RAM consuming update operations, causing the system to enter conserve mode.

REST API incorrectly returns error code 401 (authentication error) instead of 403 (authorization error) for requests that pass the authentication check but are not permitted to access the resource.

/api/v2/monitor/system/available-interfaces takes over one minute for a response.

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

VRF configuration in WWAN interface has no effect after reboot.

LDAP traffic that originates from the FortiGate is not following SD-WAN rule.

Checkmark is not shown beside the interface currently selected by the SD-WAN rules (Network > SD-WAN Rules page).

Blackhole route to the gateway of policy route makes the PBR inactive/disabled.

FortiGate deletes prefix-list configuration due to concurrent administrator SSH sessions.

Issues with SD-WAN zone's availability to select it as an OSPF interface.

VRF should support for IPv6 in static route and BGP VRF leaking table.

No speed test button for PPPoE interface in GUI on Interfaces page.

Security rating traffic does not follow SD-WAN rules.

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

SD-WAN rules are not working with route tags and VRF.

ICMP Destination Host Unreachable responses are sent in reverse order.

Suggest adding an option for NetFlow to use SD-WAN.

Restore the change of routing code.

Firewall policy rule with destination interface as virtual-wan-link cannot match traffic in some cases.

Some static routes disappear from RIB/FIB after modifying or installing static routes by running a script in the GUI.

SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted.

Enabling SD-WAN on interfaces with full BGP routes leads to device going into conserve mode.

Local out routing does not work with PPPoE interface.

Policy Routes GUI page does not show red exclamation mark when a source or destination is negated, like on Firewall Policy page.

SD-WAN rule not matched with MAC address object and ISDB in policy.

Load-balance service mode and maximize bandwidth (SLA) in SD-WAN rule does not work as expected in 7.0.0.

TCP session drops between virtual wire pair with auto-asic-offload enabled in policy.

Enabling preserve-session-route does not take effect in SD-WAN scenario.

set interface-select-method takes a long time to take effect for DNS local out traffic when the source IP is specified.

Link to Login toFortiAnalyzer on Physical Topology page does not open, and FortiAnalyzer HTTPS is no longer configured on port 443.

Unable to connect to vCenter using ESXi SDN connector with password containing certain characters.

Automation stitch action does not work when trigger is an AV and IPS database update.

The security rating for Admin Idle Timeout incorrectly fails for a FortiAnalyzer with less than 10 minutes.

Security rating two-factor authentication test shows as failed for IPsec and SSL VPN, but all users have two-factor authentication enabled.

Multiple ACI Direct connectors are not supported.

Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.

If HA management interface is configured, the Kubernetes connector fails to connect.

Automation stitch action no longer understands %%log.date%% and %%log.time%% variables.

SSL VPN RDP bookmark not working with CVE-2018-0886.

guacd uses 99% CPU when SSL VPN web portal connects to RDP server.

SSL VPN web portal RDP connections to RDS session hosts fails.

guacd is consuming too much memory and CPU resources during operation.

The policy script-src 'self' will block the SSL VPN proxy URL.

When SSL VPN SSH times out, SSH to SES will crash when SSH is empty.

Google Maps and 2gis.ru page do not display the map at all in SSL VPN web portal.

The jstor.org webpage is not loading via SSL VPN bookmark.

Imported certificate cannot be used in IPsec tunnel only (-3: Entry not found).

Unable to type accents using dead keys in RDP using Spanish keyboard layout over SSL VPN web mode in macOS.

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

SSL VPN firewall policy creation via CLI does not require setting user identity.

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

vCenter (*.be***.tld) page does not load in SSL VPN web mode.

RDS redirect not working on SSL VPN web portal.

Error when logging out SSL VPN bookmark website.

DCE/RPC sessions are randomly dropped (no session matched).

Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic.

SSL VPN authentication fails for PKI user with LDAP.

FortiClient SSL VPN users are unable to authenticate when zero-trust tag IP address is used as the host IP under limited access.

SSL VPN web mode removes ant-tree components in HTML source.

Report section of internal web server (https://lm***.lm***.au***.vw***/ar***/) is not accessible via the SSL VPN web portal.

PDF files on internal web server, https://co***.ag***.em***.vw***:8443, are not opening in SSL VPN web portal.

WALLIX personal bookmark issue in SSL VPN portal.

JS error thrown when accessing HTTPS bookmark (mk***.ag***.cp***.vw***) via SSL VPN web portal.

FortiClient iOS 6.4.5 has new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient.

Certain URLs are not rewritten for bookmarked HTTPS external site http://www.sz***.hu.

Unable to save record on internal website https://1**.1**.8*.3*/Login.jsp via SSL VPN web mode.

SSL VPN DTLS tunnel could not be established in some cases when the tunnel link is still under negotiation. Some IP packets were sent to the client, causing the client's logic to fail.

