Fortinet Document Library

Resolved issues

The following issues have been fixed in version 7.0.1. For inquiries about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

705591

When av-scan is enabled on the load end box, the FortiGate CPU hits 100% for over one minute. Such high CPU usage might cause a WAD daemon signal 6 abort during that period.

706454

When AV and sandbox submission is enabled, /tmp/cdr is not cleaned after a scan when there are multiple concurrent sessions.

707186

Scanunit crashes with signal 11 when users attach files in the Outlook Web App.

Data Leak Prevention

Bug ID

Description

709845

DLP file pattern ID is still referenced by AV profile analytics-wl-filetype after FortiSandbox is disabled.

DNS Filter

Bug ID

Description

715317

Web filter service does not start properly when DNS filter is configured in a firewall profile group.

Endpoint Control

Bug ID

Description

666426

IPsec VPN does not have FCT client IP to send to EMS if using DHCP-over-IPsec.

685549

Need to check EMSC entitlement periodically inside fcnacd.

707388

When EMS has an offline status, most of the time the FortiClient de-registers from EMS and the client certificate will be empty in the web browser certificate store.

Explicit Proxy

Bug ID

Description

681054

Web proxy users are disconnected due to external resource update flushing the user even if they do not have an authentication rule using the related proxy address or IP list.

697566

Explicit proxy unable to access a particular URL (https://***.my.salesforce.com) after upgrading from 5.6.12 to 6.2.7.

700451

Wrong source IP used intermittently when FortiGate has SD-WAN and is transparently proxy forwarding to explicit proxy.

706078

Unable to access SSL exempt site with authentication TP proxy because certificate inspection does not learn the forward server object.

708851

When visiting a website for the first time in Firefox, the disclaimer page is shown and the webpage loads normally. When visiting a website for a second time, Firefox may take a few minutes to show the disclaimer and then another few minutes to load the webpage.

716224

In web proxy with transparent policy, the web filter rating fails when there is no SNI or CID.

Firewall

Bug ID

Description

591721

Viewing firewall shaping policy in the GUI will unset the traffic-shaper if class-id and traffic-shaper are both configured.

595949

Any changes to the security policy table causes the hit count to reset.

645010

Misleading GUI error when policy lookup fails due to source IP route lookup.

653137

VIP object associated with SD-WAN member interface from omni-select list of destination addresses should not be filtered out.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

681893

Firewall policy Last Used information is different in the CLI and GUI.

694154

Dynamic traffic shapers are not consistent in their idle time limit.

696619

FGSP synchronized UDP sessions may be blocked in NGFW policy mode when asymmetric routing is used due to a policy matching failure. Other types of traffic may also be affected (such as TCP) in the case of failover of the reply direction traffic to a different FortiGate in the FGSP cluster.

705402

Server load-balancing on FortiGate is not working as expected when the active server is down.

707659

New ISBD object is not indicated in the GUI.

707854

FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects.

708159

Firewall policy is not applied correctly when using VNE tunnel interface with policy-based IPsec VPN.

709832

When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched.

714198

When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time.

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

716317

IPS user quarantine ban event is marking the sessions as dirty.

717170

TCP MSS size for local traffic is not adjusted by the firewall policy.

717802

In transparent mode, a log has an irrelevant policyid.

724145

Expiration timer of expectation session may show a negative number.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

712580

When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN&bsol;username. The user is displayed with a \ in the CLI.

722543

FortiView does not arrange FortiGuard quota based on highest to lowest value and vice versa.

GUI

Bug ID

Description

585899

SAML auto configuration does not take admin-sport into account.

589231

Get Invalid IP/Wildcard mask. warning when editing the address object in the GUI.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

647431

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

665597

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

674548

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

676104

Check mark for maximize bandwidth SD-WAN rule is not removed when member no longer meets SLA.

676306

httpsd has signal 6 and 11 crashes at cmf_query_create_child because of segfault in /api/v2/monitor/switch-controller/managed-switch/transceivers.

686592

GUI does not display statistical information on SD-WAN Performance SLA page.

689392

Port Errors counters for managed FortiSwitches show zero when the port actually shows errors.

690666

Enabling daylight saving time (DST) results in GUI and CLI system time differences when DST is active (end of March to end of October).

691620

Use Account Entitlement when checking for FSAC contract.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured. The workaround is to manage the option from the CLI.

696226

Interfaces and zones open slowly.

696573

Firewall policy is not visible in GUI when using set internet-service src enable.

701442

Cannot access GUI for FortiGate in FIPS-CC mode.

701742

Items added to Favorites are lost after a logout or reboot.

702065

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

703955

When editing the WAF profile in the GUI, changes to the WAF default-allowed-methods are not committed. The CLI must be used.

704209

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

704503

Routing monitor is slow to load or does not load when the user has a full routing table.

704618

When the login banner is enabled and the user is forced to log in again to the GUI (due to password change or enabling VDOMs), the user may see a Bad Gateway error.

706340

When editing a firewall policy, copying and pasting in the Comments field gives an error.

706711

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

706982

Unable to edit interface address; a Bits of the IP address will be truncated by the subnet mask error is returned.

708121

After a user creates or edits an SSID interface, the GUI incorrectly navigates to the interfaces list instead of SSIDs list.

708211

Administrators with VDOM scope cannot change their own password in the GUI.

708467

Cannot configure ZTNA to enable an IP or MAC filter type firewall policy to add ZTNA tag.

709103

Unable to edit interfaces in the GUI, and httpsd is spiking the CPU cores.

709662

Static route for IPsec VPN shows tunnel ID as a gateway and provides an unreachable error.

710220

Unable to download MIB files from FortiGate.

710946

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

713148

httpsd process has high CPU and memory usage, causing the unit to enter conserve mode.

713580

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

715256

When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI.

715493

httpsd consumes high CPU when loading a GUI page.

716986

GUI and REST API show incorrect reference count for web filter after adding and removing it from a policy.

717405

Tooltip for FortiSandbox Cloud shows status as Unreachable or not authorized.

719620

Interface page does not load for an administrator user with netgrp read-write permissions and an IPsec VPN is configured.

719694

httpsd crashes when navigating between switch controller related GUI pages.

720006

GUI always shows duplicate entry when trying to create a NAC dynamic address and other types of firewall addresses.

HA

Bug ID

Description

659837

The HA secondary cannot synchronize a new virtual switch configuration from the primary.

670331

Management access not working in transparent mode cluster after upgrade.

678145

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

692384

High memory usage of hasync process on FGCP passive device.

694646

ICMP session cannot synchronize after the FortiGate where the session was first created reboots.

697066

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

698732

Copied policy set to Deny contains unneeded lines.

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

703719

hasync is busy when receiving ARP when there is a huge number of ARPs in the network.

708928

The set override disable setting changes to enabled on main virtual cluster after rebooting (flag of second virtual cluster remains disabled).

709382

Creating an aggregate interface in HA causes the VMAC resolution to fail.

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group | memory> after HA hbdev configuration changes.

711962

Incorrect uptime value for HA secondary shown in the GUI.

714113

GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception.

714404

Every UDP packet in the reply direction triggers the session state update synchronization, even if the session state did not change.

715939

Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of intf_vd_changed events and recheck the MAC every time, which blocks hatalk from sending heartbeat packets for a long time so that the peer loses it.

716216

HA becomes out of sync when a backup device is updating the discarded duplicate BGP network table entry from the primary.

717251

In FGSP, session-sync-dev statistics of get system ha status disappear after reboot.

717525

FortiGate sends its serial number at the beginning of the file path via TFTP backup for CLI automation script or automation stitch when in the cluster.

