When UTM status is enabled and the AV profile has no configuration, all SLL traffic is dropped and there is no WAD output.

FortiOS should support EMS 7.2.1 auth API status code changes.

When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have established. Traffic is not impacted.

Denied explicit proxy keeps using the Fortinet_CA_SSL default certificate, even if the configured certificate is different.

Wrong source IP address used for packets through explicit proxy routed to a member of SD-WAN interface.

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Load Balance Monitor detects a server in standby mode as being down.

NPD failed to parse zone in the source interface of a DoS/ACL policy and failed to offload.

After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side.

Traffic drops between two back-to-back EMAC VLAN interfaces.

Egress interface cannot be intermittently matched for Wake-on-LAN (broadcast) packets.

Traffic issues occur with virtual servers after upgrading.

Implicit deny policy is allowing "icmp/0/0" traffic.

Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.

Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label.

Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector.

UDP fragments dropped due to DF being set. Only the set honor-df global option.

New sessions are created and evaluated after a certain number of UDP packets, even if set block-session-timer 300 is set.

In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details.

Unable to authorize a newly discovered FortiAP from the WiFi Controller > Managed FortiAPs page.

When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.

Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered.

GUI policy table cannot display sequence grouping section titles correctly if they are duplicated in the global label.

Disabling gui-wireless-controller on the root VDOM impacts other VDOMs (unable to add or show WiFi widgets on first load).

HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration.

Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports.

After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces.

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

After an HA split-brain event, the PPPoE interfaces are not recovered.

On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as Current HA mode in the CLI.

FortiGate is going to out-of-sync after changing parameters of VDOM link interfaces.

Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2.

Cannot access out-of-band IPv6 address on HA secondary unit.

When NP7 platforms enable the GTP enhanced mode it does not use uninterruptible upgrade.

Lost management connectivity to the standby node via in-band management.

FortiGate sent ARP request with loopback IP address as the source address.

FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev.

When adding a new interface, some other interfaces have the wrong virtual MAC address.

The System > HA page is missing from the GUI on 5K models.

HA events not synchronizing between members, leading to unexpected HA status.

When configuring an HA management interface, the GUI does not allow the same interface to be used for multiple management interfaces.

Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection.

The IPv6 neighbor cache configuration is missing after executing a reboot or flush command.

With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic.

First-time HA failover after upgrading causes long service interruption to NAT44.

Failover on clustered web application using keepalived daemon does not work seamlessly.

IPv6 with hardware offloading and IPS drops traffic (msg="anti-replay check fails, drop).

Unexpected behavior in IPS engine when executing diagnose test application ipsmonitor 44.

[?Q?ci_" sekret=] causes the parser to create a new field, "sekret=".

Source MAC changes and the packet drops due to both sides of the session using the same source MAC address.

HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair.

Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table.

Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table.

FortiGate does not accept secondary tunnel IP address in the same subnet as the primary tunnel.

ASCII-encoded byte code of remote gateway IP is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv1 or v2 if the peer-id is not configured.

Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted.

Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped.

In an L2TP configuration, set enforce-ipsec enable is not working as expected after upgrading.

IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading to 7.0.11.

Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop.

Traffic through a shortcut got dropped after an HA failover.

IPsec VPN connection should allow % in FortiClient Connect REG_PASSWD field.

EAP in IKEv2 dialup IPsec connection does not work with two firewall polices, each using both the IKEv2 interface and user group.

Policy route is not matching ESP traffic.

The forward traffic log show exabytes of data being sent and received from external to external IP addresses in multiple VDOMs.

When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

FortiAnalyzer override settings are not taking effect when ha-direct is enabled.

The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted.

IPS alert email not being sent when IPS attack event has triggered.

Traffic log can show exabytes of data sent and received when generating log task is triggered from userspace.

An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled.

Unexpected behavior in WAD when multiple DHCP servers are configured.

CPU usage issue in proxyd caused by the absence of TCP teardown.

Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices.

Unexpected behavior in WAD due to the activation of firewall protocol options, with both client and server comfort features enabled.

Memory usage issue caused by the WAD user info process while authenticating the LDAP users.

Updating the HA monitor interface using the REST API PUT request fails and returns a -37 error.

Unexpected behavior in forticron process when restoring a VDOM configuration.

link-down-failover does not bring the BGP peering down.

The SD-WAN service with load-balance mode is disabled, even though there is still a member alive in the service rule.

Using set load-balance-mode weight-based in SD-WAN implicit rule does not take effect occasionally.

Static route through an IPsec interface is not removed after the BFD neighbor goes down.

OSPF summary address for route redistribution from static route via IPsec VPN always persists.

SD-WAN SLA log information has incorrect inbound and outbound bandwidth values.

config redistribute routing subsections cannot be configured when in workspace mode.

Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated.

Static routes are installed on hub FortiGate with add-route disabled in ADVPN scenario.

When there are a lot of policies (several thousands), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load.

Sessions with csf_syncd_log flag in a Security Fabric are not logged.

Allow comments and IP addresses to be on the same line for external IP address threat feeds.

Send Fabric API calls with pagination filter.

Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric.

Non-management VDOM is not allowed to set a source-ip for config system external-resource.

Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.

Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode.

FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode.

SSL VPN web mode does not load when connecting to customer's internal site.

FortiGate misses the closing parenthesis when running the function to rewrite the URL.

Webpage opened in SSL VPN web portal is not displayed correctly.

Found bad login for SSL VPN web-based access when enabling URL obscuration.

Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel.

Web mode bookmark showing blank page due to JS rewrite.

Some buttons in URL are not working in SSL VPN web mode.

SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request.

When a user needs to enter credentials through a pop-up window, the key events for modification key detected by SDL were ignored.

FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.

Internal website keeps asking for credential with SSL VPN web mode.

The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay.

DHCP option 12 hostname needed for SSL VPN with external DHCP servers.

SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out.

FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices.

SSL VPN connected/disconnected endpoint event log can be in the wrong sequence.

FortiLink VLAN interface should be renamed from default to _default after upgrading to 7.0.10.

One discovery one transmit buffer was allocated and was not released on connection terminations.

Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups.

Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.

FortiGate loses QoS ip-dscp-map configuration after reboot.

CPU usage issue is observed caused by reloading the system when the system has cfg-save set to revert.

Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E.

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.

Polling fgfwpolid returns disabled policies.

A disabled EMAC VLAN interface is replying to a ping.

The cmdbsvr process may crash when there are many addresses and address groups that include each other recursively.

FortiGate 200F interfaces stop passing traffic after some time.

False alarm of the PSU2 occurs with only one installed.

SNMP poll for fgExplicitProxyRequests returns 0.

FortiGate 40F-3G4G WWAN connection unstable on Verizon Carrier.

CPU usage issue caused by the new Linux kernel.

The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE.

If the original packet was forwarded with NAT, generated ICMP error is routed back to SNAT'ed address.

CPSS usage goes to 99% and causes initiation issues when traffic is flowing upon boot. Affected platforms: FG-40xF, FG-60xF, FG-300xF.

ssh-rsa should be disabled under the SSH server_host_key_algorithm.

No output of execute sensor list is displayed after rebooting.

If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is grayed out.

Sensor showing temperature of 0.00 Celsius.

Auto-script causes FortiGate to repeat commands.

Daylight saving time is not applied for Cairo time zone.

Interface release from cmdb and iprope keep updating when DHCP client renewal fails.

Incorrect temperature calculation appears in sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE.

FSTR session ticket zero causes a memory leak.

SNMP OID, fgFwPolLastUsed (1.3.6.1.4.1.12356.101.5.1.2.1.1.4), does not show the correct information about the last time a specific policy was used.

After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

Port speed 1000auto could not link up with a Cisco switch.

The FortiGate may display a false alarm message and subsequently initiate a reboot.

On FortiGate, the WWAN connection is not always stable due to a source IP issue with the VZW.

dnsproxy process aborts due to stack buffer overflow being detected upon function return.

Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low.

Last reboot reason: power cycle after rebooting due to a kernel panic is misleading.

When a non-zero DSCP copied from ingress to egress packet for NAT64, the IP checksum is calculated incorrectly.

All members are up on an FG-600F, but the LACP status is showing as down after upgrading.

Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager.

CPU usage issue observed in dnsproxyd caused by unused wildcard FQDN.

CPU usage issue observed in hasync daemon when session count is large.

FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC.

System goes into halt state with Error: Package validation failed... message in cases where there are no engine files in the FortiGate when the BIOS security level is set to 2.

IPv6 local-in ping6 to management interface failed when newly configured.

Memory usage issue caused by repetitive log messages. Affected platforms: FG-100xF.

After a manual system administrator password change, the updated password-expire is not received by the FortiManager auto-update.

On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot.

Review the temperature sensor for the SoC4 system.

An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively.

LTE modem is missing after upgrading.

When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records.

Multiple spawns of hotplug process consuming high CPU resources.

Memory usage issue caused by excessive log files.

Unexpected behavior occurred in the kernel when creating EMAC VLAN interfaces based on an aggregate interface with the new kernel 4.1.9.

Enabling vdom-dns causes the VDOM DNS certificate to be blank instead of the default value.

DNAT does not work on software switch in explicit mode.

FortiGate is not able to resolve ARPs of few hosts due to their ARP replies not reaching the primary FPM.

Enabling NP7 offloading is causing packet drops when using a shaping profile.

An error condition occurred post-upgrade due to an invalid filter log ID.

All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy.

The FortiGate will not send a MAC-based authentication RADIUS authentication request for one of the devices on the network.

When a user's membership in AD or port range is changed, all of the user sessions are cleared.

SSL VPN and firewall authentication SAML does not work when the application requires SHA-256.

Dynamic address only has 100 IP addresses while FSSO group lists all 56K ACI endpoints.

FortiGate receives FSSO user in the format of HOSTNAME$.

Adding a new group membership to an FSSO user terminates all the user's open sessions.

FortiGate is sending Class(25) AVP with wrong length in RADIUS accounting when using 2FA with PUSH or external tokens.

An error condition occurs during the processing of the UDP packets when device identification is activated on an interface.

AWS external account list supports regional endpoints.

In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors.

Restore operation overwrite passive configuration in AZURE A-P deployment based on SDN connector.

Event log alert Write Permission Violation to read-only file on VMware after taking snapshot.

In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not.

Web filter is not logging all URLs properly.

FortiGuard block page image (logo) is missing when the Fortinet-Other ISDB is used.

An error condition occurs in WAD caused by the mismatch between the SNI host and CNAME.

The strict option for sni-server-cert-check is behaving the same as if it is set to enable, and logs are not generated upon SNI mismatch with the CN or SAN.

When accessing the managed FortiAP/Switch view with a large number of devices in the topology, the page takes a long time to load.

Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

Workaround: use the CLI to update the profile to dual-5G mode.

In auth-logon and auth-logout logs, Wi-Fi users with random public IP addresses are observed.

An error condition occurred for the EAP proxy while sending the RADIUS Access-Request.

Unable to match first group attribute from SAML assertion for ZTNA rule.

After client device information is updated, the session is closed even though all information from the session still matches the policy.

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-41677

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-28002

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-28001

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-37935

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-36641

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-45583

FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference:

• CVE-2023-45586