Fortinet black logo

FortiOS Release Notes

Home FortiGate / FortiOS 7.0.2 FortiOS Release Notes
7.0.2
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.13
5.4.12
5.4.11
5.4.10
5.4.9
5.4.8
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.15
5.2.14
5.2.13
5.2.12
5.2.11
5.2.10
5.2.9
5.2.8
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.14
5.0.13
5.0.12
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2

Known issues

Known issues

The following issues have been identified in version 7.0.2. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Application Control

Bug ID

Description

752569

Per IP shaper under application list does not work as expected for some applications.

Endpoint Control

Bug ID

Description

730767

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

738027

The Device Inventory widget shows no results when there are two user_info parameters.

Workaround: use the CLI to retrieve the device list.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

Workaround: use the CLI.

755177

When upgrade firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

756420

On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up.

Workaround: check the status in the CLI using diagnose fdsm central-mgmt-status.

HA

Bug ID

Description

701367

In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.

IPsec VPN

Bug ID

Description

740624

FortiOS 7.0 has new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse over the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server replies on the static route over the dynamic tunnel interface to route the traffic back to the client.

Workaround: configure the src-subnet on the client phase 2 interface. Then, static routes will be added by IKE on the server side (add-route enable is required).

config vpn ipsec phase2-interface
    edit <name>
        set src-subnet <x.x.x.x/x>
    next
end

761754

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

767945

In a setup with IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).

Proxy

Bug ID

Description

727629

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

766158

Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category.

Routing

Bug ID

Description

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

753056

Recommendation information for Failed Login Attempts security rating rule should display Lockout duration should be at least 30 minutes, instead of 1800 minutes.

753358

Unable to trigger automation trigger with FortiDeceptor Fabric event.

755187

The security rating test for Unused Policies is incorrectly evaluated as Pass when there are unused policies with the accept action.

SSL VPN

Bug ID

Description

753515

DTLS does not work for SSL VPN and switches to TLS.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

System

Bug ID

Description

644782

A large number of detected devices causes httpsd to consume resources, and causes entry-level devices to enter conserve mode.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

708228

A DNS proxy crash occurs during ssl_ctx_free.

751715

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

756713

Packet loss on the LAG interface (eight ports) using SFP+/SFP28 ports in both static and active mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

758490

The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.

763185

High CPU usage on platforms with low free memory upon IPS engine initialization.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

User & Authentication

Bug ID

Description

750551

DST_Root_CA_X3 certificate is expired.

Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information.

754725

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

VM

Bug ID

Description

691337

When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.

WAN Optimization

Bug ID

Description

754378

When an AV profile is enabled in a WANOpt proxy policy on a server side FortiGate, EICAR sent over HTTPS will not get blocked.

Web Filter

Bug ID

Description

766126

Block replacement page is not pushed automatically to replace the video content when using a video filter.
Previous
Next

Known issues

The following issues have been identified in version 7.0.2. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Application Control

Bug ID

Description

752569

Per IP shaper under application list does not work as expected for some applications.

Endpoint Control

Bug ID

Description

730767

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

Workaround: edit the login template to disable HTTP authentication or remove the href link to googleapis.

738027

The Device Inventory widget shows no results when there are two user_info parameters.

Workaround: use the CLI to retrieve the device list.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

Workaround: use the CLI.

755177

When upgrade firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

756420

On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up.

Workaround: check the status in the CLI using diagnose fdsm central-mgmt-status.

HA

Bug ID

Description

701367

In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.

IPsec VPN

Bug ID

Description

740624

FortiOS 7.0 has new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse over the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server replies on the static route over the dynamic tunnel interface to route the traffic back to the client.

Workaround: configure the src-subnet on the client phase 2 interface. Then, static routes will be added by IKE on the server side (add-route enable is required).

config vpn ipsec phase2-interface
    edit <name>
        set src-subnet <x.x.x.x/x>
    next
end

761754

IPsec aggregate static route is not marked inactive if the IPsec aggregate is down.

767945

In a setup with IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).

Proxy

Bug ID

Description

727629

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

766158

Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category.

Routing

Bug ID

Description

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

753056

Recommendation information for Failed Login Attempts security rating rule should display Lockout duration should be at least 30 minutes, instead of 1800 minutes.

753358

Unable to trigger automation trigger with FortiDeceptor Fabric event.

755187

The security rating test for Unused Policies is incorrectly evaluated as Pass when there are unused policies with the accept action.

SSL VPN

Bug ID

Description

753515

DTLS does not work for SSL VPN and switches to TLS.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

System

Bug ID

Description

644782

A large number of detected devices causes httpsd to consume resources, and causes entry-level devices to enter conserve mode.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

708228

A DNS proxy crash occurs during ssl_ctx_free.

751715

Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

756713

Packet loss on the LAG interface (eight ports) using SFP+/SFP28 ports in both static and active mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

758490

The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.

763185

High CPU usage on platforms with low free memory upon IPS engine initialization.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

User & Authentication

Bug ID

Description

750551

DST_Root_CA_X3 certificate is expired.

Workaround: see the Fortinet PSIRT blog, https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates, for more information.

754725

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

VM

Bug ID

Description

691337

When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.

WAN Optimization

Bug ID

Description

754378

When an AV profile is enabled in a WANOpt proxy policy on a server side FortiGate, EICAR sent over HTTPS will not get blocked.

Web Filter

Bug ID

Description

766126

Block replacement page is not pushed automatically to replace the video content when using a video filter.
Previous
Next