717785

HA primary does not send anti spam and outbreak prevention license information to the secondary.

721482

CLI help text should not list FortiManager as an option for ha-direct.

721720

Performance degradation of session synchronization after upgrading.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

Intrusion Prevention

Bug ID

Description

680501

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

682071

IPS signatures are not working with VIP in proxy mode.

686301

ipshelper CPU spikes when configuration changes are made.

689259

Flow-based AV scanning does not send specific extension files to FortiSandbox.

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

578879, 676728

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

620907

L2TP-over-IPsec tunnels frequently disconnect and hardly reconnect. CPU0 and CPU2 are at over 80%.

642760

Split tunnel is not working with L2TP IPsec VPN on Windows native VPN.

674576

Certificate-based IPsec authentication succeeds when the strict-crl-check is enabled and the CRL is not reachable.

691718

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

708590

Framed IPv6 address is not used in IPsec or SSL VPN tunnels.

708870

After failover, the static tunnel interface's remote IP static routes are missing on the new primary.

708940

When ADVPN with BGP has routing-protocol and link-down-failover enabled, establishing the ADVPN shortcut causes the BGP neighbor to flap and affects traffic.

709850

Duplicate IP assigned by IKE Mode Config due to static gateway being out of sync after HA flapping. The tunnel that is out of sync cannot receive the deletion from the hub and holds on to an IP that has already been released.

710961

Hub is dropping packets due to Failed to find IPsec Common after upgrading from 6.2.6 to 6.2.7.

711072

ADVPN using BGP cannot bring up second shortcut after first shortcut is established with net-device enabled.

713763

IPsec aggregate is not sending outbound ESP traffic on FortiOS 7.0.

713839

In a redundant mode IPsec aggregate, the first aggregate member is always used to output traffic even if it is down.

714400

Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector.

715070

OCVPN configuration change in one member reloads the BGP configuration of all the OCVPN members.

715651

iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

719655

IPsec does not work in FG-VM after upgrading to 7.0.

Log & Report

Bug ID

Description

708890

Traffic log of ZTNA HTTPS proxy and TCP forwarding is missing policy name and FortiClient ID.

710344

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

711946

FortiAnalyzer cannot process the packet loss field in the log because the field has a % in it.

722315

System might generate garbage administrator log events upon session timeout.

Proxy

Bug ID

Description

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

670339

Proxy-based SSL out-band-probe session has a local out connection. Since the local out session will not learn the policy route, all outbound connections fail if there is no static route to the destination.

676419

WAD crash at wad_async_queue in FOH connect case.

683844

In cases when WAD fails to resolve a firewall policy for the session, WAD crashes at wad_ssl_proxy_can_bypass() when a missed condition check allows the session to still pass through.

700073, 714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused the proxy option that restricts YouTube access to stop working.

700481

Unable to authenticate to FTP server when firewall policy is set to proxy-based and AV is enabled.

701513

WAD encounters segmentation fault crash at wad_http_scan_engine__on_unblock.

704323

In IPS TCP proxy handover, the firewall policy tcp-mss-sender, tcp-mss-receiver, and interface tcp-mss settings are not used.

706555

WAD crashes at wad_ssl_port_p2s_set_server_cert.

706556

WAD crashes at wad_http_scan_safe_proc_msg.

708514

WAD crash at flush sec_profile after deleting VDOM.

709391

Enhance link monitor health check for access proxy real server in ZTNA.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

710125

All load-balancing methods should be supported for ZTNA access proxy.

711484

Certificate authentication support should be added to the normal proxy policy authentication.

714610

Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI.

715327

The cert-probe-failure option is not available when inspect-all certificate-inspection is enabled.

716400

Certificate inspection is not working as expected when an external proxy is used.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

724445

Local TCP/853 is unexpectedly open as soon as any proxy mode inspection policy with UTM is enabled.

726801

When FortiGuard is updating, an external resource build might happen at the same time with other RAM consuming update operations, causing the system to enter conserve mode.

728078

Rating request does not always check cache.

REST API

Bug ID

Description

597494

REST API incorrectly returns error code 401 (authentication error) instead of 403 (authorization error) for requests that pass the authentication check but are not permitted to access the resource.

710198

/api/v2/monitor/system/available-interfaces takes over one minute for a response.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

579884

VRF configuration in WWAN interface has no effect after reboot.

670031

LDAP traffic that originates from the FortiGate is not following SD-WAN rule.

682455

Checkmark is not shown beside the interface currently selected by the SD-WAN rules (Network > SD-WAN Rules page).

688317

Blackhole route to the gateway of policy route makes the PBR inactive/disabled.

697645

FortiGate deletes prefix-list configuration due to concurrent administrator SSH sessions.

699122

Issues with SD-WAN zone's availability to select it as an OSPF interface.

700840

VRF should support IPv6 in the static route and BGP VRF leaking tables.

701027

No speed test button for PPPoE interface in GUI on Interfaces page.

702463

Security rating traffic does not follow SD-WAN rules.

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

705767

SD-WAN rules are not working with route tags and VRF.

706237

ICMP Destination Host Unreachable responses are sent in reverse order.

707143

Suggest adding an option for NetFlow to use SD-WAN.

707713

Restore the change of routing code.

708614

Firewall policy rule with destination interface as virtual-wan-link cannot match traffic in some cases.

710606

Some static routes disappear from RIB/FIB after modifying or installing static routes by running a script in the GUI.

712586

SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted.

715274

Enabling SD-WAN on interfaces with full BGP routes leads to device going into conserve mode.

718950

Local out routing does not work with PPPoE interface.

719788

Policy Routes GUI page does not show red exclamation mark when a source or destination is negated, like on Firewall Policy page.

722343

SD-WAN rule not matched with MAC address object and ISDB in policy.

723550

Load-balance service mode and maximize bandwidth (SLA) in SD-WAN rule does not work as expected in 7.0.0.

723726

BGP session drops between virtual wire pair with auto-asic-offload enabled in policy.

724250

Enabling preserve-session-route does not take effect in SD-WAN scenario.

Security Fabric

Bug ID

Description

672218

In multi-VDOM environment, when viewing logical topology under a specific VDOM view, the GUI incorrectly shows interfaces and devices from all VDOMs.

685642

Link to Login to FortiAnalyzer on Physical Topology page does not open, and FortiAnalyzer HTTPS is no longer configured on port 443.

695040

Unable to connect to vCenter using ESXi SDN connector with password containing certain characters.

708172

Automation stitch action does not work when trigger is an AV and IPS database update.

714807

Security rating two-factor authentication test shows as failed for IPsec and SSL VPN, but all users have two-factor authentication enabled.

718469

Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.

718581

If HA management interface is configured, the Kubernetes connector fails to connect.

719029

Automation stitch action no longer understands %%log.date%% and %%log.time%% variables.

722950

Topology page is empty in robot Security Fabric setup.

SSL VPN

Bug ID

Description

500664

SSL VPN RDP bookmark not working with CVE-2018-0886.

515519

guacd uses 99% CPU when SSL VPN web portal connects to RDP server.

542815

SSL VPN web portal RDP connections to RDS session hosts fail.

550819

guacd is consuming too much memory and CPU resources during operation.

586035

The policy script-src 'self' will block the SSL VPN proxy URL.

630068

When SSL VPN SSH times out, SSH to SES will crash when SSH is empty.

659581

Google Maps and 2gis.ru page do not display the map at all in SSL VPN web portal.

669707

The jstor.org webpage is not loading via SSL VPN bookmark.

671647

Imported certificate cannot be used in IPsec tunnel only (-3: Entry not found).

676333

Unable to type accents using dead keys in RDP using Spanish keyboard layout over SSL VPN web mode in macOS.

