Fortinet black logo

FortiGate-6000 and FortiGate-7000 Release Notes

Home FortiGate / FortiOS 7.0.10 FortiGate-6000 and FortiGate-7000 Release Notes
7.0.10
7.0.15
7.0.14
7.0.13
7.0.12
7.0.10
7.0.5
6.4.15
6.4.14
6.4.13
6.4.12
6.4.10
6.4.8
6.4.6
6.4.2
6.2.16
6.2.15
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.7
6.2.6
6.2.4
6.2.3
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.10
6.0.9
6.0.8
6.0.6
6.0.4
5.6.14
5.6.12
5.6.11
5.6.7

Resolved issues

Resolved issues

The following issues have been fixed in FortiGate-6000 and FortiGate-7000 FortiOS 7.0.10 Build 0117. For inquires about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 7.0.10 release notes also apply to FortiGate-6000 and 7000 FortiOS 7.0.10 Build 0117.

Bug ID

Description
664063 The diagnose sys ha dump_by device command now displays device information for the secondary FortiGate-6000 or 7000 in an FGCP HA cluster.

674979

The GUI now shows the correct amount of traffic on FortiGate-6000 HA interfaces.
714476 Resolved an issue that prevented console baud rate changes from being synchronized to all FPCs or FPMs if the baud rate change was made from a console session.

735464

The diagnose ips filter command is now successfully broadcast from the management board or the primary FIM to all FPCs or FPMs.
763820 Resolved an issue that prevented configuring the FortiGate-7000F to use some management interfaces as HA management interfaces even though the interface was available.

768931

The FortiGate-7000F GUI now correctly shows FPM-7620F P1 and P2 split interfaces.

781387

Resolved an issue that could cause the httpsd process to crash when working with a large complex configuration.

787646 878934

Resolved an issue related to how FortiOS updates large routing configurations that could cause the fctrlproxyd process to periodically use excessive amounts of CPU time (up to 99%), usually as a result of routing configuration changes.

Restarting the fctrlproxyd process no longer causes interface flapping.

803536 Resolved an issue that could cause a FortiGate-6000 or 7000 to incorrectly synchronize routes after various failover scenarios.
814343 Resolved an issue that could cause the FortiGate-6000 management board freeze while starting up and display a message similar to [cmf_get_entry_size:83] table=0x7f54b8ab8054, node_id=0.

814434

Resolved an issue that caused a kernel crash when changing the max-miss-heartbeat option of the config load-balance setting command.
814698 852406 Multiple improvements to FGSP session synchronization.
815874 822410 Resolved an issue with retrieving dynamic addresses and resolved a GUI issue that prevented the FortiGate-6000 and 7000 from supporting ZTNA.

819329

Resolved an issue that prevented administrators from pinging the remote interface of a GRE tunnel from the FortiGate-6000 or 7000 CLI.
823129

The FortiGate-7121F now correctly forwards all ICMPv6 non-0x80/81 traffic to the primary FPM.
824205

If an FPM completes starting up when no FIMs are running the FPM can't download the current miglogdisk_info file from the primary FIM. If this happens, the FPM will restart by which time an FIM should be running.
828623 The diagnose sys sdn status command now shows the correct information for a Cisco ACI connector.
830454 Changing the FPC or FPM that an IPsec tunnel is using no longer causes traffic in the tunnel to be blocked.
833488 Resolved a CMDB issue that can cause the fcnacd process to add a VDOM during stress testing.
835277 860240 Resolved an issue that resulted in the FortiGate-7000 session counter reporting incorrect session counts.
835847 Resolved an issue that prevented automation stitches from updating the password policy.
839887

Resolved an issue that prevented the miglogdisk_info file from being updated correctly when a FortiGate-7121F starts up or restarts.The miglogdisk_info file that is present on all FIMs and FPMs should be updated by reading current log disk information every time a FortiGate-7121F chassis restarts. This problem also caused FPMs to be out of synchronization.

839987

Resolved an issue with FGCP HA status synchronization between the management board and FPCs or between FIMs and FPMs that could cause traffic to be blocked. The problem would usually occur after the FortiGate-6000s or 7000s in the cluster restarted (for example, after a firmware upgrade).
840459 The information displayed by the diagnose load-balance switch stats egress command is now correct.

