Known issues

The following issues have been identified in version 7.0.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Application Control

Bug ID

Description

752569

Per IP shaper under application list does not work as expected for some applications.

Endpoint Control

Bug ID

Description

708545

The WAD daemon is triggered to fetch the FortiClient information based on a ZTNA EMS tag enabled for checking in a proxy policy. It is then possible to get a ZTNA EMS tag in the firewall dynamic address and get the expected traffic control.

730767

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page, when VDOM mode is enabled, the Global view shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

713529

When FortiAnalyzer is configured, the HTTPS daemon may crash while processing some FortiAnalyzer log requests. There is no apparent impact on the GUI operation.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

738027

The Device Inventory widget shows no results when there are two user_info parameters.

Workaround: use the CLI to retrieve the device list.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message "This option may not function correctly. It is already configured using the CLI attribute: tftp-server." appears beside the DHCP Options entry.

Workaround: use the CLI.

748010

When creating or editing a ZTNA rule from the GUI, users cannot select the any option interface for Incoming Interface. Users can still configure this option in the CLI.

755177

When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

756420

On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up.

Workaround: check the status in the CLI using diagnose fdsm central-mgmt-status.

HA

Bug ID

Description

701367

In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.

IPsec VPN

Bug ID

Description

740624

FortiOS 7.0 has a new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server relies on the static route over the dynamic tunnel interface to route the traffic back to the client.

Workaround: configure the src-subnet on the client phase 2 interface. Then, static routes will be added by IKE on the server side (add-route enable is required).

config vpn ipsec phase2-interface
    edit <name>
        set src-subnet <x.x.x.x/x>
    next
end

767945

In a setup with an IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).

Proxy

Bug ID

Description

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

753056

Recommendation information for the Failed Login Attempts security rating rule should display "Lockout duration should be at least 30 minutes", instead of 1800 minutes.

753358

Unable to trigger automation trigger with FortiDeceptor Fabric event.

755187

The security rating test for Unused Policies is incorrectly evaluated as Pass when there are unused policies with the accept action.

SSL VPN

Bug ID

Description

753515

DTLS does not work for SSL VPN and switches to TLS.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

System

Bug ID

Description

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

681322

TCP 8008 is permitted by authd, even though the service in the policy does not include that port.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

VM

Bug ID

Description

691337

When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.

WAN Optimization

Bug ID

Description

728861

HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used.

Workaround: set wanopt to automatic mode, or set transparent disable in the wanopt profile.

754378

When an AV profile is enabled in a WANOpt proxy policy on a server side FortiGate, EICAR sent over HTTPS will not get blocked.