677031

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

677548

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

678757

vCenter (*.be***.tld) page does not load in SSL VPN web mode.

689465

RDS redirect not working on SSL VPN web portal.

693200

Error when logging out SSL VPN bookmark website.

693237

DCE/RPC sessions are randomly dropped (no session matched).

693347

Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic.

693519

SSL VPN authentication fails for PKI user with LDAP.

693718

FortiClient SSL VPN users are unable to authenticate when zero-trust tag IP address is used as the host IP under limited access.

694226

SSL VPN web mode removes ant-tree components in HTML source.

694346

Report section of internal web server (https://lm***.lm***.au***.vw***/ar***/) is not accessible via the SSL VPN web portal.

694671

PDF files on internal web server, https://co***.ag***.em***.vw***:8443, are not opening in SSL VPN web portal.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695457

JS error thrown when accessing HTTPS bookmark (mk***.ag***.cp***.vw***) via SSL VPN web portal.

695763

FortiClient iOS 6.4.5 has new feature that allows bypassing of 2FA for SSL VPN 2FA. The FortiGate should allow access when 2FA is skipped on FortiClient.

696533

Certain URLs are not rewritten for bookmarked HTTPS external site http://www.sz***.hu.

697551

Unable to save record on internal website https://1**.1**.8*.3*/Login.jsp via SSL VPN web mode.

701119

SSL VPN DTLS tunnel could not be established in some cases when the tunnel link is still under negotiation. Some IP packets were sent to the client, causing the client's logic to fail.

704597

Search option on internal website, kp***.kd****.ca, not working while accessing via SSL VPN web mode.

705278

DTLS SSL VPN connection cannot be established via FortiTester.

705370

Back-end server (va***.ra***.com.ar) is not working in SSL VPN web mode.

706185

OWA user details are not showing in SSL VPN web mode.

708021

SSO authentication to FortiMail webmail is not working using SSL VPN bookmark.

708639

Idle timeout does not send log out request to IdP for SAML login on SSL VPN portal.

710163

SSL VPN stuck loading https://el***.***-data.pl when wrong credential was entered.

711503

SSL VPN web mode access to internal web server http://10.2.1.78 is broken after upgrading to 7.0.0.

711690

QNAP NAS web page hangs on loading page after entering the credentials in SSL VPN web mode.

711944

POP3 authentication failed for SSL VPN.

712880

Windows Admin Center webpage (ge***.ov***) does not load correctly in SSL VPN web mode.

714604

SSL VPN daemon may crash when connection releases.

714700

SSL VPN proxy error in web mode due to requests to loopback IP.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

716622

Due to change on samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name.

717193

Website cannot be accessed in SSL VPN web mode.

717382

Website, co***.gob.pe, is not shown properly in SSL VPN web mode.

718142

The map integrated in the public site is not visible when using SSL VPN web mode.

718159

Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode.

718170

SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server.

718262

Traffic cannot go through SSL VPN tunnel when a second user kicks first session off.

719069

iprope records for SSL VPN policies are removed after upgrading to 7.0.0 or during the reboot.

720290

Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode.

721427

Unable to load NetApp OnCommand Unified Manager webpages due to reloading loop in SSL VPN web mode.

724830

FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

726641

Unable to load pi***.vi***-ga***.org in SSL VPN web mode.

Switch Controller

Bug ID

Description

647817

Configuration changes on the FortiGate not taking effect on the FortiSwitch.

682430

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

699533

In FortiOS 7.0.0, the default authentication protocol for a switch controller SNMP user is SHA256, as opposed to the default SHA1 in previous versions.

702942

FortiLink trunk is not formed on FortiSwitch connecting to FortiGate. When managed switches are learned on the software switch and hardware switch, they were deleted from the CLI, and fortilinkd did not clear the states for those switches so new switches were not learned.

717506

Unable to add description on shared FortiSwitch port.

System

Bug ID

Description

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

572038

VPN throughput dropped when FEC is enabled.

613947

Redundant interface cannot pick up traffic if one member is down.

627734

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

651626

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

664856

A VWP named .. can be created in the GUI, but it cannot be edited or deleted.

666418

SFP interfaces on FG-330xE do not show link light.

667307

Console prints out NP6XLITE: np6xlite_hw_ipl_rw_mem_channel timeout message on SoC4 platforms.

671332

httpsd crashed after changing VDOM for interface.

674616

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

683387, 711698

Change WWAN interface default netmask to /32 and default distance to 1.

686903

DHCP option 121 as a client not working on FortiGate.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

687833

Add DNS server selection method to change how DNS servers are configured and prioritized.

688009

Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly.

689317, 698927

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

690797

Huawei E8372h-320 LTE modem does not receive IP on FG-30E.

693757

Secondary FG-5001D blades in SLBC cluster do not show updated contract dates.

696550

Mirroring of decrypted SSL traffic does not work in flow mode; if the receiving side is a VM machine, the receiver is unable to receive SSL decrypted packets.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

696622

FortiGate cannot get gateway from built-in LTE modem on all LTE capable FortiGate platforms.

697287

FOS 6.2.6 in FIPS mode with LB VIP and custom ciphers does not allow traffic through.

698005

In some environments, host-side DPDK affects the benchmark result.

699358

Cannot change FEC (forward error correction) on port group 13-16.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

700272

ddnsd did not update the new IP address of dynupdate.no-ip.com, so it failed to connect to the DDNS server.

700314

ARP reply sent out by FortiGate but was not received on neighbor device.

701911

FortiGate entered conserve mode (service=kernel), possibly due to large number of log creation requests.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

703131

Split-task VDOM does not update IPS/AV from ha-direct connected internal FortiManager.

704981

LLDP transmission fails if there are nested software switches.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

706131

When processing visibility log requests and passively learning FQDNs and wildcard FQDN addresses at a high rate, the CPU usage of dnsproxy can reach 90% or higher.

709513

SD-WAN reports phantom packet loss.

710807

FGR-60F WAN1 and WAN2 fail to connect to the network due to board ID GPIO assignment being incorrect.

710934

FortiGate loses its DHCP lease, which is caused by the DHCP client interface turning into initial state (from that point dhcpcd will send out discover packets), but old IPs and router are still in the kernel, so it can reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

712203

Memory leak happens in the forticron process if GUI REST API caching is enabled.

712321

Multiple ports flapping when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.

712506

25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.

712905

Daylight saving time changes will not reflect for time zone 16.

713324

Command fails when running execute private-encryption-key <xxx>.

714164

SNMP times out or has slow response when SNMP queries FortiGate session table OIDs.

714192

diagnose sys bcm_intf cli "2:" and diagnose sys bcm_intf cli "ps" try to access non-existent BCM switches, which leads to a kernel panic.

714256

A softirq happened in an unprotected session read lock and caused a self-deadlock.

714402

FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869).

714711

NP offloading is blocking backup traffic.

714805

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

715043

Guest Management page Expire column shows an incorrect value for guest groups when set to expire after first login.

715048

When there is no PRP setting in the 6.4 configuration, after upgrading from 6.4 to 7.0, kernel panic happens after enabling PRP.

715571

config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

717203

When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command not to be sent to FortiManager, because cmdbsvr has finished sending the file before the last command is stored in it.

717791

execute restore vmlicense tftp fails with tftp: bind: Address already in use.

718322

FortiGate sends an invalid configuration to FortiManager, which causes the FortiManager policy packages to have an unknown status.

718501

Problem resolving DNS TXT type queries with FortiGate.

718571

In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

721789

Account profile settings changed after firmware upgrade.

722287

The set key-outbound and set key-inbound parameters are missing for GRE tunnels under config system gre-tunnel.