844424

A Transceiver is not detected message is no longer displayed for FIM-7921F interfaces for some supported transceivers.
845278 Resolved an issue that prevented ICMP error messages from being broadcast to all FortiGate-7000 FPMs when asymmetric routing is enabled.
847503 Resolved an issue with how SDN connector dynamic addresses are handled that prevented dynamic SDN connector addresses from being synchronized to all FPCs or FPMs in the secondary FortiGate-6000 or 7000.

848609

Resolved an issue that blocked IPv6 VIP traffic.

849022

IPv6 router advertisement (RA) packets received by the management board or primary FIM are now broadcast to all FPCs or FPMs.

850284

Active FTP data sessions are no longer handled by different FPCs or FPMs in the FortiGate-6000s or 7000s in an FGSP cluster.
851129 Log messages now correcty include the correct slot number of the reporting device in the slot= field.

852236

Resolved an issue that caused interface bandwidth dashboard widgets to show incorrect bandwidth usage spikes on interfaces used for FGCP HA heartbeat traffic when the HA cluster is processing high amounts of traffic.

852500

The FortiGate-6000F management board and FPCs now have the same default IPS socket size. FortiGate-7000 FIMs and FPMs now also all have the same default IPS socket size.

852500

The FortiGate-6000F management board and FPCs now have the same default IPS socket size. FortiGate-7000 FIMs and FPMs now also all have the same default IPS socket size.

852770

Resolved an issue that could prevent the GUI or CLI from displaying correct information about the transceivers installed in management interfaces.

853079 849650 848879

Resolved multiple issues related to support for EMAC VLAN interfaces.
855340 Resolved an issue that prevented LDAP user authentication from timing out when LDAP users were configured with auth-timeout-type set to hard-timeout.
859366 Resolved an issue that prevented IPv6 static routes added to a transparent mode VDOM from being synchronized to all FPCs or FPMs.

860197

Resolved an issue that could cause users to see an incomplete web filter override page.
861137 DLP fingerprinting now correctly downloads a DLP fingerprint data base when the FortiGate-6000 or 70000 first starts up and the period option of a DLP fingerprint configuration is set to none.
861381 Resolved an issue that prevented FPCs or FPMs from downloading DLP fingerprint files from an SMB server through the mgmt-vdom VDOM.

861449

DLP fingerprint files are now downloaded from an SMB server by the management board or primary FIM and then synchronized to the FPCs or FPMs. In previous releases, individual FPCs or FPMs would independently download DLP fingerprint files from the SMB server.
863640 FortiGate-7000 FIM and FPMs no longer have different default values for proxy-worker-count, scanunit-count, sslvpn-max-worker-count, and wad-worker-count.
863756 The diagnose debug flow filter <vdom-name> command now correctly synchronizes the <vdom-name> to all FPCs or FPMs.
864629 Resolved an issue that caused excessive CPU usage when entering a command similar to dnsproxy-worker-count 48.
867044 837304 Restoring a VDOM configuration no longer changes the IPv6 interface ra-send-mtu setting.
867093 Resolved an issue that could sometime cause IPsec VPN NAT traversal UDP sessions to be installed on the wrong FPC or FPM.
868372 Resolved an issue that caused FGSP to stop working if the FGSP configuration includes cluster synch entries that use different peer VDOMs.
871289 Firmware image protection has been added to the FortiGate-6000 and 7000 platforms.
871978 Resolved a FortiGate-6000 issue that could cause some interfaces to flap after manually disabling and re-enabling an interface.
872852 Improved SLBC and HA configuration synchronization because of the extra data overhead involved in synchronizing the configuration to the secondary FortiGate 7121F in an HA cluster when each FortiGate 7121F has up to 440 interfaces.

874339

Resolved an configuration system looping issue that could cause excessive CPU usage.

874355

Resolved an issue that under some network conditions, could result in lost HA heartbeats , causing an HA failover for an FortiGate-6000 or 7000 FGCP HA cluster.
874491 Resolved an issue that prevented the execute load-balance slot command from allowing access to some of the FPMs in a FortiGate-7060E.

879293

Administrators with read only access can now use the diagnose sniffer packet command.
882040 725821

Support for multihop BFD (MBFD) was added to FortiOS 7.0.6 (see BFD for multihop path for BGP) and is supported by FortiGate-6000 and 7000 for FortiOS 7.0.10.

