Fortinet black logo

Known issues

Known issues

The following issues have been identified in version 7.0.10. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Endpoint Control

Bug ID

Description

730767

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

Explicit Proxy

Bug ID

Description

817582

When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

Firewall

Bug ID

Description

843554

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

897849

Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label.

Workaround: drag and drop the policy to the correct sequence group in the GUI, or remove the global-label for each member policy in the group except for the leading policy. For example, in the configuration, policy 2 will be automatically grouped under group1 without the need of adding the same global-label.

  • Policy 1 (global-label "group")
  • Policy 2
  • Policy 3 (global-label "group2")
  • Policy 4

860480

FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.

861990

Increased CPU usage in softIRQ after upgrading from 7.0.5 to 7.0.6.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

755177

When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

810225

An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.

853352

On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.

HA

Bug ID

Description

810286

FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect.

818432

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

Hyperscale

Bug ID

Description

795853

VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM.

807476

After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled.

811109

FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG.

836976

Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log-processor setting from hardware to host for the hardware log sever added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.

838654

Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic.

839958

service-negate does not work as expected in a hyperscale deny policy.

842659

srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS.

843197

Output of diagnose sys npu-session list/list-full does not mention policy route information.

843266

Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM.

843305

Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when system boots up.

844421

The diagnose firewall ippool list command does not show the correct output for overload type IP pools.

846520

NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover.

877696

Get KTRIE invalid node related error and kernel panic on standby after adding a second device into A-P mode HA cluster.

IPsec VPN

Bug ID

Description

761754

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

810833

IPsec static router gateway IP is set to the gateway of the tunnel interface when it is not specified.

822651

NP dropping packet in the incoming direction for SoC4 models.

Log & Report

Bug ID

Description

850642

Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

Proxy

Bug ID

Description

727629

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

Routing

Bug ID

Description

846107

IPv6 VRRP backup is sending RA, which causes routing issues.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

794703

Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.

825291

Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud.

SSL VPN

Bug ID

Description

819754

Multiple DNS suffixes cannot be set for the SSL VPN portal.

852566

User peer feature for one group to match to multiple user peers in the authentication rules is broken.

System

Bug ID

Description

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

799570

High memory usage occurs on FG-200F.

812957

When setting the speed of 1G SFP ports on FG-180xF platforms to 1000full, the interface does not come up after rebooting.

847314

NP7 platforms may encounter random kernel crash after reboot or factory reset.

847664

Console may display mce: [Hardware Error] error message after fresh image burn or reboot.

850683

Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.

850688

FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.

882187

Optimize memory usage caused by the high volume of disk traffic logs.

883071

Kernel panic occurs due to null pointer dereference.

884023

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

901721

In a certain edge case, traffic directed towards a VLAN interface could trigger a kernel panic.

Upgrade

Bug ID

Description

854550

After upgrading to 7.0.8, replacemsg utm parameters are not taken over and revert to the default. Affected replacement messages under config system replacemsg utm: virus-html, virus-text, dlp-html, dlp-text, and appblk-html.

User & Authentication

Bug ID

Description

765184

RADIUS authentication failover between two servers for high availability does not work as expected.

853793

FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

VM

Bug ID

Description

764392

Incorrect VMDK file size in the OVF file for hw13 and hw15.

Workaround: manually correct the hw13 and hw15 OVF file's ovf:size value.

Web Filter

Bug ID

Description

766126

Block replacement page is not pushed automatically to replace the video content when using a video filter.

ZTNA

Bug ID

Description

848222

ZTNA TCP forwarding is not working when a real server is configured with an FQDN address type.

An FQDN address type that can resolve public IPs is not recommended for ZTNA TCP forwarding on real servers because the defined internal DNS database zone is trying to override it at the same time. By doing so, the internal private address may not take effect after rebooting, and causes a ZTNA TCP forwarding failure due to the real server not being found.

Known issues

The following issues have been identified in version 7.0.10. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Endpoint Control

Bug ID

Description

730767

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

Explicit Proxy

Bug ID

Description

817582

When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

Firewall

Bug ID

Description

843554

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

897849

Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label.