723491

When ACME service is enabled on an interface, HTTPD responds to HTTP TRACE method with HTTP 200 OK.

723643

FortiGate NTP server cannot synchronize time for Linux client on IPv6.

725934

Running execute tac report or diagnose debug report via SSH leaves a tac_report* file in /tmp.

Upgrade

Bug ID

Description

701571

After upgrading from 6.4.5 to 7.0.0, all flow-based policies are switched to proxy if there is a SIP profile attached to the firewall policy.

708250

Console prints __set_clr_flag:wwan ioctl failed, flag:0x0200 errno:19 when upgrading from 6.4.5 to 7.0.0.

710465

Policy inspection mode gets changed to proxy after upgrading to 7.0.0.

713724

SD-WAN health check over IPsec interfaces no longer works if there is a specified gateway under the IPsec SD-WAN member.

713878

Under config system dns-database, the set type slave configuration in 6.4.5 does not change to set type secondary after upgrading to 7.0.0.

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

688989

Two-factor authentication can be bypassed with some configurations.

697278

SAML entity ID can only be entered in HTTP format, but as per standard should also support URN.

698602

LDAP query from the GUI does not work in a non-management and non-root VDOM.

698716

RADIUS password encoding does not work.

700838

FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.

704708

Local CA certificate, Fortinet_CA_SSL, cannot be restored from saved configuration file after the FortiGate factory reset.

707578

If a certificate authentication job expires in fnbamd, an error is returned to caller that makes the proxy block client traffic.

707868

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

710212

RADIUS accounting port is occasionally missing.

712354

Firewall policy does not allow multiple SAML users that reference the same SAML server.

VM

Bug ID

Description

685782

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

703457

Password reset via Azure portal does not work in cases where the DependencyAgentLinux extension is installed.

708768

On FG-VM-AWS, secondary IPs are missing after failover event.

710941

FortiOS GUI shows Unable to connect to FortiGuard servers warning when offline license is being used.

713279

After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period.

714682

GENEVE tunnel with loopback interface is not working.

715750

EIP information is not automatically updated after instance reboot.

716161

Azure HA failover encounters error when doing route failover.

722227

If the GCP SDN connector is using a batch API call to collect dynamic addresses and any of the individual API calls in the batch fail, cmdbsvr daemon CPU usage will be high, which may cause the GUI to get stuck and be unable to make configuration changes.

VoIP

Bug ID

Description

682983

SIP ALG does not DNAT all IP addresses in the SIP response messages (route field).

WAN Optimization

Bug ID

Description

702876

FortiGate web cache does not work in proxy mode.

Web Filter

Bug ID

Description

593203

Cannot enter a name for the web rating override or save it due to name input error.

723610

Antiphishing LDAP domain verification is not matching credentials.

WiFi Controller

Bug ID

Description

502080

TARGET ASSERT error in WiFi driver causes kernel panic.

529727

The configured MAC address of the VAP interface did not take effect after rebooting.

662615

FG-80F series should support a total of 96 WTP entries (48 normal).

645328

Operating channel is 0 for both of the FAP radios (FAP-421E).

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

685593

Spectrum analysis graphs only present a portion of the data for a monitor mode radio when the X-axis is MHz.

693217

Physical AP leave log messages show reason="N/A".

693973

Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF.

697058

Unable to change AP state under rogue AP's monitor page.

698961

FWF-60F/61F and FWF-40F encounter a kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

699905

FAP-421E does not come online over IPsec tunnel and shows a certificate error.

703685

VLAN-tagged CAPWAP traffic was dropped by NP6XLite FortiGate when FortiAP is connected through aggregate FortiLink FortiSwitch.

709824

Dynamic VLAN SSID traffic cannot pass through VDOM link when capwap-offload is enabled.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

710759

Automation trigger for rogue AP on wire sends email alerts for rogue AP not on wire.

717227

get wireless-controller wtp-status output shows only one AP entry.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

712334

FortiOS 7.0.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-26110

Explicit Proxy

Bug ID

Description

706078

Unable to access SSL exempt site with authentication TP proxy because certificate inspection does not learn the forward server object.

708851

When visiting a website for the first time in Firefox, the disclaimer page is shown and the webpage loads normally. When visiting a website for a second time, Firefox may take a few minutes to show the disclaimer and then another few minutes to load the webpage.

716224

In web proxy with transparent policy, the web filter rating fails when there is no SNI or CID.

Firewall

Bug ID

Description

591721

Viewing firewall shaping policy in the GUI will unset the traffic-shaper if class-id and traffic-shaper are both configured.

595949

Any changes to the security policy table causes the hit count to reset.

645010

Misleading GUI error when policy lookup fails due to source IP route lookup.

653137

VIP object associated with SD-WAN member interface from omni-select list of destination addresses should not be filtered out.

654356

In NGFW policy mode, sessions are not re-validated when security policies are changed.

681893

Firewall policy Last Used information is different in the CLI and GUI.

694154

Dynamic traffic shapers are not consistent in their idle time limit.

696619

FGSP synchronized UDP sessions may be blocked in NGFW policy mode when asymmetric routing is used due to a policy matching failure. Other types of traffic may also be affected (such as TCP) in the case of failover of the reply direction traffic to a different FortiGate in the FGSP cluster.

705402

Server load-balancing on FortiGate is not working as expected when the active server is down.

707659

New ISBD object is not indicated in the GUI.

707854

FortiGate is not able to resolve FQDNs without DNS suffix for firewall address objects.

708159

Firewall policy is not applied correctly when using VNE tunnel interface with policy-based IPsec VPN.

709832

When there are multiple internet services configured that match a certain IP, port, or protocol, it may cause the wrong policy to be matched.

714198

When in transparent mode with AV and IPS, the original and reply direction traffic should be redirected only one time.

714647

Proxy-based policy with AV and web filter profile will cause VIP hairpin to work abnormally.

716317

IPS user quarantine ban event is marking the sessions as dirty.

717170

TCP MSS size for local traffic is not adjusted by the firewall policy.

717802

In transparent mode, a log has an irrelevant policyid.

724145

Expiration timer of expectation session may show a negative number.

FortiView

Bug ID

Description

621453

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

683654

FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

712580

When viewing FortiView Sources or Destinations, some usernames in the format of <DOMAIN\username> are displayed as DOMAIN&bsol;username. The user is displayed with a \ in the CLI.

722543

FortiView does not arrange FortiGuard quota based on highest to lowest value and vice versa.

GUI

Bug ID

Description

585899

SAML auto configuration does not take admin-sport into account.

589231

Get Invalid IP/Wildcard mask. warning when editing the address object in the GUI.

602397

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

610572

Guest user credentials never expire if a guest user logs in via the WiFi portal while an administrator is actively viewing the user's account via the GUI. If the administrator clicks OK in the user edit dialog after the guest user has logged in, the user's current login session is not subject to the configured expiration time.

645158

When logging into the GUI via FortiAuthenticator with two-factor authentication, the FortiToken Mobile push notification is not sent until the user clicks Login.

647431

After removing an image name on the Replacement Messages Edit page, an image list should be displayed when hovering the mouse over the image URL link, but it is not.

665597

When set server-identity-check is enabled, Test User Credentials fails when performed on the CLI and passes when run from the GUI. The GUI implementation has been updated to match that of the CLI.

674548

When searching for a Firewall Policy, if the search keyword is found in the policy name and there are spaces adjacent to it, the search results will be displayed without the adjacent spaces. The actual policy name is not changed.

674592

When config ha-mgmt-interfaces is configured, the GUI incorrectly shows an error when setting overlapping IP address.

676104

Check mark for maximize bandwidth SD-WAN rule is not removed when member no longer meets SLA.