The following flow rule has been added to the FortiOS 7.0.10 default flow rules for traffic that cannot be load balanced to send all multihop control traffic to the primary FPC or FPM. This flow rule should be enabled if you configure multihop BFD support on your FortiGate-6000 or 7000.

config load-balance flow-rule

edit 22

set status disable

set vlan 0

set ether-type ip

set protocol udp

set src-l4port 0-0

set dst-l4port 4784-4784

set action forward

set forward-slot master

set priority 5

set comment "Flow Rule for Multihop BFD"

end
Previous
Next

Resolved issues

The following issues have been fixed in FortiGate-6000 and FortiGate-7000 FortiOS 7.0.10 Build 0117. For inquires about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 7.0.10 release notes also apply to FortiGate-6000 and 7000 FortiOS 7.0.10 Build 0117.

Bug ID

Description
664063 The diagnose sys ha dump_by device command now displays device information for the secondary FortiGate-6000 or 7000 in an FGCP HA cluster.

674979

The GUI now shows the correct amount of traffic on FortiGate-6000 HA interfaces.
714476 Resolved an issue that prevented console baud rate changes from being synchronized to all FPCs or FPMs if the baud rate change was made from a console session.

735464

The diagnose ips filter command is now successfully broadcast from the management board or the primary FIM to all FPCs or FPMs.
763820 Resolved an issue that prevented configuring the FortiGate-7000F to use some management interfaces as HA management interfaces even though the interface was available.

768931

The FortiGate-7000F GUI now correctly shows FPM-7620F P1 and P2 split interfaces.

781387

Resolved an issue that could cause the httpsd process to crash when working with a large complex configuration.

787646 878934

Resolved an issue related to how FortiOS updates large routing configurations that could cause the fctrlproxyd process to periodically use excessive amounts of CPU time (up to 99%), usually as a result of routing configuration changes.

Restarting the fctrlproxyd process no longer causes interface flapping.

803536 Resolved an issue that could cause a FortiGate-6000 or 7000 to incorrectly synchronize routes after various failover scenarios.
814343 Resolved an issue that could cause the FortiGate-6000 management board freeze while starting up and display a message similar to [cmf_get_entry_size:83] table=0x7f54b8ab8054, node_id=0.

814434

Resolved an issue that caused a kernel crash when changing the max-miss-heartbeat option of the config load-balance setting command.
814698 852406 Multiple improvements to FGSP session synchronization.
815874 822410 Resolved an issue with retrieving dynamic addresses and resolved a GUI issue that prevented the FortiGate-6000 and 7000 from supporting ZTNA.

819329

Resolved an issue that prevented administrators from pinging the remote interface of a GRE tunnel from the FortiGate-6000 or 7000 CLI.
823129

The FortiGate-7121F now correctly forwards all ICMPv6 non-0x80/81 traffic to the primary FPM.
824205

If an FPM completes starting up when no FIMs are running the FPM can't download the current miglogdisk_info file from the primary FIM. If this happens, the FPM will restart by which time an FIM should be running.
828623 The diagnose sys sdn status command now shows the correct information for a Cisco ACI connector.
830454 Changing the FPC or FPM that an IPsec tunnel is using no longer causes traffic in the tunnel to be blocked.
833488 Resolved a CMDB issue that can cause the fcnacd process to add a VDOM during stress testing.
835277 860240 Resolved an issue that resulted in the FortiGate-7000 session counter reporting incorrect session counts.
835847 Resolved an issue that prevented automation stitches from updating the password policy.
839887

Resolved an issue that prevented the miglogdisk_info file from being updated correctly when a FortiGate-7121F starts up or restarts.The miglogdisk_info file that is present on all FIMs and FPMs should be updated by reading current log disk information every time a FortiGate-7121F chassis restarts. This problem also caused FPMs to be out of synchronization.

839987

Resolved an issue with FGCP HA status synchronization between the management board and FPCs or between FIMs and FPMs that could cause traffic to be blocked. The problem would usually occur after the FortiGate-6000s or 7000s in the cluster restarted (for example, after a firmware upgrade).
840459 The information displayed by the diagnose load-balance switch stats egress command is now correct.

844424

A Transceiver is not detected message is no longer displayed for FIM-7921F interfaces for some supported transceivers.
845278 Resolved an issue that prevented ICMP error messages from being broadcast to all FortiGate-7000 FPMs when asymmetric routing is enabled.
847503 Resolved an issue with how SDN connector dynamic addresses are handled that prevented dynamic SDN connector addresses from being synchronized to all FPCs or FPMs in the secondary FortiGate-6000 or 7000.