Workaround: drag and drop the policy to the correct sequence group in the GUI, or remove the global-label for each member policy in the group except for the leading policy. For example, in the configuration, policy 2 will be automatically grouped under group1 without the need of adding the same global-label.

  • Policy 1 (global-label "group")
  • Policy 2
  • Policy 3 (global-label "group2")
  • Policy 4

860480

FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.

861990

Increased CPU usage in softIRQ after upgrading from 7.0.5 to 7.0.6.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

755177

When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

810225

An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.

853352

On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.

HA

Bug ID

Description

810286

FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect.

818432

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

Hyperscale

Bug ID

Description

795853

VDOM ID and IP addresses in the IPL table are incorrect after disabling EIF/EIM.

807476

After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled.

811109

FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG.

836976

Sessions being processed by hyperscale firewall policies with hardware logging may be dropped when dynamically changing the log-processor setting from hardware to host for the hardware log sever added to the hyperscale firewall policy. To avoid dropping sessions, change the log-processor setting during quiet periods.

838654

Hit count not ticking for implicit deny policy for hardware session in case of NAT46 and NAT64 traffic.

839958

service-negate does not work as expected in a hyperscale deny policy.

842659

srcaddr-negate and dstaddr-negate are not working properly for IPv6 traffic with FTS.

843197

Output of diagnose sys npu-session list/list-full does not mention policy route information.

843266

Diagnose command should be available to show hit_count/last_used for policy route and NPU session on hyperscale VDOM.

843305

Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when system boots up.

844421

The diagnose firewall ippool list command does not show the correct output for overload type IP pools.

846520

NPD/LPMD process killed by out of memory killer after running mixed sessions and HA failover.

877696

Get KTRIE invalid node related error and kernel panic on standby after adding a second device into A-P mode HA cluster.

IPsec VPN

Bug ID

Description

761754

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

810833

IPsec static router gateway IP is set to the gateway of the tunnel interface when it is not specified.

822651

NP dropping packet in the incoming direction for SoC4 models.

Log & Report

Bug ID

Description

850642

Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

Proxy

Bug ID

Description

727629

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

Routing

Bug ID

Description

846107

IPv6 VRRP backup is sending RA, which causes routing issues.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

794703

Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.

825291

Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud.

SSL VPN

Bug ID

Description

819754

Multiple DNS suffixes cannot be set for the SSL VPN portal.

852566

User peer feature for one group to match to multiple user peers in the authentication rules is broken.

System

Bug ID

Description

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

Workaround: set the auto-asic-offload option to disable in the firewall policy.

799570

High memory usage occurs on FG-200F.

812957

When setting the speed of 1G SFP ports on FG-180xF platforms to 1000full, the interface does not come up after rebooting.

847314

NP7 platforms may encounter random kernel crash after reboot or factory reset.

847664

Console may display mce: [Hardware Error] error message after fresh image burn or reboot.

850683

Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.

850688

FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.

882187

Optimize memory usage caused by the high volume of disk traffic logs.

883071

Kernel panic occurs due to null pointer dereference.

884023

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

901721

In a certain edge case, traffic directed towards a VLAN interface could trigger a kernel panic.

Upgrade

Bug ID

Description

854550

After upgrading to 7.0.8, replacemsg utm parameters are not taken over and revert to the default. Affected replacement messages under config system replacemsg utm: virus-html, virus-text, dlp-html, dlp-text, and appblk-html.

User & Authentication

Bug ID

Description

765184

RADIUS authentication failover between two servers for high availability does not work as expected.

853793

FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

VM

Bug ID

Description

764392

Incorrect VMDK file size in the OVF file for hw13 and hw15.

Workaround: manually correct the hw13 and hw15 OVF file's ovf:size value.

Web Filter

Bug ID

Description

766126

Block replacement page is not pushed automatically to replace the video content when using a video filter.

ZTNA

Bug ID

Description

848222

ZTNA TCP forwarding is not working when a real server is configured with an FQDN address type.

An FQDN address type that can resolve public IPs is not recommended for ZTNA TCP forwarding on real servers because the defined internal DNS database zone is trying to override it at the same time. By doing so, the internal private address may not take effect after rebooting, and causes a ZTNA TCP forwarding failure due to the real server not being found.