
Known issues


The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 7.0.10 Build 0117. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 7.0.10 release notes also apply to FortiGate-6000 and 7000 FortiOS 7.0.10 Build 0117.

Bug ID

Description

700630

Some GUI pages may randomly take longer to load than expected or not load at all.

724543

Interface bandwidth dashboard widgets show incorrect outbound bandwidth usage.

782978

When setting up a FortiGate-6000 or 7000 FGCP HA cluster, one of the FortiGates in the cluster may be running an older firmware version. During cluster formation, the newer firmware version is installed on the FortiGate running the older firmware version. After the firmware is downloaded and before the FortiGate restarts, the console may display incorrect error messages. Even when these error messages appear, the FortiGate should start up normally, running the newer firmware version, and should be able to join the cluster.

785815

An FPM may display an incorrect checksum message on the console while restarting. The FPM will continue to operate normally after fully starting.

803082

Policy statistics data that appear on the GUI firewall policy pages and in FortiView may be incorrect.

807425

After successfully resetting a managed FortiSwitch from the FortiGate-6000 or 7000 GUI, a Failed to factory reset FortiSwitich message may appear.

813569

Operating a FortiGate-6000 or 7000 as an SSL VPN client is not supported.

830454

Changing the FPC or FPM that an IPsec tunnel is using can cause traffic in the tunnel to be blocked. The problem is a timing issue, so sometimes traffic will be unaffected when making this configuration change and other times it may be blocked.

832353

After factory resetting an FPM, if the configuration synchronized to it contains EMAC VLAN interfaces, the MAC addresses of the EMAC VLAN interfaces on the FPM may be different from the MAC addresses of the same EMAC VLAN interfaces on the primary FIM. The configuration synchronization checksum for the FPM is the same as for the other FPMs and FIMs, even though the EMAC VLAN interfaces have different MAC addresses.

840762

In some cases, the GUI will not display the Configuration Sync Monitor GUI page. You can work around this issue by stopping the node.js process. Once the node.js process is stopped, you will lose access to the GUI for a few seconds. Once node.js restarts, you can access the GUI and the Configuration Sync Monitor GUI page should be available.

You can use the following command to find the node.js process number:

diagnose sys process pidof node

The output of this command will be the node.js process number. Enter the following command to stop the node.js process:

diagnose sys kill 9 <node.js-process-number>

843473

The checksum of the root VDOM is missing from some parts of the output of the diagnose sys confsync showcsum command.

846164

In some cases IPv6 traffic fails because the DP processor sends IPv6 traffic to the wrong FPC.

856706

After an IPsec tunnel is started on a primary FortiGate-6000 or 7000 in an FGCP HA configuration, the IPsec SA is synchronized on the secondary FortiGate-6000 or 7000 in the cluster. However, after a short while, the IPsec SA can be deleted from the secondary FortiGate. If this causes IPsec tunnels to go down after a failover, you can enter the command diagnose vpn ike gateway flush on the new primary FortiGate-6000 or 7000 to flush and then restore all IPsec VPN tunnels.

871968

Fragmented packets are blocked by EMAC VLAN interfaces.

879106

FortiGate-6000 and 7000 do not support adding an EMAC VLAN interface to a VLAN interface. You can add an EMAC VLAN interface to a VLAN interface, but this could result in duplicate MAC addresses and duplicate HA virtual MAC addresses.

881414

In some rare cases, an FPC or FPM may assign one or more FortiGate-6000 or FortiGate-7000 FIM network interfaces the HA virtual MAC address 00:00:00:00:00:00.

You can use the diagnose hardware deviceinfo nic command to find the Current_HWaddr address assigned to each interface by each FPC or FPM.

You can work around this issue by running the diagnose sys ha mac command from the FortiGate-6000 management board CLI or FortiGate-7000 primary FIM CLI to recalculate HA virtual MAC addresses for all interfaces for all FPCs or FPMs. This command has been temporarily added for this release to help with this issue.

If the FortiGate-6000 or 7000 restarts or if you change the interface configuration (for example by changing the split interface configuration), the problematic HA virtual MAC address may revert to 00:00:00:00:00:00 and you will have to run the diagnose sys ha mac command again.