Search option on internal website, kp***.kd****.ca, not working while accessing via SSL VPN web mode.

DTLS SSL VPN connection cannot be established via FortiTester.

Back-end server (va***.ra***.com.ar) is not working in SSL VPN web mode.

OWA user details are not showing in SSL VPN web mode.

SSL VPN connection breaks when deleting irrelevant CA and PKI is involved.

SSO authentication to FortiMail webmail is not working using SSL VPN bookmark.

Idle timeout does not send log out request to IdP for SAML login on SSL VPN portal.

SSL VPN stuck loading https://el***.***-data.pl when wrong credential was entered.

SSL VPN web mode access to internal web server http://10.2.1.78 is broken after upgrading to 7.0.0.

QNAP NAS web page hangs on loading page after entering the credentials in SSL VPN web mode.

POP3 authentication failed for SSL VPN.

Windows Admin Center webpage (ge***.ov***) does not load correctly in SSL VPN web mode.

SSL VPN daemon may crash when connection releases.

SSL VPN proxy error in web mode due to requests to loopback IP.

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

Due to change on samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name.

Website cannot be accessed in SSL VPN web mode.

Website, co***.gob.pe, is not shown properly in SSL VPN web mode.

The map integrated in the public site is not visible when using SSL VPN web mode.

Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode.

SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server.

Traffic cannot go through SSL VPN tunnel when a second user kicks first session off.

iprope records for SSL VPN policies are removed after upgrading to 7.0.0 or during the reboot.

Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode.

Unable to load NetApp OnCommand Unified Manager webpages due to reloading loop in SSL VPN web mode.

Sometimes in tunnel mode with a lot of tunnels, the file descriptor to the mux dev is not closed, which causes the memory to linger until the process is killed.

FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm.

Internal webpage with JavaScript is not loading in SSL VPN web mode.

Configuration changes on the FortiGate not taking effect on the FortiSwitch.

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

In FortiOS 7.0.0, the default authentication protocol for a switch controller SNMP user is SHA256, as opposed to the default SHA1 in previous versions.

FortiLink trunk is not formed on FortiSwitch connecting to FortiGate. When managed switches are learned on the software switch and hardware switch, they were deleted from the CLI, and fortilinkd did not clear the states for those switches so new switches were not learned.

TFTP client always tries binding to port 1069, which is a part of dynamic port range. Other daemons sometimes use this port, which results in a TFTP bind failure.

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

VPN throughput dropped when FEC is enabled.

Redundant interface cannot pick up traffic if one member is down.

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

A VWP named .. can be created in the GUI, but it cannot be edited or deleted.

SFP interfaces on FG-330xE do not show link light.

Console prints out NP6XLITE: np6xlite_hw_ipl_rw_mem_channel timeout message on SoC4 platforms.

httpsd crashed after changing VDOM for interface.

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

Change WWAN interface default netmask to /32 and default distance to 1.

DHCP option 121 as a client not working on FortiGate.

Add DNS server selection method to change how DNS servers are configured and prioritized.

Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly.

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

Huawei E8372h-320 LTE modem does not receive IP on FG-30E.

Secondary FG-5001D blades in SLBC cluster do not show updated contract dates.

Mirroring of decrypted SSL traffic does not work in flow mode; if the receiving side is a VM machine, the receiver is unable to receive SSL decrypted packets.

Support gtp-enhance-mode (GTP-U) on FG-3815D.

FortiGate cannot get gateway from built-in LTE modem on all LTE capable FortiGate platforms.

FOS 6.2.6 in FIPS mode with LB VIP and custom ciphers does not allow traffic through.

In some environments, host-side DPDK affects the benchmark result.

Cannot change FEC (forward error correction) on port group 13-16.

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

ddnsd did not update the new IP address of dynupdate.no-ip.com, so it failed to connect to the DDNS server.

ARP reply sent out by FortiGate but was not received on neighbor device.

CLI console shows poll loop hangs error messages after booting up the device.

FortiGate entered conserve mode (service=kernel), possibly due to large number of log creation requests.

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

Unable to change speed and status of hardware switch member on SoC3 and SoC4 platforms with virtual switch feature.

LLDP transmission fails if there are nested software switches.

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

When processing visibility log requests and passively learning FQDNs and wildcard FQDN addresses at a high rate, the CPU usage of dnsproxy can reach 90% or higher.

SD-WAN reports phantom packet loss.

FGR-60F WAN1 and WAN2 fail to connect to the network due to board ID GPIO assignment being incorrect.

FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

Memory leak happens in forticron process, if GUI REST API caching is enabled.

Multiple ports flapping when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.

25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.

Daylight saving time changes will not reflect for time zone 16.

Command fail when running execute private-encryption-key <xxx>.