676306

httpsd has signal 6 and 11 crashes at cmf_query_create_child because of segfault in /api/v2/monitor/switch-controller/managed-switch/transceivers.

686592

GUI does not display statistical information on SD-WAN Performance SLA page.

689392

Port Errors counters for managed FortiSwitches show zero when the port actually shows errors.

690666

Enabling daylight saving time (DST) results in GUI and CLI system time differences when DST is active (end of March to end of October).

691620

Use Account Entitlement when checking for FSAC contract.

695815

When editing the external connector Poll Active Directory Server from the GUI, the Users/Groups option is always an empty value, even if there is an existing group configured. The workaround is to manage the option from the CLI.

696226

Interfaces and zones open slowly.

696573

Firewall policy is not visible in GUI when using set internet-service src enable.

701442

Cannot access GUI for FortiGate in FIPS-CC mode.

701742

Items added to Favorites are lost after a logout or reboot.

702065

After upgrading to 6.4.4, the RADIUS server with non-FortiToken two-factor authentication does not work in the GUI.

703955

When editing the WAF profile in the GUI, changes to the WAF default-allowed-methods are not committed. The CLI must be used.

704209

When updating the Disclaimer Page replacement message, if the message is too long, the Save button is disabled and a red warning displays the current buffer size compared to the allowed size.

704503

Routing monitor is slow to load or does not load when the user has a full routing table.

704618

When the login banner is enabled and the user is forced to log in again to the GUI (due to password change or enabling VDOMs), the user may see a Bad Gateway error.

706340

When editing a firewall policy, copying and pasting in the Comments field gives an error.

706711

When accprofile is set to fwgrp custom with all read-write permissions, some GUI menus will not be visible. Affected menu items include IP Pools, Protocol Options, Traffic Shapers, and Traffic Shaping Policy/Profile.

706982

Unable to edit an interface address; a Bits of the IP address will be truncated by the subnet mask error is shown.

708121

After a user creates or edits an SSID interface, the GUI incorrectly navigates to the interfaces list instead of SSIDs list.

708211

Administrators with VDOM scope cannot change their own password in the GUI.

708467

Cannot configure ZTNA to enable an IP or MAC filter type firewall policy to add ZTNA tag.

709103

Unable to edit interfaces in the GUI, and httpsd is spiking the CPU cores.

709662

Static route for IPsec VPN shows tunnel ID as a gateway and provides an unreachable error.

710220

Unable to download MIB files from FortiGate.

710946

Special characters not allowed in the OU field of a CSR signing request, from both the GUI and CLI.

713148

httpsd process has high CPU and memory usage, causing the unit to enter conserve mode.

713580

Non-FortiToken RADIUS two-factor authentication not working when logging into the GUI.

715256

When the Security Fabric Connection is enabled on a VPN interface, the DHCP Server section disappears from the GUI.

715493

httpsd consumes high CPU when loading a GUI page.

716986

GUI and REST API show incorrect reference count for web filter after adding and removing it from a policy.

717405

Tooltip for FortiSandbox Cloud shows status as Unreachable or not authorized.

719620

Interface page does not load for an administrator user with netgrp read-write permissions when an IPsec VPN is configured.

719694

httpsd crashes when navigating between switch controller related GUI pages.

720006

GUI always shows duplicate entry when trying to create a NAC dynamic address and other types of firewall addresses.

HA

Bug ID

Description

659837

The HA secondary cannot synchronize a new virtual switch configuration from the primary.

670331

Management access not working in transparent mode cluster after upgrade.

678145

GUI shows a warning icon that the cluster is out of sync although the cluster is in sync.

692384

High memory usage of hasync process on FGCP passive device.

694646

ICMP session cannot synchronize after the FortiGate where the session was first created reboots.

697066

When SLBC HA has a fast flip, there is a chance that the route will be deleted from the secondary when it changes to the primary.

698732

Copied policy set to Deny contains unneeded lines.

703047

hbdev goes up and down quickly, then the cluster keeps changing rapidly. hasync objects might access invalid cluster information that causes it to crash.

703719

hasync is busy when receiving ARP when there is a huge number of ARPs in the network.

708928

The set override disable setting changes to enabled on main virtual cluster after rebooting (flag of second virtual cluster remains disabled).

709382

Creating an aggregate interface in HA causes the VMAC resolution to fail.

710236

Heartbeat interfaces do not get updated under diagnose sys ha dump-by <group | memory> after HA hbdev configuration changes.

711962

Incorrect uptime value for HA secondary shown in the GUI.

714113

GRE configuration should not be synchronized in multi-AZ HA, but the system does not allow it to be added in the VDOM exception.

714404

Every UDP packet in the reply direction triggers the session state update synchronization, even if the session state did not change.

715939

Cluster is unstable when running interface configuration scripts. For example, when inserting many VLANs, hatalk will get a lot of intf_vd_changed events and recheck the MAC every time, which blocks hatalk from sending heartbeat packets for a long time so that the peer loses it.

716216

HA becomes out of sync when a backup device is updating the discarded duplicate BGP network table entry from the primary.

717251

In FGSP, session-sync-dev statistics of get system ha status disappear after reboot.

717525

FortiGate sends its serial number at the beginning of the file path via TFTP backup for CLI automation script or automation stitch when in the cluster.

717785

HA primary does not send anti spam and outbreak prevention license information to the secondary.

721482

CLI help text should not list FortiManager as an option for ha-direct.

721720

Performance degradation of session synchronization after upgrading.

722284

When there is a large number of VLAN interfaces (around 600), the FortiGate reports VLAN heartbeat lost on subinterface vlan error for multiple VLANs.

Intrusion Prevention

Bug ID

Description

680501

Destination interfaces are set to unknown for previous ADVPN shortcuts sessions.

682071

IPS signatures are not working with VIP in proxy mode.

686301

ipshelper CPU spikes when configuration changes are made.

689259

Flow-based AV scanning does not send specific extension files to FortiSandbox.

721462

Memory usage increases up to conserve mode after upgrading IPS engine to 5.00239.

IPsec VPN

Bug ID

Description

578879, 676728

IPsec tunnel bandwidth usage is not correct on the GUI widget and SNMP graph when NPU is doing host offloading.

620907

L2TP-over-IPsec tunnels frequently disconnect and hardly reconnect. CPU0 and CPU2 are at over 80%.

642760

Split tunnel is not working with L2TP IPsec VPN on Windows native VPN.

674576

Certificate-based IPsec authentication succeeds when the strict-crl-check is enabled and the CRL is not reachable.

691718

Traffic cannot pass through IPsec tunnel after FEC is enabled on server side if NAT is enabled between VPN peers.

708590

Framed IPv6 address is not used in IPsec or SSL VPN tunnels.

708870

After failover, the static tunnel interface's remote IP static routes are missing on the new primary.

708940

When ADVPN with BGP has routing-protocol and link-down-failover enabled, establishing the ADVPN shortcut causes the BGP neighbor to flap and affects traffic.

709850

Duplicate IP assigned by IKE Mode Config due to static gateway being out of sync after HA flapping. The tunnel that is out of sync cannot receive the deletion from the hub and holds on to an IP that has already been released.

710961

Hub is dropping packets due to Failed to find IPsec Common after upgrading from 6.2.6 to 6.2.7.

711072

ADVPN using BGP cannot bring up second shortcut after first shortcut is established with net-device enabled.

713763

IPsec aggregate is not sending outbound ESP traffic on FortiOS 7.0.

713839

In a redundant mode IPsec aggregate, the first aggregate member is always used to output traffic even if it is down.