848609

Resolved an issue that blocked IPv6 VIP traffic.

849022

IPv6 router advertisement (RA) packets received by the management board or primary FIM are now broadcast to all FPCs or FPMs.

850284

Active FTP data sessions are no longer handled by different FPCs or FPMs in the FortiGate-6000s or 7000s in an FGSP cluster.
851129 Log messages now correcty include the correct slot number of the reporting device in the slot= field.

852236

Resolved an issue that caused interface bandwidth dashboard widgets to show incorrect bandwidth usage spikes on interfaces used for FGCP HA heartbeat traffic when the HA cluster is processing high amounts of traffic.

852500

The FortiGate-6000F management board and FPCs now have the same default IPS socket size. FortiGate-7000 FIMs and FPMs now also all have the same default IPS socket size.

852500

The FortiGate-6000F management board and FPCs now have the same default IPS socket size. FortiGate-7000 FIMs and FPMs now also all have the same default IPS socket size.

852770

Resolved an issue that could prevent the GUI or CLI from displaying correct information about the transceivers installed in management interfaces.

853079 849650 848879

Resolved multiple issues related to support for EMAC VLAN interfaces.
855340 Resolved an issue that prevented LDAP user authentication from timing out when LDAP users were configured with auth-timeout-type set to hard-timeout.
859366 Resolved an issue that prevented IPv6 static routes added to a transparent mode VDOM from being synchronized to all FPCs or FPMs.

860197

Resolved an issue that could cause users to see an incomplete web filter override page.
861137 DLP fingerprinting now correctly downloads a DLP fingerprint data base when the FortiGate-6000 or 70000 first starts up and the period option of a DLP fingerprint configuration is set to none.
861381 Resolved an issue that prevented FPCs or FPMs from downloading DLP fingerprint files from an SMB server through the mgmt-vdom VDOM.

861449

DLP fingerprint files are now downloaded from an SMB server by the management board or primary FIM and then synchronized to the FPCs or FPMs. In previous releases, individual FPCs or FPMs would independently download DLP fingerprint files from the SMB server.
863640 FortiGate-7000 FIM and FPMs no longer have different default values for proxy-worker-count, scanunit-count, sslvpn-max-worker-count, and wad-worker-count.
863756 The diagnose debug flow filter <vdom-name> command now correctly synchronizes the <vdom-name> to all FPCs or FPMs.
864629 Resolved an issue that caused excessive CPU usage when entering a command similar to dnsproxy-worker-count 48.
867044 837304 Restoring a VDOM configuration no longer changes the IPv6 interface ra-send-mtu setting.
867093 Resolved an issue that could sometime cause IPsec VPN NAT traversal UDP sessions to be installed on the wrong FPC or FPM.
868372 Resolved an issue that caused FGSP to stop working if the FGSP configuration includes cluster synch entries that use different peer VDOMs.
871289 Firmware image protection has been added to the FortiGate-6000 and 7000 platforms.
871978 Resolved a FortiGate-6000 issue that could cause some interfaces to flap after manually disabling and re-enabling an interface.
872852 Improved SLBC and HA configuration synchronization because of the extra data overhead involved in synchronizing the configuration to the secondary FortiGate 7121F in an HA cluster when each FortiGate 7121F has up to 440 interfaces.

874339

Resolved an configuration system looping issue that could cause excessive CPU usage.

874355

Resolved an issue that under some network conditions, could result in lost HA heartbeats , causing an HA failover for an FortiGate-6000 or 7000 FGCP HA cluster.
874491 Resolved an issue that prevented the execute load-balance slot command from allowing access to some of the FPMs in a FortiGate-7060E.

879293

Administrators with read only access can now use the diagnose sniffer packet command.
882040 725821

Support for multihop BFD (MBFD) was added to FortiOS 7.0.6 (see BFD for multihop path for BGP) and is supported by FortiGate-6000 and 7000 for FortiOS 7.0.10.

The following flow rule has been added to the FortiOS 7.0.10 default flow rules for traffic that cannot be load balanced to send all multihop control traffic to the primary FPC or FPM. This flow rule should be enabled if you configure multihop BFD support on your FortiGate-6000 or 7000.

config load-balance flow-rule

edit 22

set status disable

set vlan 0

set ether-type ip

set protocol udp

set src-l4port 0-0

set dst-l4port 4784-4784

set action forward

set forward-slot master

set priority 5

set comment "Flow Rule for Multihop BFD"

end
Previous
Next