SNMP times out or has slow response when SNMP queries FortiGate session table OIDs.

diagnose sys bcm_intf cli "2:" and diagnose sys bcm_intf cli "ps" try to access a non-existent BCM switches, which leads to kernel panic.

A softirq happened in an unprotected session read lock and caused a self-deadlock.

FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869).

NP offloading is blocking backup traffic.

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

Guest Management page Expire column shows incorrect value for guest groups when set to expire after on first login.

When there is no PRP setting in the 6.4 configuration, after upgrading from 6.4 to 7.0, kernel panic happens after enabling PRP.

Packets are dropped for 30 seconds during or after massive configuration commit.

config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used.

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

When user changes a configurations in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command not be sent to FortiManager since cmdbsvr has finished sending it, but the last command is not yet stored in the auto update file.

execute restore vmlicense tftp fails with tftp: bind: Address already in use.

FortiGate sends an invalid configuration to FortiManager, which causes the FortiManager policy packages to have an unknown status.

Problem resolving DNS TXT type queries with FortiGate.

In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again.

The forticron process uses high CPU.

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

Account profile settings changed after firmware upgrade.

The set key-outbound and set key-inbound parameters are missing for GRE tunnels under config system gre-tunnel.

When ACME service is enabled on an interface, HTTPD responds to HTTP TRACE method with HTTP 200 OK.

FortiGate NTP server cannot synchronize time for Linux client on IPv6.

After upgrading from 6.4.5 to 7.0.0, all flow-based polices are switched to proxy if there is a SIP profile attached to the firewall policy.

Console prints __set_clr_flag:wwan ioctl failed, flag:0x0200 errno:19 when upgrading from 6.4.5 to 7.0.0.

Policy inspection mode gets changed to proxy after upgrading to 7.0.0.

SD-WAN health check over IPsec interfaces no longer work if there is a specified gateway under the IPsec SD-WAN member.

Under config system dns-database, the set type slave configuration in 6.4.5 does not change to set type secondary after upgrading to 7.0.0.

Two-factor authentication can be bypassed with some configurations.

SAML entity ID can only be entered in HTTP format, but as per standard should also support URN.

LDAP query from GUI does work in non-management and non-root VDOM.

RADIUS password encoding does not work.

FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.

Local CA certificate, Fortinet_CA_SSL, cannot be restored from saved configuration file after the FortiGate factory reset.

If a certificate authentication job expires in fnbamd, an error is returned to caller that makes the proxy block client traffic.

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

RADIUS accounting port is occasionally missing.

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

Password reset via Azure portal does not work in cases where the DependencyAgentLinux extension is installed.

On FG-VM-AWS, secondary IPs are missing after failover event.

FortiOS GUI shows Unable to connect to FortiGuard servers warning when offline license is being used.

After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period.

GENEVE tunnel with loopback interface is not working.

EIP information is not automatically updated after instance reboot.

Azure HA failover encounters error when doing route failover.

Cannot enter a name for the web rating override or save it due to name input error.

Running a remote CLI script from FortiManager can create a duplicated FortiGuard web filter category.

TARGET ASSERT error in WiFi driver causes kernel panic.

The configured MAC address of the VAP interface did not take effect after rebooting.

FG-80F series should support a total of 96 WTP entries (48 normal).

Operating channel is 0 for both of the FAP radios (FAP-421E).

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

Spectrum analysis graphs only presents a portion of the data for monitor mode radio when X-Axis is MHz.

Physical AP leave log messages showing reason="N/A".

Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF.

Unable to change AP state under rogue AP's monitor page.

FWF-60F/61F and FWF-40F encounters kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

FAP-421E does not come online over IPsec tunnel and shows a certificate error.

VLAN-tagged CAPWAP traffic was dropped by NP6XLite FortiGate when FortiAP is connected through aggregate FortiLink FortiSwitch.

CAPWAP traffic without VLAN tag was dropped by NP6XLite FortiGate when FortiAP is connected through an aggregate interface (no FortiLink).

Dynamic VLAN SSID traffic cannot pass through VDOM link when capwap-offload is enabled.

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

Automation trigger for rogue AP on wire sends email alerts for rogue AP not on wire.

FortiOS 7.0.1 is no longer vulnerable to the following CVE Reference:

• CVE-2022-26103

FortiOS 7.0.1 is no longer vulnerable to the following CVE Reference:

• CVE-2021-26110

FortiOS 7.0.1 is no longer vulnerable to the following CVE Reference:

• CVE-2021-32600

FortiOS 7.0.1 is no longer vulnerable to the following CVE Reference:

• CVE-2022-22306

FortiOS 7.0.1 is no longer vulnerable to the following CVE Reference:

• CVE-2021-24018

FortiOS 7.0.1 is no longer vulnerable to the following CVE Reference:

• CVE-2021-26110