714400

Dynamic IKEv2 IPsec VPN fails to establish after adding new phase 2 with mismatched traffic selector.

715070

OCVPN configuration change in one member reloads the BGP configuration of all the OCVPN members.

715651

iked crashed when clients from the same peer connect to two different dynamic server configurations that are using RADIUS authentication.

717082

FortiGate keeps initiating DHCP SA rekey after lifetime expires.

719655

IPsec does not work in FG-VM after upgrading to 7.0.

Log & Report

Bug ID

Description

708890

Traffic log of ZTNA HTTPS proxy and TCP forwarding is missing policy name and FortiClient ID.

710344

Reliable syslog is sent in the wrong format when flushing the logs queued in the log daemon when working in TCP reliable mode.

711946

FortiAnalyzer cannot process the packet loss field in the log because the field has a % in it.

722315

System might generate garbage administrator log events upon session timeout.

Proxy

Bug ID

Description

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

670339

Proxy-based SSL out-band-probe session has a local-out connection. Since the local-out session does not learn the policy route, all outbound connections fail if there is no static route to the destination.

676419

WAD crash at wad_async_queue in FOH connect case.

683844

In cases when WAD fails to resolve a firewall policy for the session, WAD crashes at wad_ssl_proxy_can_bypass() when a missed condition check allows the session to still pass through.

700073, 714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused the proxy option to restrict YouTube access to stop working.

700481

Unable to authenticate to FTP server when firewall policy is set to proxy-based and AV is enabled.

701513

WAD encounters segmentation fault crash at wad_http_scan_engine__on_unblock.

704323

In IPS TCP proxy handover, the firewall policy tcp-mss-sender, tcp-mss-receiver, and interface tcp-mss settings are not used.

706555

WAD crashes at wad_ssl_port_p2s_set_server_cert.

706556

WAD crashes at wad_http_scan_safe_proc_msg.

708514

WAD crash at flush sec_profile after deleting VDOM.

709391

Enhance link monitor health check for access proxy real server in ZTNA.

709623

WAD crashes seen in user information upon user purge and during signal handling of user information history.

710125

All load-balancing methods should be supported for ZTNA access proxy.

711484

Certificate authentication support should be added to the normal proxy policy authentication.

714610

Explicit proxy policy (ISDB and IP pool) cannot be set in the GUI or CLI.

715327

The cert-probe-failure option is not available when inspect-all certificate-inspection is enabled.

716400

Certificate inspection is not working as expected when an external proxy is used.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

724445

Local TCP/853 is unexpectedly open as soon as any proxy mode inspection policy with UTM is enabled.

726801

When FortiGuard is updating, an external resource build might happen at the same time with other RAM consuming update operations, causing the system to enter conserve mode.

728078

Rating request does not always check cache.

REST API

Bug ID

Description

597494

REST API incorrectly returns error code 401 (authentication error) instead of 403 (authorization error) for requests that pass the authentication check but are not permitted to access the resource.

710198

/api/v2/monitor/system/available-interfaces takes over one minute for a response.

713445

For API user tokens with CORS enabled and set to wildcard *, direct API requests using this token are not processed properly. This issue impacts FortiOS version 5.6.1 and later.

714075

When CORS is enabled for REST API administrators, POST and PUT requests with body data do not work with CORS due to the pre-flight requests being handled incorrectly. This only impacts newer browser versions that use pre-flight requests.

Routing

Bug ID

Description

579884

VRF configuration in WWAN interface has no effect after reboot.

670031

LDAP traffic that originates from the FortiGate is not following SD-WAN rule.

682455

Checkmark is not shown beside the interface currently selected by the SD-WAN rules (Network > SD-WAN Rules page).

688317

Blackhole route to the gateway of policy route makes the PBR inactive/disabled.

697645

FortiGate deletes prefix-list configuration due to concurrent administrator SSH sessions.

699122

Issues with SD-WAN zone's availability to select it as an OSPF interface.

700840

VRF should support IPv6 in the static route and BGP VRF leaking tables.

701027

No speed test button for PPPoE interface in GUI on Interfaces page.

702463

Security rating traffic does not follow SD-WAN rules.

703782

Traffic to FortiToken Mobile push server does not follow SD-WAN/PBR rules.

705767

SD-WAN rules are not working with route tags and VRF.

706237

ICMP Destination Host Unreachable responses are sent in reverse order.

707143

Suggest adding an option for NetFlow to use SD-WAN.

707713

Restore the change of routing code.

708614

Firewall policy rule with destination interface as virtual-wan-link cannot match traffic in some cases.

710606

Some static routes disappear from RIB/FIB after modifying or installing static routes by running a script in the GUI.

712586

SNAT sessions on the original preferred SD-WAN member will be flushed after the preferred SD-WAN member changes, so existing SNAT traffic will be interrupted.

715274

Enabling SD-WAN on interfaces with full BGP routes leads to device going into conserve mode.

718950

Local out routing does not work with PPPoE interface.

719788

Policy Routes GUI page does not show red exclamation mark when a source or destination is negated, like on Firewall Policy page.

722343

SD-WAN rule not matched with MAC address object and ISDB in policy.

723550

Load-balance service mode and maximize bandwidth (SLA) in SD-WAN rule does not work as expected in 7.0.0.

723726

BGP session drops between virtual wire pair with auto-asic-offload enabled in policy.

724250

Enabling preserve-session-route does not take effect in SD-WAN scenario.

Security Fabric

Bug ID

Description

672218

In multi-VDOM environment, when viewing logical topology under a specific VDOM view, the GUI incorrectly shows interfaces and devices from all VDOMs.

685642

Link to Login to FortiAnalyzer on the Physical Topology page does not open, and FortiAnalyzer HTTPS is no longer configured on port 443.

695040

Unable to connect to vCenter using ESXi SDN connector with password containing certain characters.

708172

Automation stitch action does not work when trigger is an AV and IPS database update.

714807

Security rating two-factor authentication test shows as failed for IPsec and SSL VPN, but all users have two-factor authentication enabled.

718469

Wrong timestamp printed in the event log received in email from event triggered from email alert automation stitch.

718581

If HA management interface is configured, the Kubernetes connector fails to connect.

719029

Automation stitch action no longer understands %%log.date%% and %%log.time%% variables.

722950

Topology page is empty in robot Security Fabric setup.

SSL VPN

Bug ID

Description

500664

SSL VPN RDP bookmark not working with CVE-2018-0886.

515519

guacd uses 99% CPU when SSL VPN web portal connects to RDP server.

542815

SSL VPN web portal RDP connections to RDS session hosts fail.

550819

guacd is consuming too much memory and CPU resources during operation.

586035

The policy script-src 'self' will block the SSL VPN proxy URL.

630068

When SSL VPN SSH times out, SSH to SES will crash when SSH is empty.

659581

Google Maps and 2gis.ru page do not display the map at all in SSL VPN web portal.

669707

The jstor.org webpage is not loading via SSL VPN bookmark.

671647

Imported certificate cannot be used in IPsec tunnel only (-3: Entry not found).

676333

Unable to type accents using dead keys in RDP using Spanish keyboard layout over SSL VPN web mode in macOS.

677031

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

677548

In SSL VPN web mode, options pages are not shown after clicking the option tag on the left side of the webpage on an OWA server.

677668

sslvpnd crashes due to wrong application index referencing the wrong shared memory when daemons are busy. Crash found when RADIUS user uses Framed-IP.

678757

vCenter (*.be***.tld) page does not load in SSL VPN web mode.

689465

RDS redirect not working on SSL VPN web portal.

693200

Error when logging out of an SSL VPN bookmark website.

693237

DCE/RPC sessions are randomly dropped (no session matched).

693347

Forward traffic for SSL VPN with EMS tags dynamic address is failing apart from helper-based traffic.

693519

SSL VPN authentication fails for PKI user with LDAP.

693718

FortiClient SSL VPN users are unable to authenticate when zero-trust tag IP address is used as the host IP under limited access.

694226

SSL VPN web mode removes ant-tree components in HTML source.

694346

Report section of internal web server (https://lm***.lm***.au***.vw***/ar***/) is not accessible via the SSL VPN web portal.

694671

PDF files on internal web server, https://co***.ag***.em***.vw***:8443, are not opening in SSL VPN web portal.

695404

WALLIX personal bookmark issue in SSL VPN portal.

695457

JS error thrown when accessing HTTPS bookmark (mk***.ag***.cp***.vw***) via SSL VPN web portal.

695763

FortiClient iOS 6.4.5 has a new feature that allows bypassing 2FA for SSL VPN. The FortiGate should allow access when 2FA is skipped on FortiClient.

696533

Certain URLs are not rewritten for bookmarked HTTPS external site http://www.sz***.hu.

697551

Unable to save record on internal website https://1**.1**.8*.3*/Login.jsp via SSL VPN web mode.

701119

SSL VPN DTLS tunnel could not be established in some cases when the tunnel link is still under negotiation. Some IP packets were sent to the client, causing the client's logic to fail.

704597

Search option on internal website, kp***.kd****.ca, not working while accessing via SSL VPN web mode.

705278

DTLS SSL VPN connection cannot be established via FortiTester.

705370

Back-end server (va***.ra***.com.ar) is not working in SSL VPN web mode.

706185

OWA user details are not showing in SSL VPN web mode.

708021

SSO authentication to FortiMail webmail is not working using SSL VPN bookmark.

708639

Idle timeout does not send log out request to IdP for SAML login on SSL VPN portal.

710163

SSL VPN is stuck loading https://el***.***-data.pl when a wrong credential is entered.

711503

SSL VPN web mode access to internal web server http://10.2.1.78 is broken after upgrading to 7.0.0.

711690

QNAP NAS web page hangs on loading page after entering the credentials in SSL VPN web mode.

711944

POP3 authentication failed for SSL VPN.

712880

Windows Admin Center webpage (ge***.ov***) does not load correctly in SSL VPN web mode.

714604

SSL VPN daemon may crash when connection releases.

714700

SSL VPN proxy error in web mode due to requests to loopback IP.

715928

SSL VPN signal 11 crashes at sslvpn_ppp_associate_fd_to_ipaddr. For RADIUS users with Framed-IP using tunnel mode, the first user logs in successfully, then a second user with the same user name logs in and kicks the first user out. SSL VPN starts a five-second timer to wait for the first user resource to clean up. However, before the timer times out, the PPP tunnel setup fails and the PPP context is released. When the five-second timer times out, SSL VPN still tries to use the PPP context that has already been released and causes the crash.

716622

Due to a change on the samld side that increases the length of the SAML attribute name to 256, SSL VPN could not correctly parse the username from the SAML response when the username attribute has a long name.

717193

Website cannot be accessed in SSL VPN web mode.

717382

Website, co***.gob.pe, is not shown properly in SSL VPN web mode.

718142

The map integrated in the public site is not visible when using SSL VPN web mode.

718159

Webpage, http://10.3.24.8/ma***, is not displaying correctly in SSL VPN web mode.

718170

SSL VPN web portal does not show thumbnails of videos for an internal JS-based web server.

718262

Traffic cannot go through SSL VPN tunnel when a second user kicks first session off.

719069

iprope records for SSL VPN policies are removed after upgrading to 7.0.0 or during the reboot.

720290

Internal webpage, https://172.3**.***.164/ce***/, is not loading in SSL VPN web mode.

721427

Unable to load NetApp OnCommand Unified Manager webpages due to reloading loop in SSL VPN web mode.

724830

FortiGate sends authentication request to all RADIUS servers instead of only those in the default realm.

726576

Internal webpage with JavaScript is not loading in SSL VPN web mode.

726641

Unable to load pi***.vi***-ga***.org in SSL VPN web mode.

Switch Controller

Bug ID

Description

647817

Configuration changes on the FortiGate not taking effect on the FortiSwitch.

682430

Entry created in NTP under interface configuration after failing to enable FortiLink interface.

699533

In FortiOS 7.0.0, the default authentication protocol for a switch controller SNMP user is SHA256, as opposed to the default SHA1 in previous versions.

702942

FortiLink trunk is not formed on FortiSwitch connecting to FortiGate. When managed switches learned on the software switch and hardware switch were deleted from the CLI, fortilinkd did not clear the states for those switches, so new switches were not learned.

717506

Unable to add description on shared FortiSwitch port.

System

Bug ID

Description

568399

FG-200E has np6lite_lacp_lifc error message when booting up a device if there are more than seven groups of LAGs configured.

572038

VPN throughput dropped when FEC is enabled.

613947

Redundant interface cannot pick up traffic if one member is down.

627734

Optimize interface dialog and configuration view for /api/v2/monitor/system/available-interfaces (phase 1).

651626

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

664856

A VWP named .. can be created in the GUI, but it cannot be edited or deleted.

666418

SFP interfaces on FG-330xE do not show link light.

667307

Console prints out NP6XLITE: np6xlite_hw_ipl_rw_mem_channel timeout message on SoC4 platforms.

671332

httpsd crashed after changing VDOM for interface.

674616

VDOM list is slow to load in GUI when there are many VDOMs configured on FG-3000D.

683387, 711698

Change WWAN interface default netmask to /32 and default distance to 1.

686903

DHCP option 121 as a client not working on FortiGate.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

687833

Add DNS server selection method to change how DNS servers are configured and prioritized.

688009

Update built-in modem firmware that comes with the device in order for the SIM to be correctly identified and make LTE link work properly.

689317, 698927

After pushing the interface configuration from FortiManager, the device index is incorrectly set to 0.

690797

Huawei E8372h-320 LTE modem does not receive IP on FG-30E.

693757

Secondary FG-5001D blades in SLBC cluster do not show updated contract dates.

696550

Mirroring of decrypted SSL traffic does not work in flow mode; if the receiving side is a VM, the receiver is unable to receive SSL decrypted packets.

696556

Support gtp-enhance-mode (GTP-U) on FG-3815D.

696622

FortiGate cannot get gateway from built-in LTE modem on all LTE capable FortiGate platforms.

697287

FOS 6.2.6 in FIPS mode with LB VIP and custom ciphers does not allow traffic through.

698005

In some environments, host-side DPDK affects the benchmark result.

699358

Cannot change FEC (forward error correction) on port group 13-16.

699902

SNMP query of fgFwPolTables (1.3.6.1.4.1.123456.101.5.1.2.1) causes high CPU on a specific configuration.

700272

ddnsd did not update the new IP address of dynupdate.no-ip.com, so it failed to connect to the DDNS server.

700314

ARP reply is sent out by FortiGate but is not received on the neighbor device.

701911

FortiGate entered conserve mode (service=kernel), possibly due to large number of log creation requests.

702135

cmdbsvr memory leak due to unreleased memory allocated by OpenSSL.

703131

Split-task VDOM does not update IPS/AV from ha-direct connected internal FortiManager.

704981

LLDP transmission fails if there are nested software switches.

705878

Local certificates could not be saved properly, which caused issues such as not being able to properly restore them with configuration files and causing certificates and keys to be mismatched.

706131

When processing visibility log requests and passively learning FQDNs and wildcard FQDN addresses at a high rate, the CPU usage of dnsproxy can reach 90% or higher.

709513

SD-WAN reports phantom packet loss.

710807

FGR-60F WAN1 and WAN2 fail to connect to the network due to board ID GPIO assignment being incorrect.

710934

FortiGate loses its DHCP lease: the DHCP client interface returns to the initial state (from which point dhcpcd sends out discover packets), but the old IPs and router are still in the kernel, so the FortiGate can still reply to the ICMP request. That causes the customer's DHCP server (a router) to fail to assign the only available IP in the pool.

712203

A memory leak occurs in the forticron process if GUI REST API caching is enabled.

712321

Multiple ports flapping when a single interface is manually brought up. Affected platforms: FG-3810D and FG-3815D.

712506

25G-capable ports do not receive any traffic. Affected platforms: FG-1100E and FG-1101E.

712905

Daylight saving time changes are not reflected for time zone 16.

713324

Command fails when running execute private-encryption-key <xxx>.

714164

SNMP times out or has slow response when SNMP queries FortiGate session table OIDs.

714192

diagnose sys bcm_intf cli "2:" and diagnose sys bcm_intf cli "ps" try to access a non-existent BCM switch, which leads to kernel panic.

714256

A softirq happened in an unprotected session read lock and caused a self-deadlock.

714402

FortiGate crashes after reboot (kernel BUG at drivers/net/macvlan.c:869).

714711

NP offloading is blocking backup traffic.

714805

FortiManager shows auto update for down port from FortiGate, but FortiGate event logs do not show any down port events when user shuts down the ha monitor dev.

715043

Guest Management page Expire column shows incorrect value for guest groups when set to expire after on first login.

715048

When there is no PRP setting in the 6.4 configuration, after upgrading from 6.4 to 7.0, kernel panic happens after enabling PRP.

715571

config match command is not available in the user group configuration within the root VDOM when split-task VDOM is used.

716483

DNS proxy is case sensitive when resolving FQDN, which may cause DNS failure in cases where local DNS forwarder is configured.

717203

When a user changes a configuration in the CLI, cmdbsvr sends the auto update file to FortiManager at the same time. There is a timing issue that may cause the last command not to be sent to FortiManager, since cmdbsvr has finished sending the file before the last command is stored in it.

717791

execute restore vmlicense tftp fails with tftp: bind: Address already in use.

718322

FortiGate sends an invalid configuration to FortiManager, which causes the FortiManager policy packages to have an unknown status.

718501

Problem resolving DNS TXT type queries with FortiGate.

718571

In cases where there are a lot of DHCP relay interfaces (such as 1000) and an interface is added or deleted, DHCP relay takes a long time to release and initialize all interfaces before it works again.

721733

IPv6 networks are not reachable shortly after FortiGate failover because an unsolicited neighbor advertisement is sent without a router flag.

721789

Account profile settings changed after firmware upgrade.

722287

The set key-outbound and set key-inbound parameters are missing for GRE tunnels under config system gre-tunnel.

723491

When ACME service is enabled on an interface, HTTPD responds to HTTP TRACE method with HTTP 200 OK.

723643

FortiGate NTP server cannot synchronize time for Linux client on IPv6.

725934

Running execute tac report or diagnose debug report via SSH leaves a tac_report* file in /tmp.

Upgrade

Bug ID

Description

701571

After upgrading from 6.4.5 to 7.0.0, all flow-based policies are switched to proxy if there is a SIP profile attached to the firewall policy.

708250

Console prints __set_clr_flag:wwan ioctl failed, flag:0x0200 errno:19 when upgrading from 6.4.5 to 7.0.0.

710465

Policy inspection mode gets changed to proxy after upgrading to 7.0.0.

713724

SD-WAN health check over IPsec interfaces no longer works if there is a specified gateway under the IPsec SD-WAN member.

713878

Under config system dns-database, the set type slave configuration in 6.4.5 does not change to set type secondary after upgrading to 7.0.0.

716912

SSH access may be lost in some cases after upgrading to 6.2.8, 6.4.6, or 7.0.0.

User & Authentication

Bug ID

Description

688989

Two-factor authentication can be bypassed with some configurations.

697278

SAML entity ID can only be entered in HTTP format, but as per standard should also support URN.

698602

LDAP query from GUI does work in non-management and non-root VDOM.

698716

RADIUS password encoding does not work.

700838

FortiOS does not prompt for token when using RADIUS and two-factor authentication to connect to IPsec IKEv2.

704708

Local CA certificate, Fortinet_CA_SSL, cannot be restored from saved configuration file after the FortiGate factory reset.

707578

If a certificate authentication job expires in fnbamd, an error is returned to caller that makes the proxy block client traffic.

707868

The authd daemon crashes due to invalid dynamic memory access when data size is over 64K.

710212

RADIUS accounting port is occasionally missing.

712354

Firewall policy does not allow multiple SAML users that reference the same SAML server.

VM

Bug ID

Description

685782

HTTPS administrative interface responds over heartbeat port on Azure FortiGate despite allowaccess settings.

703457

Password reset via Azure portal does not work in cases where the DependencyAgentLinux extension is installed.

708768

On FG-VM-AWS, secondary IPs are missing after failover event.

710941

FortiOS GUI shows Unable to connect to FortiGuard servers warning when offline license is being used.

713279

After rebooting a GCP FortiGate, it takes more than 30 to 40 minutes to come up and affects passthrough traffic during this period.

714682

GENEVE tunnel with loopback interface is not working.

715750

EIP information is not automatically updated after instance reboot.

716161

Azure HA failover encounters error when doing route failover.

722227

If the GCP SDN connector uses a batch API call to collect dynamic addresses and the individual API calls in a batch all fail, cmdbsvr daemon CPU usage will be high, which may cause the GUI to get stuck and be unable to make configuration changes.

VoIP

Bug ID

Description

682983

SIP ALG does not DNAT all IP addresses in the SIP response messages (route field).

WAN Optimization

Bug ID

Description

702876

FortiGate web cache does not work in proxy mode.

Web Filter

Bug ID

Description

593203

Cannot enter a name for the web rating override or save it due to name input error.

723610

Antiphishing LDAP domain verification is not matching credentials.

WiFi Controller

Bug ID

Description

502080

TARGET ASSERT error in WiFi driver causes kernel panic.

529727

The configured MAC address of the VAP interface did not take effect after rebooting.

662615

FG-80F series should support a total of 96 WTP entries (48 normal).

645328

Operating channel is 0 for both of the FAP radios (FAP-421E).

676689

RADIUS traffic not matching SD-WAN rule when using wpad daemon for wireless connection.

685593

Spectrum analysis graphs only present a portion of the data for monitor mode radio when the X-axis is MHz.

693217

Physical AP leave log messages showing reason="N/A".

693973

Captive portal/disclaimer is not shown for SSIDs not belonging to the default VRF.

697058

Unable to change AP state under rogue AP's monitor page.

698961

FWF-60F/61F and FWF-40F encounter kernel panic (LR is at capwap_find_sta_by_mac) when one managed FortiAP is authenticating WiFi clients.

699905

FAP-421E does not come online over IPsec tunnel and shows a certificate error.

703685

VLAN-tagged CAPWAP traffic was dropped by NP6XLite FortiGate when FortiAP is connected through aggregate FortiLink FortiSwitch.

709824

Dynamic VLAN SSID traffic cannot pass through VDOM link when capwap-offload is enabled.

709871

After the firmware upgrade, the AP cannot register to the central WLC because NPU offload changed the source and destination ports from 4500 to 0.

710759

Automation trigger for rogue AP on wire sends email alerts for rogue AP not on wire.

717227

get wireless-controller wtp-status output shows only one AP entry.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

712334

FortiOS 7.0.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-26110