Fortinet Document Library


Resolved issues

The following issues have been fixed in version 7.0.2. For inquiries about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID  Description
743693  Anti spam engine crashes when extracting a malformed IP address from Received: headers.

Anti Virus

Bug ID  Description
665173  Crash logs are sometimes truncated/incomplete.
702646  Re-enable JavaScript heuristic detection and fix detection blocking content despite low rating.
724588  Flow AV quarantines a source IP when an AV scan error occurs.

Application Control

Bug ID  Description
701926  Stress test with application control only results in packet drops.

Data Leak Prevention

Bug ID  Description
745369  PDF corruption over HTTP by DLP.

DNS Filter

Bug ID  Description
722510  Rating requests to the anycast SDNS server do not work as expected in SD-WAN.
724657  Anycast SDNS server IP is not added to non-index 0 DNS proxy workers.

Explicit Proxy

Bug ID  Description
674996  WAD encounters segmentation crash at wad_ssl_arm_close; crash occurred on explicit web proxy.
720363  When the client in web proxy mode uses the same session to send the HTTP requests with different host names, the HTTP host load balancing method does not take effect.
721039  Short disconnections of streaming applications (Teams and Whereby) through explicit proxy.
733863  Get 504 gateway timeout error when trying to access proxy.pac from remote users using dialup IPsec VPN.

Firewall

Bug ID  Description
644225  Challenge ACK is being dropped.
726040  If a SYN has a different ISN in the SYN_SEND/SYN_RECV state, the FortiGate will let the SYN pass without updating the TCP sequence number, but drops the reply SYN/ACK because it fails the sequence number check.
727809  Disabled deny firewall policy with virtual server objects is unable to be enabled after firewall reboot.
729245  HTTP/1.0 health check should process the whole response when http-match is set.
730803  Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.
735031  IPv6 policy is only allowing the first MAC address from the source list.
736452  Unable to configure more than five health checks within virtual servers because of limitation of firewall.vip:monitor.
738584  Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy.
741122  If a DCE/RPC packet has more than six string binding addresses, the expectation for the rest of the addresses will not be created, and the traffic will be denied.
743800  SNAT hairpin traffic NATs to the incorrect IP address when central NAT is enabled without a central NAT rule.
745853  FortiGate stops sending logs to Netflow traffic because the Netflow session cleanup routine runs for too long when there are many long-lived sessions in the cache.
748226  In diagnose netlink interface list wan1, the total bytes for the inbandwidth shaper is always 0.

FortiView

Bug ID  Description
741792  Update FortiAnalyzer license REST API to use the FortiAnalyzer's licenses when in analyzer-collector mode.

GUI

Bug ID  Description
608770  When there is no IP/IPv6 address setting for Zone, the GUI incorrectly displays 0.0.0.0/0.0.0.0 for IP/Netmask and ::/0 for IPv6 Address.
631201  When editing an SSL/SSH inspection profile, the Show in Address List toggle in Edit Wildcard FQDN Address does not work when creating a new wildcard FQDN address.
653952  The web page cannot be found is displayed when a dashboard ID no longer exists.
677611  On the Network > SD-WAN > SD-WAN Rules tab, an SD-WAN member with link status down is displayed as selected.
681643  On the Network > Packet Capture page, the interface dropdown incorrectly lists interfaces that belong to a virtual wire pair.
686500  Unable to specify a custom hostname during FortiGate setup.
689661  On the Policy & Objects > Firewall Policy page, policies that have enabled internet-service-src-custom and/or have specified an internet-service-src-custom-group are not listed in the policy list.
699508  When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.
714304  Special characters <, >, (, ), #, ', and " are allowed in the name when set from the CLI. When set from the GUI they are flagged as invalid.
714716  IPsec Monitor shows the same usernames and IPsec tunnel names for different users when the peer ID is configured on the FortiGate and/or FortiClient.
716571  FortiSwitch topology view is missing the inter-chassis link (ICL) between FortiSwitches in the same tier of a topology containing two adjacent MC-LAG peer groups with at least two connections between the groups.
720613  The event log sometimes contains duplicated lines when downloaded from the GUI.
720657  Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.
721710  Data fails to load when the Security Fabric is enabled for a downstream FortiGate that has an upstream PPPoE interface to connect to the root.
722133  On the Policy & Objects > Central SNAT page, one-to-one IP pools do not appear in the NAT policy.
722450  The rating rule Disable Username Sensitivity Check incorrectly fails for remote LDAP users with two-factor authentication disabled.
722669  On the Network > Interfaces page, the DHCP range is incorrectly displayed when DHCP Server (status) is disabled.
722832  When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.
723988  On the WiFi & Switch Controller > FortiSwitch Ports page, the PoE option is grayed out so it cannot be configured. The CLI must be used.
727035  Unable to change FortiSwitch port status when native VLAN is empty.
727644  When the first row of a sequence group in a policy table is deleted, the sequence group disappears.
728651  When populating the BGP global table from the GUI (Network > BGP), BGPD process memory increases until it exhausts memory and goes into conserve mode.
728742  Unable to reorder Favorites after upgrading to FortiOS 7.0.
729075  Tooltip for FortiView Compromised Host fails with a JavaScript error.
729675  System > Settings page does not load for a FortiGate in carrier mode with an administrator profile that has custom firewall settings.
730069  On the Network > Static Routes page, users are unable to create a static route with Automatic gateway retrieval enabled when a DHCP interface is specified.
730211  Interface widget does not show data when the browser time differs from FortiGate UTC time.
732618  On the Network > Interfaces page, when Dedicated Management Port is enabled on an interface and the Trusted Host 1 IP address is set to 0.0.0.0/0, settings cannot be saved.
733375  On the VPN > SSL-VPN Settings page, after clicking Apply, source-address objects become source-address6 objects if IPv6 is enabled.
733582  The IP/Mac Based Access Control radio button is no longer present in the Firewall Policy dialog from implicit policy projects.
734417  GUI incorrectly displays a warning saying there is not a valid upgrade path when upgrading firmware from 7.0.0 or 7.0.1 to 7.0.1 or 7.0.2.
734773  On the System > HA page, when vCluster is enabled and the management VDOM is not the root VDOM, the GUI incorrectly displays the management VDOM as the primary VDOM.
735114  In FortiView Sources, on a multi-VDOM FortiGate, if there is no cache for IOC (compromised hosts), a request to filter by IOC is sent to all VDOMs on the FortiGate, not just the current VDOM.
739543  On the Network > Interfaces page, unable to create or edit a VLAN switch as the VLAN ID validation incorrectly fails.
743477  On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.
744168  On the Security Profiles > SSL/SSH Inspection page, a new SSL/SSH inspection profile cannot be created when the Inspection method is SSL Certificate Inspection.
744860  On the System > Settings page, when the time zone is set to (GMT-6:00) Central America, the current system time is off by one hour during Daylight Saving Time (DST).
745325  When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.
745998  An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.
746012  When a compromised host event is detected by a FortiGate Cloud instance, it cannot trigger the corresponding automation action.

HA

Bug ID  Description
695067  When there are more than two members in an HA cluster and the HA interface is used as the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.
705237  Remote two-factor authentication is not working for the HA secondary management interface.
709963  When cluster members have different log disk size configurations in the cluster system, failure occurs when users input a size higher than the default value on the primary device.
714788  Uninterruptible upgrade might be broken in large scale environments.
717788  FGSP has a problem at failover when NTurbo or offloading is enabled (IPv4) with virtual wire pair traffic.
721929  In an HA A-P scenario during failover, the new passive WCCP router ends up choosing a change number during the regular WCCP configuration initiation that will not trigger an assignment, which causes the WCCP assignment to be lost.
723130  diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.
725240  HA cluster goes out of sync due to mismatched vpn.certificate.crl checksum.
728670  In FGSP HA mode, the synchronizing mechanism of the VWL daemon causes a synchronization message that goes back and forth infinitely, which causes the CPU and memory usage to keep increasing.
729590  DDNS registration fails on vcluster2 VDOMs.
729607  FTP transfers drop in active-active mode in cases where expectation sessions accumulated in the secondary unit reach the maximum number (128).
734138  HA standby management IP does not reply to ping if the link-failed-signal option is enabled and the monitor interface is down.
738350  In some cases, the hasync process has high memory on the HA secondary device.
744826  API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.
746008  DNS may not resolve on the correct blade in a 6K/7K virtual cluster environment.

Intrusion Prevention

Bug ID  Description
669089  IPS profile dialog in GUI shows misleading All Attributes in the Details field for filter entries with a CVE value.
693800  IPS memory spike on firmware running version: 5.00229.
698725  Custom IPS signature with deprecated options is causing a delay for the unit to boot up.
699775  Fortinet logo is missing on web filter block page in Chrome.
713508  Low download performance occurs when SSL deep inspection is enabled on aggregate and VLAN interfaces when nTurbo is enabled.
746467  IPS engine crashes when IPS injects packets to vNP and vNP/DPDK fails to restart (crashes and sometimes is out of service).

IPsec VPN

Bug ID  Description
668997  Duplicate entry found error shown when assigning multiple dialup IPsec tunnels with the same secondary IP in the GUI.
685668  Modify IKE to check config firewall security-policy for the user or group entry instead of checking config firewall policy if it is in NGFW mode.
707547  RADIUS accounting messages (IKEv2 EAP authentication) do not include the Class attribute (group name).
722564  Missing peer ID in IKEv2 and IKEv1 main mode.
726362  It is possible to add multiple domains, even though that functionality is currently not supported.
726450  Local out dialup IPsec traffic does not match policy-based routes.
729012  The NAT-T keep alive messages are being logged incorrectly, causing the FortiGate to generate a huge number of logs.
729760  The ADVPN forwarder does not currently track the shortcut query that it forwards. Shortcut queries and replies are forwarded or terminated solely based on the route lookup.
729879  Static IPsec tunnel with signature authentication method cannot be established on a FIPS-CC mode FortiGate because the certificate subject verification changes to RDN bitwise comparison based.
730449  SD-WAN service traffic will be interrupted after upgrading to 7.0.1 if all of the following conditions are matched in its 6.4.x configuration:
          • Using set gateway enable in a particular SD-WAN service
          • Having mode-cfg configured
          • Not having ADVPN configured on the hub
735430  TCP SYN-ACKs are silently dropped if the traffic is sourced from a dialup IPsec tunnel and UTM is enabled.
735477  IKEv1 aggressive mode may crash if the initiator received its own message as the first response.
743732  If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.

Log & Report

Bug ID  Description
718140  Logs are missing on FortiGate Cloud from a certain point.
724827  Syslogd is using the wrong source IP when configured with interface-select-method auto.
726690  Forward traffic log from disk is missing for virtual wire pair policy.
726900  No traffic logs are shown after an overnight run.
731154  SSL VPN tunnel down event log (log ID 39948) is missing.
745310  A corner case might lead to queued logs getting stuck in the queue and not being sent.

Proxy

Bug ID  Description
520176  Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that will not respond to the connection within 10 seconds, and if the configuration changes during those 10 seconds.
582464  WAD SSL crash due to wrong cipher options chosen.
604373  When proxy-based deep inspection is enabled, a server requests a certificate from the client over TLS 1.2 and the client returns an ECDSA certificate. In a best case scenario, the handshake will fail. In a worst case scenario, WAD will crash.
663088  Application control in Azure fails to detect and block SSH traffic with proxy inspection.
688792  WAD crashes at wad_http_req_exec_video_filter_check with signal 11.
696012  Video filter cannot block embedded video calling by channel or category.
700073, 714109  YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused the proxy option that restricts YouTube access to stop working.
706786  Multiple SSL connections without policies are being matched with multiple configuration changes for certificate updates, which may trigger a WAD crash.
715280  When the user/interface count reaches the respective maximum, the operation of reducing this count could impact the CPU and cause WAD to crash.
717995  Proxy mode generates untagged traffic in a virtual wire pair.
719681  Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in a WAD memory spike.
724129  WebSocket connection is not successful when IPS and application control are enabled in a proxy inspection policy.
724670  Crash seen in WAD user information daemon when updating user group count upon user log off.
725628  WAD HTTP parser string leak for hostname and scheme with trace-auth-no-rsp enabled.
726270  In deep scan mode when there is no SNI, WAD will use the server certificate CNAME for the URL filter check and ignores the host header.
726999  WAD crash on wad_hash_map_del.
728641  SSL renegotiation fails when Firefox offers TLS 1.3, but the server decides to use TLS 1.2.
729797  CLI should block or warn users if an API gateway with the same service (protocol) and path is declared on the same ZTNA server.
733760  Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.
737438  ZTNA HTTPS access proxy traffic is denied when a regular VIP and access proxy VIP (AP VIP) have the same external IP address.
737737  WAD crashes when firewall FQDN address is null.
738331  Excluded members in the address group are not excluded when the group is added to a proxy policy.
744746  When a policy has both IPS and AV features enabled, WAD has a memory spike when downloading large files.
744756  Web proxy forward server group sometimes cannot recover if the FQDN is not resolved.
744882  When using STARTTLS, proxyd performs deep inspection even when inspect-all is not set to deep-inspection.
748194  Oversize log is not generated for a large EXE file when the uncompressed-oversize-limit option is set to 0.

REST API

Bug ID  Description
731136  The following API has a change in response format, which may break backward compatibility for existing integrations:

        POST /api/v2/monitor/system/config/restore

        New format results: {'config_restored': True}

        Old format results: {'restore_started': True, 'session_id': 'nTuRkV'}

        Note that only the response format is changed. The actual configuration restoration operation still works as before. The integration application should handle this new response format so it can return the correct response message back to the user.
743743  httpsd crashes due to a GET /api/v2/log/.../virus/archive request when the mkey is not provided.
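Bug 731136 above changes only the response schema of the restore endpoint, so an integration that looks for restore_started will misread a 7.0.2 reply as a failure. The following Python helper is an added example (not Fortinet's code and not part of the release notes) that accepts either schema, normalizes it for the caller, and fails loudly on anything it does not recognize rather than treating an unknown payload as success. The sample bodies are constructed from the two formats quoted in the entry (as JSON, so true rather than the Python repr True), and the function and variable names are hypothetical.

```python
import json

# Constructed sample responses for POST /api/v2/monitor/system/config/restore,
# mirroring the two formats quoted in bug 731136 (JSON booleans, not Python repr).
NEW_FORMAT_BODY = '{"config_restored": true}'
OLD_FORMAT_BODY = '{"restore_started": true, "session_id": "nTuRkV"}'


def parse_restore_response(body: str) -> dict:
    """Normalize the restore endpoint's response across the two formats.

    Returns a dict with:
      accepted   - True when the device reported the restore as done
                   (new format) or as started (old format)
      format     - "new" or "old", so callers can log which schema was seen
      session_id - the old-format session id when present, else None

    Raises ValueError for a body that matches neither schema, so an
    integration fails visibly instead of silently reporting success.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"restore response is not JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("restore response is not a JSON object")

    if "config_restored" in payload:
        # New format: a single boolean and no session id.
        return {
            "accepted": bool(payload["config_restored"]),
            "format": "new",
            "session_id": None,
        }
    if "restore_started" in payload:
        # Old format: a boolean plus a session id.
        return {
            "accepted": bool(payload["restore_started"]),
            "format": "old",
            "session_id": payload.get("session_id"),
        }
    raise ValueError(f"unrecognized restore response keys: {sorted(payload)}")


def restore_succeeded(body: str) -> bool:
    """True only when either schema reports that the restore was accepted."""
    return parse_restore_response(body)["accepted"]


if __name__ == "__main__":
    for sample in (NEW_FORMAT_BODY, OLD_FORMAT_BODY):
        print(parse_restore_response(sample))
```

Checking for the presence of a key rather than the FortiOS version keeps the client correct across an upgrade, and the explicit ValueError on unknown keys is what distinguishes "the format changed again" from "the restore was rejected".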

Routing

Bug ID  Description
537354  BFD/BGP dropping when outbandwidth is set on interface.
724541  One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.
724574, 731248  BFD neighborship is lost between hub and spoke. One side shows BFD as down, and the other side does not show the neighbor in the list.
725322  Improve the distance help text to indicate that 255 means unreachable.
729002  PIM/PIM6 does not send out unicast packets with the correct source IP if the interface is not specified.
729621  High CPU on hub BGPD due to the hub FortiGate being unable to maintain BGP connections with more than 1K branches when route-reflector is enabled.
730194  When syncing a large number of service qualities, there is a chance of accessing out-of-boundary memory, which causes the VWL daemon to crash.
730208  Traffic is not going through when the returning interface is changed.
731683  SD-WAN did not check and properly handle cases of address groups with exclusion.
733187  FortiGate to FortiManager connection issue when using a loopback interface with a non-default VRF as the source for central management.
734628  SDNS traffic to the anycast IP servers does not follow the SD-WAN mode set in config system fortiguard.
736705  ZEBOS launcher is unable to start and crashes constantly if aspath has more than 80 characters in the config router route-map > set-aspath setting.
737298  IPv6 fragmentation does not work as expected for VNE tunnel.
737898  OSPFv3 cannot install IPv6 ECMP routes when both ABR next hops are in the same subnet.
738366  VNE tunnel IPv6 reassembly does not work as expected when the IPv4 packet length is more than 1497 bytes.
740377  HTTP probe response sends reset packets when the number of probes increases.
741844  IPsec VPN does not come up due to incorrectly routed IKE packets.
741947  SD-WAN routes are not installed in the kernel or FIB.
742648  Health check over shortcut tunnel is dead after auto-discovery-receiver is disabled/enabled and a VWL crash occurs.
743138  OSPF does not use the correct netmask length after upgrading to 7.0.1 when sending a hello packet on an IPsec interface.
743675  RIPv2 multiple routing entries are not reflected when receiving RIP updates via 802.3ad aggregate interface.
746000  Multicast streams sourced on SSL VPN client are not registered in PIM-SM.

Security Fabric

Bug ID  Description
635183  ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.
670451  ACI SDN connector (connected by aci-direct) shows curl error 7 when updating from second VDOM.
695424  SDN connector for GCP ignores project settings.
717080  csfd shows high memory usage due to the JSON object not being used properly and the reference not being released properly.
724071  Log disk usage from user information history daemon is high and can restrict the use for general logging purposes.
726831  Security rating for Local Log Disk Not Full reporting as failed for FortiGate models without log disks.
731292  Dashboard Security Fabric widget takes a long time to load in the GUI.
731314  Security rating fails and displays Duplicate Firewall Objects message for FTP, FTP_GET, and FTP_PUT service objects.
732268  Dynamic address configured with SDN connector for VMware is collecting fewer IP addresses than expected.
733511  Automation stitch trigger count does not update when target device is a downstream device.
735717  vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.
738344  When CSF root synchronizes a large automation setting (over 16000) to the downstream FortiGate, csfd crashes while trying to process the relay message.
740673  OCI Fabric connector has DNS failure in UK government region.
741346  The variable %%date%% resolves into 1900-01-00 instead of the actual date when the schedule trigger type is used.
742603  Security rating fails due to duplicate address objects, even when no duplicate address objects exist.
742743  Security rating issue with unused deny policies.
745263  AV & IPS DB Update automation trigger is not working when clicking Update Licenses & Definitions Now in the GUI.
746950  When an Azure network interface ID contains upper case letters, the Azure SDN connector may not retrieve that network interface.

SSL VPN

Bug ID  Description
586035  The policy script-src 'self' will block the SSL VPN proxy URL.
640169  When the FortiGate is set as the DUT monitored by another FortiGate, the SSL VPN has a memory leak because it continues to receive HTTP requests and creates an HTTP state and tasks to process the request.
664276  SSL VPN host check validation not working for SAML user.
677031  SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.
706646  SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.
710657  The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set.
711503  SSL VPN web mode access to internal web server http://10.2.1.78 is broken after upgrading to 7.0.0.
711974  SSL VPN bookmarks are not working correctly with multiple SD-WAN zones.
714155  SSL VPN bookmarks are not working correctly with customer internal website, https://it***.nt***.lo***.
716289  Navigation menu of the internal web server, https://lm***.lm***.au***.vw***, is having issues in the SSL VPN web portal.
718133  In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.
718142  The map integrated in the public site is not visible when using SSL VPN web mode.
718165  SSL VPN web mode redirection issue with http://10.3.24.14.
718817  Customer internal website, http://192.168.*.28/mo***/index.php, cannot be shown in SSL VPN web mode due to a proxy error.
722329  After SSL VPN proxy rewrite, some Nuage JS files have problems running.
725986  SSL VPN web mode does not work as expected when accessing http://ot***.de***.sp***.go***.
726338  The wildcard matching method does not always work as expected because the kernel sometimes does not have the address yet.
726624  Jira web application (to***.cs***.tc***.co**) via SSL VPN web mode does not display the website correctly.
727286  Unable to browse directories hosted on Nextcloud server through SSL VPN.
727551  When there are multiple user groups configured in an SSL VPN firewall policy, only the first user group is subjected to authentication verification. As a result, connection requests from other user groups may be terminated unexpectedly. A workaround is to use only one user group per SSL VPN policy.
729426  The wildcard FQDN does not always work reliably in cases where the kernel does not have the address yet.
729700  An internal website (https://cm***.va***.it***/cm***) does not load properly when connecting via SSL VPN web mode.
729889  NexGEN server could not be displayed in SSL VPN web mode.
730416  Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.
731278  Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.
731606  Internal server (sa***.be***.com) is not loading after logging in with SSL VPN web mode.
732943  If the client certificate is only set in a specific authentication rule of the SSL VPN, the peer user may not log in successfully.
736436  Internal website (https://gg****.gl***.com/) shows a blank page in SSL VPN web mode.
736822  Non-US keyboard layout in RDP session with SSL VPN web mode does not work correctly.
737150  Internal website (oh***.com) could not be displayed in SSL VPN web mode.
737154  Slow RDP response when using SSL VPN web mode access.
737341  Some links and buttons are not working properly when accessing them through SSL VPN web mode.
737751  HTML5 page is not fully loading for SSL VPN web mode users.
738711  FortiClient error message is not pertinent when the client does not meet host checking requirements.
738715  Contents of Jira application (in***.ds***.com) in SSL VPN web mode are not displayed correctly.
738723  Video streaming does not work in SSL VPN web mode on https://te***.fortiddns.com:10443.
739711  SSL VPN bookmark button for Jira (sa***.con***.com) malfunctions.
740335  Internal website, https://te***.ko***.com, is not accessible in SSL VPN web mode.
740378  Windows FortiClient 7.0.1 cannot work with FortiOS 7.0.1 over SSL VPN when the tunnel IP is in the same subnet as one of the outgoing interfaces and NAT is not enabled.
741453  Unable to log in to VMware vSphere vCenter 7.0 through SSL VPN web portal.
742332  SSL VPN web portal redirect fails in http://qu***.jj***.bu***.
744494  Memory occupied by the SSL VPN daemon increases significantly while the process is busy.
744899  SSL VPN RDP bookmark is not working when using Chrome 93 32-bit. Firefox 64-bit and Chrome 64-bit are still not supported on Windows 32-bit.
745499  In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.
746938  Unable to authenticate to outlook.com/owa/vw***.com website in SSL VPN web mode.
746990  RADIUS accounting messages after SSL VPN do not include the Class attribute (Group name).
747352  Internal web server page, https://te***.ss***.es:10443, is not loading properly in SSL VPN web mode.
747851  SSL VPN bookmark works on one URI (cu***.co***.cr***) and is not working on different URIs to the same destination server.
749918  Keyboard keys do not work with RDP bookmarks when PT-BR and PT-BR-ABNT2 layouts are chosen.

Switch Controller

Bug ID  Description
723501  When STP is enabled on a hardware switch interface, FortiLink loses its connection to FortiSwitch.

System

Bug ID

Description

488400

FGFM sessions time out when the session between two EMAC VLANs with no VLAN IDs are offloaded.

619839

In FIPS-CC mode, keep getting fcron_set_mgmt_vdom()-122: Invalid mgmt- vfid=-1 message on console.

644616

NP6 does not update session timers for traffic IPsec tunnel if established over one pure EMAC VLAN interface.

645848

FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection.

671824

On FG-40F, get NP6XLITE: failed to read lif accounting message on console.

681791

Install preview does not show all changes performed on the FortiGate.

684563

Uploading a wrong script in the GUI can cause a continuous error.

696852

Failure to synchronize with FortiGate NTP server, even if the FortiGate NTP server is not properly synchronized with its higher tier NTP server.

698003

When creating a new administrator, the administrator profile's reference is visible in other administrator accounts from different VDOMs.

698590

The dhcp6-client-options" is missing on internal interfaces for IPv6.

700664

When the SD-WAN interface select method is configured in system dns, the rules are not applied to AXFR DNS database local out traffic.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

706686

LAG interface between FortiGate and Cisco switch flaps when adding/removing member interface.

710635

GUI should hide the FortiGate Setup dialog if all setup steps are complete.

712156

Remote access management from FortiCloud log in fails if trusted hosts are configured for the administrator account.

713835

The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.

715647

In VWP with set wildcard-vlan enable, for some special cases the SKB headlen is not long enough for handling. It may cause a protective crash when doing skb_pull.

715978

NTurbo does not work with EMAC VLAN interface.

720858

DDNS update interval is abnormal on FG-140E-POE.

721487

FortiGate often enters conserve mode due to high memory usage by httpsd process.

722248

When lag-out-port-select is enabled, FortiCarrier ESP packets drops in NPU link.

722273

SA is freed while its timer is still pending, which leads to a kernel crash.

722547

Fragmented SKB size occurs if the tail room is too small to carry the NTurbo vtag, which causes packets to be dropped.

724065

Power supply 2 DC is lost log only appears when unplugging the power cable from power supply 2.

724446

High CPU for cmdbsvr when editing an address group.

724779

HPE setting of NTurbo host queue is missing and causes IPS traffic to stop when HPE is enabled.

725264

FG-600E copper speed LED does not work.

726634

NTP daemon is not responding when using the manual setting.

727343

Quarantined IP is not synchronized in FortiController mode.

727829

DNS FQDN was not synchronized amongst all the working blade, so each blade might have different IP from the same FQDN. If policy a uses the FQDN as the address, it will cause the IP address of FQDN to not be in the list for the current blade, so the traffic will not match this FQDN policy.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

729636

FTLC1122RDNL transceiver is showing as not certified by Fortinet on FG-3800D.

729939

Multiple processes crashing at the same time causes the device's management functionality to be unavailable when the packet size is smaller than FSAE_HEADER_SIZE(6).

731708

The FG-traffic VDOM is lost after restoring the configuration if split-VDOM mode is set in the configuration file.

731789

Unable to set VDOM ID as filter in CLI for diagnose debug flow.

731821

MAP-E DDNS update request is not sent after booting up the device.

732760

SNMP trap packets are sometimes not sent from the primary ha-direct interface to all SNMP managers after upgrading.

734120

IPv6 Ready Phase 2 test failed on destination options (local link).

734565

Link monitor shows incorrect number of out-of-sequence packets.

734631

SSH UMAC cipher was not configured for umac-128, which causes message authentication code incorrect SSH error.

735492

Many processes are in a "D" state due to unregister_netdevice.

737711

When snmpd updates a very large table (about 100K or more entries), which can take longer than the SNMP client's timeout, the SNMP client gets a timeout error.

738332

Connectivity issue with FortiGuard after upgrading from 7.0.0 to 7.0.1 when ha-direct is enabled.

740649

FortiGate sends CSR configuration without double quote (") to FortiManager.

742416

DNS does not resolve on FIM01, but resolves on other blades.

742471

Parsing FFDB may cause a crash when loading at reboot if the versions of FFDB_APP and FFDB_GEO_ID_FILE are different.

743431

DDNS hostname is not correct when two VDOMs are configured.

743735

Potential DHCP memory leak when lease is mocked from reserved address.

745017

get system checksum status should only display checksums for VDOMs the current user has permissions for.

748628

Modem init-string failed on 7.0.0 and 7.0.1 because it was unable to find the endpoint address.

748987

L2TP tunnel is not working properly for Android; only ping traffic passes.

User & Authentication

Bug ID

Description

556724

LLDP neighbors cannot be seen on virtual switch ports.

691838

Memory leaks and crashes observed during stress long duration performance test when using FortiToken Cloud.

707057

TACACS+ server traffic does not go through the specific interface when configured from the GUI, regardless of the interface set for the TACACS+ server.

709964

Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.

711263

diagnose fortitoken-cloud sync fails when user email address is longer than 35 characters.

713503

When IdP uses optional SAML parameters, the firewall stops processing the login request.

721747

Client certificate authentication fails with Windows Hello for Business certificates.

725056

FSSO local poller fails after recent Microsoft Windows updates (KB5003646, KB5003638, ...).

725327

FSSO user fails to log in with principal user name.

725988

CRLs with the same name in different non-management VDOMs cannot be updated automatically.

732413

Device IP is in the firewall user list, but it has no user name and group name, so the portal page cannot load.

733065

When deauthorizing from the GUI, the notification is sent to fsae rather than fssod, even if the authentication type is FSSO.

739350

RADIUS response is sent even when the rsso-radius-response attribute is set to disable.

739702

There are unknown user logins on the FortiGate and the logs do not have any information for the unknown user.

741403

Unknown user log in to FortiGate does not provide any information for the unknown user.

742047

RADIUS Request Account-Status-Type Interim-Update Message does not have the Class attribute.

744014

LLDP neighbors cannot be seen on virtual switch ports.

VM

Bug ID

Description

582123

EIP does not fail over if the primary FortiGate is rebooted or stopped from the Alibaba Cloud console.

656701

FortiGate VMX Service Manager enters conserve mode (cmdbsvr has high memory utilization).

721439

Problems occur when switching the HA heartbeat between broadcast and unicast, in either direction.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for the ESP protocol (instead of IP/50) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

729811

ASG synchronization is lost between secondary and primary instances if the secondary instance reboots. Affected platforms: all public cloud VMs and KVMs.

732556

AliCloud SDN connector will not fetch information from the secondary ENI, so filtering IP addresses by Vswitch ID and security group might be incorrect.

734148

The vmtoolsd and openvmtools processes are using a high amount of memory.

736067

NSX connector sometimes stops updating addresses.

739376

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

747194

EIP failed to update on Azure FG-VM.

WAN Optimization

Bug ID

Description

735049

The HEAD request fails when webcache is enabled.

Web Filter

Bug ID

Description

677234

Unable to block webpages present in the external list when accessing them through the Google Translate URL.

739349

Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when utm-status is disabled.

744303

Websites are blocked when FortiGuard Category Based Filter is disabled in web filter profile while doing an SSL-exempt check.

747591

Default web filter policy allows many of the potentially liable categories by default instead of blocking them.

WiFi Controller

Bug ID

Description

700356

CAPWAP daemon crashing due to IoT detection.

719217

Interface Bandwidth widget should exclude bridge VAP interface (and mesh VAP interface).

720674

cw_acd is crashing on FG-40F.

733608

FG-5001D unable to display managed FortiAPs after upgrading.

741946

FortiGate is not recognizing attribute 49, Acct-Terminate-Cause Value (6) Admin Reset, from RFC 2866.

748154

802.1X clients are disconnected following FortiGuard update.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

722821

FortiOS 7.0.2 is no longer vulnerable to the following CVE References:

  • CVE-2020-24586

  • CVE-2020-24587

  • CVE-2020-24588

726300

FortiOS 7.0.2 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-36169

Firewall

Bug ID

Description

727809

A disabled deny firewall policy with virtual server objects cannot be enabled after the firewall reboots.

729245

HTTP/1.0 health check should process the whole response when http-match is set.

730803

Applying a traffic shaping profile and outbound bandwidth above 200000 blocks the traffic.

735031

IPv6 policy is only allowing the first MAC address from the source list.

736452

Unable to configure more than five health checks within virtual servers because of limitation of firewall.vip:monitor.

738584

Firewall is using the wrong NAT IP address to send out traffic after removing the VIP and its associated policy.

741122

If a DCE/RPC packet has more than six string binding addresses, the expectation for the rest of the addresses will not be created, and the traffic will be denied.

743800

SNAT hairpin traffic NATs to the incorrect IP address when central NAT is enabled without a central NAT rule.

745853

FortiGate stops sending NetFlow records because the NetFlow session cleanup routine runs for too long when there are many long-lived sessions in the cache.

748226

In diagnose netlink interface list wan1, the total bytes for the inbandwidth shaper is always 0.

FortiView

Bug ID

Description

741792

Update FortiAnalyzer license REST API to use the FortiAnalyzer's licenses when in analyzer-collector mode.

GUI

Bug ID

Description

608770

When there is no IP/IPv6 address setting for Zone, the GUI incorrectly displays 0.0.0.0/0.0.0.0 for IP/Netmask and ::/0 for IPv6 Address.

631201

When editing an SSL/SSH inspection profile, the Show in Address List toggle in Edit Wildcard FQDN Address does not work when creating a new wildcard FQDN address.

653952

A "The web page cannot be found" message is displayed when a dashboard ID no longer exists.

677611

On the Network > SD-WAN > SD-WAN Rules tab, an SD-WAN member with link status down is displayed as selected.

681643

On the Network > Packet Capture page, the interface dropdown incorrectly lists interfaces that belong to a virtual wire pair.

686500

Unable to specify a custom hostname during FortiGate setup.

689661

On the Policy & Objects > Firewall Policy page, policies that have enabled internet-service-src-custom and/or have specified an internet-service-src-custom-group are not listed in the policy list.

699508

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

714304

Special characters <, >, (, ), #, ', and " are allowed in the name when set from the CLI. When set from the GUI they are flagged as invalid.

714716

IPsec Monitor shows the same usernames and IPSec tunnel names for different users when the peer ID is configured on the FortiGate and/or FortiClient.

716571

FortiSwitch topology view is missing the inter-chassis link (ICL) between FortiSwitches in the same tier of a topology containing two adjacent MC-LAG peer groups with at least two connections between the groups.

720613

The event log sometimes contains duplicated lines when downloaded from the GUI.

720657

Unable to reuse link local or multicast IPv6 addresses for multiple interfaces from the GUI.

721710

Data fails to load when the Security Fabric is enabled for a downstream FortiGate that has an upstream PPPoE interface to connect to the root.

722133

On the Policy & Objects > Central SNAT page, one-to-one IP pools do not appear in the NAT policy.

722450

The rating rule Disable Username Sensitivity Check incorrectly fails for remote LDAP users with two-factor authentication disabled.

722669

On the Network > Interfaces page, the DHCP range is incorrectly displayed when DHCP Server (status) is disabled.

722832

When LDAP server settings involve FQDN, LDAPS, and an enabled server identity check, the following LDAP related GUI items do not work: LDAP setting dialog, LDAP credentials test, and LDAP browser.

723988

On the WiFi & Switch Controller > FortiSwitch Ports page, the PoE option is grayed out, so it cannot be configured. The CLI must be used.

727035

Unable to change FortiSwitch port status when native VLAN is empty.

727644

When the first row of sequence group in a policy table is deleted, the sequence group disappears.

728651

When populating the BGP global table from the GUI (Network > BGP), BGPD process memory increases until it exhausts memory and goes into conserve mode.

728742

Unable to reorder Favorites after upgrading to FortiOS 7.0.

729075

Tooltip for FortiView Compromised Host fails with a JavaScript error.

729675

System > Settings page does not load for a FortiGate in carrier mode with an administrator profile that has custom firewall settings.

730069

On the Network > Static Routes page, users are unable to create a static route with Automatic gateway retrieval enabled when a DHCP interface is specified.

730211

Interface widget does not show data when the browser time differs from FortiGate UTC time.

732618

On the Network > Interfaces page, when Dedicated Management Port is enabled on an interface and the Trusted Host 1 IP address is set to 0.0.0.0/0, settings cannot be saved.

733375

On the VPN > SSL-VPN Settings page, after clicking Apply, source-address objects become source-address6 objects if IPv6 is enabled.

733582

The IP/Mac Based Access Control radio button is no longer present in the Firewall Policy dialog from implicit policy projects.

734417

GUI incorrectly displays a warning saying there is not a valid upgrade path when upgrading firmware from 7.0.0 or 7.0.1 to 7.0.1 or 7.0.2.

734773

On the System > HA page, when vCluster is enabled and the management VDOM is not the root VDOM, the GUI incorrectly displays management VDOM as primary VDOM.

735114

In FortiView Sources, on a multi-VDOM FortiGate, if there is no cache for IOC (compromised hosts), a request to filter by IOC is sent to all VDOMs on the FortiGate, not just the current VDOM.

739543

On the Network > Interfaces page, unable to create or edit a VLAN switch as the VLAN ID validation incorrectly fails.

743477

On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

744168

On the Security Profiles > SSL/SSH Inspection page, a new SSL/SSH inspection profile cannot be created when the Inspection method is SSL Certificate Inspection.

744860

On the System > Settings page, when the time zone is set to (GMT-6:00) Central America, the current system time is off by one hour during Daylight Saving Time (DST).

745325

When creating a new (public or private) SDN connector, users are unable to specify an Update interval that contains 60, as it will automatically switch to Use Default.

745998

An IPsec phase 1 interface with a name that contains a / cannot be deleted from the GUI. The CLI must be used.

746012

When a compromised host event is detected by a FortiGate Cloud instance, it cannot trigger the corresponding automation action.

HA

Bug ID

Description

695067

When there are more than two members in a HA cluster and the HA interface is used for the heartbeat interface, some RX packet drops are observed on the HA interface. However, no apparent impact is observed on the cluster operation.

705237

Remote two-factor authentication is not working for HA secondary management interface.

709963

When cluster members have different log disk size configurations, a failure occurs when a user enters a size higher than the default value on the primary device.

714788

Uninterruptible upgrade might be broken in large scale environments.

717788

FGSP has problem at failover when NTurbo or offloading is enabled (IPv4) with virtual wire pair traffic.

721929

In an HA A-P scenario during failover, the new passive WCCP router ends up choosing a change number during the regular WCCP configuration initiation that will not trigger an assignment, which causes the WCCP assignment to be lost.

723130

diagnose sys ha reset-uptime on the secondary devices triggers a failover on a cluster with more than two members.

725240

HA cluster goes out of sync due to mismatched vpn.certificate.crl checksum.

728670

In FGSP HA mode, the synchronizing mechanism of VWL daemon causes a synchronization message that goes back and forth infinitely, which causes the CPU and memory usage to keep increasing.

729590

DDNS registration fails on vcluster2 VDOMs.

729607

FTP transfers drop in active-active mode in cases where expectation sessions accumulated in the secondary unit reach the maximum number (128).

734138

HA standby management IP does not reply to ping if the link-failed-signal option is enabled and when the monitor interface is down.

738350

In some cases, the hasync process has high memory on HA secondary device.

744826

API key (token) on the secondary device is not synchronized to the primary when standalone-config-sync is enabled.

746008

DNS may not resolve on the correct blade in a 6K/7K virtual cluster environment.

Intrusion Prevention

Bug ID

Description

669089

IPS profile dialog in GUI shows misleading All Attributes in the Details field for filter entries with a CVE value.

693800

IPS memory spike on firmware running version: 5.00229.

698725

Custom IPS signature with deprecated options is causing a delay for the unit to boot up.

699775

Fortinet logo is missing on web filter block page in Chrome.

713508

Low download performance occurs when SSL deep Inspection is enabled on aggregate and VLAN interfaces when nTurbo is enabled.

746467

IPS engine crashes when IPS injects packets to vNP and vNP/DPDK fails to restart (crashes and sometimes is out of service).

IPsec VPN

Bug ID

Description

668997

Duplicate entry found error shown when assigning multiple dialup IPsec tunnels with the same secondary IP in the GUI.

685668

Modify IKE to check config firewall security-policy for the user or group entry instead of checking config firewall policy if it is in NGFW mode.

707547

RADIUS accounting messages (IKEv2 EAP authentication) do not include the Class attribute (group name).

722564

Missing peer ID in IKEv2 and IKEv1 main mode.

726362

It is possible to add multiple domains, even though that functionality is currently not supported.

726450

Local out dialup IPsec traffic does not match policy-based routes.

729012

The NAT-T keep alive messages are being logged incorrectly, causing the FortiGate to generate a huge number of logs.

729760

The ADVPN forwarder does not currently track the shortcut query that it forwards. Shortcut queries and replies are forwarded or terminated solely based on the route lookup.

729879

Static IPsec tunnel with signature authentication method cannot be established on FIPS-CC mode FortiGate because the certificate subject verification changes to RDN bitwise comparison based.

730449

SD-WAN service traffic will be interrupted after upgrading to 7.0.1 if all of the following conditions are matched in its 6.4.x configuration:

  • Using set gateway enable in a particular SD-WAN service

  • Having mode-cfg configured

  • Not having ADVPN configured on the hub

735430

TCP SYN-ACKs are silently dropped if the traffic is sourced from a dialup IPsec tunnel and UTM is enabled.

735477

IKEv1 aggressive mode may crash if the initiator received its own message as the first response.

743732

If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.

Log & Report

Bug ID

Description

718140

Logs are missing on FortiGate Cloud from a certain point.

724827

Syslogd is using the wrong source IP when configured with interface-select-method auto.

726690

Forward traffic log from disk is missing for virtual wire pair policy.

726900

No traffic logs are shown after an overnight run.

731154

SSL VPN tunnel down event log (log ID 39948) is missing.

745310

A corner case might lead to queued logs getting stuck in the queue and not being sent.

Proxy

Bug ID

Description

520176

Multiple WAD crashes observed with signal 6. The issue could be reproduced with a slow server that does not respond to the connection within 10 seconds, while the configuration changes during those 10 seconds.

582464

WAD SSL crash due to wrong cipher options chosen.

604373

When proxy-based deep inspection is enabled, a server requests a certificate from the client over TLS 1.2 and the client returns an ECDSA certificate. In a best case scenario, the handshake will fail. In a worst case scenario, WAD will crash.

663088

Application control in Azure fails to detect and block SSH traffic with proxy inspection.

688792

WAD crashes at wad_http_req_exec_video_filter_check with signal 11.

696012

Video filter cannot block embedded video calling by channel or category.

700073, 714109

YouTube server added new URLs (youtubei/v1/player, youtubei/v1/navigator) that caused proxy option to restrict YouTube access to not work.

706786

Multiple SSL connections without policies are being matched with multiple configuration changes for certificate updates, which may trigger a WAD crash.

715280

When the user/interface count reaches the respective maximum, the operation of reducing this count could impact the CPU and cause WAD to crash.

717995

Proxy mode generates untagged traffic in a virtual wire pair.

719681

Flow control failure occurred while transferring large files when stream-scan was running, which sometimes resulted in WAD memory spike.

724129

WebSocket connection is not successful when IPS and application control are enabled in a proxy inspection policy.

724670

Crash seen in WAD user information daemon when updating user group count upon user log off.

725628

WAD HTTP parser string leak for hostname and scheme with trace-auth-no-rsp enabled.

726270

In deep scan mode when there is no SNI, WAD will use the server certificate CNAME for the URL filter check and ignores the host header.

726999

WAD crash on wad_hash_map_del.

728641

SSL renegotiation fails when Firefox offers TLS 1.3, but the server decides to use TLS 1.2.

729797

CLI should block or warn users if an API gateway with the same service (protocol) and path is declared on the same ZTNA server.

733760

Proxy inspection firewall policy with proxy AV blocks POP3 traffic of the Windows 10 built-in Mail app.

737438

ZTNA HTTPS access proxy traffic is denied when a regular VIP and access proxy VIP (AP VIP) have the same external IP address.

737737

WAD crashes when firewall FQDN address is null.

738331

Excluded members in the address group are not excluded when the group is added to a proxy policy.

744746

When a policy has both IPS and AV features enabled, WAD has a memory spike when downloading large files.

744756

Web proxy forward server group sometimes cannot recover if the FQDN is not resolved.

744882

When using STARTTLS, proxyd performs deep inspection even when inspect-all is not set to deep-inspection.

748194

Oversize log is not generated for a large EXE file when the uncompressed-oversize-limit option is set to 0.

REST API

Bug ID

Description

731136

The following API has a change in response format, which may break backward compatibility for existing integration:

POST /api/v2/monitor/system/config/restore

New format results: {'config_restored': True}

Old format results: {'restore_started': True, 'session_id': 'nTuRkV'}

Note that only the response format is changed. The actual configuration restoration operation still works as before. The integration application should handle this new response format so that it returns the correct response message to the user.
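The following is an added example, not code from the FortiOS documentation or from Fortinet: a small Python helper that accepts both the old and the new response body of POST /api/v2/monitor/system/config/restore, so an integration keeps working across the upgrade. It assumes the monitor API wraps its payload in a top-level results object (a bare object is accepted as well); the two sample bodies are constructed from the formats quoted above, and the dataclass and function names are the example's own.

```python
# Added example (not part of the FortiOS release notes): accept both the
# pre-7.0.2 and the 7.0.2 response bodies of
# POST /api/v2/monitor/system/config/restore.
import json
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class RestoreOutcome:
    accepted: bool             # the FortiGate accepted the restore request
    completed: bool            # True only when the 7.0.2 format reports config_restored
    session_id: Optional[str]  # only present in the pre-7.0.2 format
    fmt: str                   # "new" or "old", useful for logging


def _results(payload: Any) -> dict:
    """Return the inner results object.

    Assumption: FortiOS wraps monitor API payloads in a top-level 'results'
    key; a bare object is accepted too so the helper is easy to unit test.
    """
    if not isinstance(payload, dict):
        raise ValueError("restore response is not a JSON object")
    inner = payload.get("results", payload)
    if not isinstance(inner, dict):
        raise ValueError("'results' is not a JSON object")
    return inner


def parse_restore_response(body: str) -> RestoreOutcome:
    """Normalize either response format into a RestoreOutcome.

    Unknown bodies raise ValueError so the caller fails closed instead of
    assuming the restore succeeded.
    """
    results = _results(json.loads(body))
    if "config_restored" in results:  # 7.0.2 and later (bug 731136)
        ok = bool(results["config_restored"])
        return RestoreOutcome(accepted=ok, completed=ok, session_id=None, fmt="new")
    if "restore_started" in results:  # pre-7.0.2
        sid = results.get("session_id")
        return RestoreOutcome(
            accepted=bool(results["restore_started"]),
            completed=False,
            session_id=str(sid) if sid is not None else None,
            fmt="old",
        )
    raise ValueError(f"unrecognized restore response keys: {sorted(results)}")


def user_message(outcome: RestoreOutcome) -> str:
    """Message the integration returns to its user for either format."""
    if not outcome.accepted:
        return "Configuration restore was rejected by the FortiGate."
    if outcome.completed:
        return "Configuration restore completed."
    return f"Configuration restore started (session {outcome.session_id})."


# Constructed sample bodies, built from the two formats quoted in the note.
NEW_FORMAT_BODY = json.dumps({"status": "success",
                              "results": {"config_restored": True}})
OLD_FORMAT_BODY = json.dumps({"status": "success",
                              "results": {"restore_started": True,
                                          "session_id": "nTuRkV"}})

if __name__ == "__main__":
    for body in (NEW_FORMAT_BODY, OLD_FORMAT_BODY):
        print(user_message(parse_restore_response(body)))
```

An integration that previously keyed on session_id should treat its absence as normal once the FortiGate runs 7.0.2, and should reject an unrecognized body rather than reporting success to the user.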

743743

httpsd crashes due to GET /api/v2/log/.../virus/archive request when the mkey is not provided.

Routing

Bug ID

Description

537354

BFD/BGP dropping when outbandwidth is set on interface.

724541

One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.

724574, 731248

BFD neighborship is lost between hub and spoke. One side shows BFD as down, and the other side does not show the neighbor in the list.

725322

Improve the distance help text to indicate that 255 means unreachable.

729002

PIM/PIM6 does not send out unicast packets with the correct source IP if the interface is not specified.

729621

High CPU on hub BGPD due to hub FortiGate being unable to maintain BGP connections with more than 1K branches when route-reflector is enabled.

730194

When syncing a large number of service qualities, there is a chance of accessing out-of-boundary memory, which causes the VWL daemon to crash.

730208

Traffic is not going through when the returning interface is changed.

731683

SD-WAN did not check and properly handle cases of address groups with exclusion.

733187

FortiGate to FortiManager connection issue when using a loopback interface with a non-default VRF as the source for central management.

734628

SDNS traffic to the anycast IP servers does not follow the SD-WAN mode set in config system fortiguard.

736705

ZEBOS launcher is unable to start and crashes constantly if the AS path has more than 80 characters in the config router route-map > set-aspath setting.

737298

IPv6 fragmentation does not work as expected for VNE tunnel.

737898

OSPFv3 cannot install IPv6 ECMP routes when both ABR next hops are in the same subnet.

738366

VNE tunnel IPv6 reassembly does not work as expected when the IPv4 packet length is more than 1497 bytes.

740377

HTTP probe response sends reset packets when the number of probes increases.

741844

IPsec VPN does not come up due to incorrectly routed IKE packets.

741947

SD-WAN routes are not installed in the kernel or FIB.

742648

Health check over shortcut tunnel is dead after auto-discovery-receiver is disabled/enabled and VWL crash occurs.

743138

OSPF does not use the correct netmask length after upgrading to 7.0.1 when sending a hello packet on an IPsec interface.

743675

RIPv2 multiple routing entries are not reflected when receiving RIP updates via 802.3ad aggregate interface.

746000

Multicast streams sourced on SSL VPN client are not registered in PIM-SM.

Security Fabric

Bug ID

Description

635183

ACI dynamic address cannot be retrieved in HA vcluster2 from SDN connector.

670451

ACI SDN connector (connected by aci-direct) shows curl error 7 when updating from second VDOM.

695424

SDN connector for GCP ignores project settings.

717080

csfd shows high memory usage due to the JSON object not being used properly and the reference not being released properly.

724071

Log disk usage from user information history daemon is high and can restrict the use for general logging purposes.

726831

Security rating for Local Log Disk Not Full reporting as failed for FortiGate models without log disks.

731292

Dashboard Security Fabric widget takes a long time to load in the GUI.

731314

Security rating fails and displays Duplicate Firewall Objects message for FTP, FTP_GET, and FTP_PUT service objects.

732268

Dynamic address configured with the SDN connector for VMware collects fewer IP addresses than expected.

733511

Automation stitch trigger count does not update when target device is a downstream device.

735717

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

738344

When CSF root synchronizes a large automation setting (over 16000) to the downstream FortiGate, csfd crashes while trying to process the relay message.

740673

OCI Fabric connector has DNS failure in UK government region.

741346

The variable %%date%% resolves into 1900-01-00 instead of actual date when the schedule trigger type is used.

742603

Security rating fails due to duplicate address objects, even when no duplicate address objects exist.

742743

Security rating issue with unused deny policies.

745263

AV & IPS DB Update automation trigger is not working when clicking Update Licenses & Definitions Now in the GUI.

746950

When an Azure network interface ID contains upper case letters, the Azure SDN connector may not retrieve that network interface.

SSL VPN

Bug ID

Description

586035

The policy script-src 'self' will block the SSL VPN proxy URL.

640169

When the FortiGate is set as the DUT monitored by another FortiGate, the SSL VPN has a memory leak because it continues to receive HTTP requests and creates an HTTP state and tasks to process each request.

664276

SSL VPN host check validation not working for SAML user.

677031

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

706646

SolarWinds Orion NPM platform's web application has issues in SSL VPN web mode.

710657

The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set.

711503

SSL VPN web mode access to internal web server http://10.2.1.78 is broken after upgrading to 7.0.0.

711974

SSL VPN bookmarks are not working correctly with multiple SD-WAN zones.

714155

SSL VPN bookmarks are not working correctly with customer internal website, https://it***.nt***.lo***.

716289

Navigation menu of the internal web server, https://lm***.lm***.au***.vw***, is having issues in the SSL VPN web portal.

718133

In some conditions, the web mode JavaScript parser will encounter an infinite loop that will cause SSL VPN crashes.

718142

The map integrated in the public site is not visible when using SSL VPN web mode.

718165

SSL VPN web mode redirection issue with http://10.3.24.14.

718817

Customer internal website, http://192.168.*.28/mo***/index.php, cannot be shown in SSL VPN web mode due to a proxy error.

722329

After SSL VPN proxy rewrite, some Nuage JS files have problems running.

725986

SSL VPN web mode does not work as expected when accessing http://ot***.de***.sp***.go***.

726338

The wildcard matching method does not always work as expected because the kernel sometimes does not have the address yet.

726624

Jira web application (to***.cs***.tc***.co**) via SSL VPN web mode does not display website correctly.

727286

Unable to browse directories hosted on Nextcloud server through SSL VPN.

727551

When there are multiple user groups configured in a SSL VPN firewall policy, only the first user group is subjected for authentication verification. As a result, connection requests from other user groups may be terminated unexpectedly. A workaround is to use only one user group per SSL VPN policy.

729426

The wildcard FQDN does not always work reliably in cases where the kernel does not have the address yet.

729700

An internal website (https://cm***.va***.it***/cm***) does not load properly when connecting via SSL VPN web mode.

729889

NexGEN server could not be displayed in SSL VPN web mode.

730416

Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

731278

Customer internal website (ac***.sa***.com) does not load properly when connecting via SSL VPN web mode.

731606

Internal server (sa***.be***.com) is not loading after logging in with SSL VPN web mode.

732943

If the client certificate is only set in a specific authentication rule of the SSL VPN, the peer user may not log in successfully.

736436

Internal website (https://gg****.gl***.com/) shows a blank page in SSL VPN web mode.

736822

Non-US keyboard layout in RDP session with SSL VPN web mode does not work correctly.

737150

Internal website (oh***.com) could not be displayed in SSL VPN web mode.

737154

Slow RDP response when using SSL VPN web mode access.

737341

Some links and buttons are not working properly when accessing them through SSL VPN web mode.

737751

HTML5 page is not fully loading for SSL VPN web mode users.

738711

FortiClient error message is not pertinent when the client does not meet host checking requirements.

738715

Contents of Jira application (in***.ds***.com) in SSL VPN web mode are not displayed correctly.

738723

Video streaming does not work in SSL VPN web mode on https://te***.fortiddns.com:10443.

739711

SSL VPN bookmark button for Jira (sa***.con***.com) malfunctions.

740335

Internal website, https://te***.ko***.com, is not accessible in SSL VPN web mode.

740378

Windows FortiClient 7.0.1 cannot work with FortiOS 7.0.1 over SSL VPN when the tunnel IP is in the same subnet as one of the outgoing interfaces and NAT is not enabled.

741453

Unable to log in to VMware vSphere vCenter 7.0 through SSL VPN web portal.

742332

SSL VPN web portal redirect fails in http://qu***.jj***.bu***.

744494

Memory occupied by the SSL VPN daemon increases significantly while the process is busy.

744899

SSL VPN RDP bookmark is not working when using Chrome 93 32-bit. Firefox 64-bit and Chrome 64-bit are still not supported on Windows 32-bit.

745499

In cases where a user is establishing two tunnel connections, there is a chance that the second session knocks out the first session before it is updated, which causes a session leak.

746938

Unable to authenticate to outlook.com/owa/vw***.com website in SSL VPN web mode.

746990

RADIUS accounting messages after SSL VPN do not include the Class attribute (Group name).

747352

Internal web server page, https://te***.ss***.es:10443, is not loading properly in SSL VPN web mode.

747851

SSL VPN bookmark works on one URI (cu***.co***.cr***) and is not working on different URIs to the same destination server.

749918

Keyboard keys do not work with RDP bookmarks when PT-BR and PT-BR-ABNT2 layouts are chosen.

Switch Controller

Bug ID

Description

723501

When STP is enabled on a hardware switch interface, FortiLink loses its connection to FortiSwitch.

System

Bug ID

Description

488400

FGFM sessions time out when the session between two EMAC VLANs with no VLAN IDs is offloaded.

619839

In FIPS-CC mode, the fcron_set_mgmt_vdom()-122: Invalid mgmt-vfid=-1 message keeps appearing on the console.

644616

NP6 does not update session timers for IPsec tunnel traffic if the tunnel is established over a pure EMAC VLAN interface.

645848

FortiOS is providing self-signed CA certificate intermittently with flow-based SSL certificate inspection.

671824

On FG-40F, the NP6XLITE: failed to read lif accounting message appears on the console.

681791

Install preview does not show all changes performed on the FortiGate.

684563

Uploading a wrong script in the GUI can cause a continuous error.

696852

Failure to synchronize with FortiGate NTP server, even if the FortiGate NTP server is not properly synchronized with its higher tier NTP server.

698003

When creating a new administrator, the administrator profile's reference is visible in other administrator accounts from different VDOMs.

698590

The dhcp6-client-options setting is missing on internal interfaces for IPv6.

700664

When the SD-WAN interface select method is configured in system dns, the rules are not applied to AXFR DNS database local out traffic.

702966

There was a memory leak in the administrator login debug that caused the getty daemon to be killed.

706686

LAG interface between FortiGate and Cisco switch flaps when adding/removing member interface.

710635

GUI should hide the FortiGate Setup dialog if all setup steps are complete.

712156

Remote access management from FortiCloud login fails if trusted hosts are configured for the administrator account.

713835

The BLE pin hole behavior should not be applied on FG-100F generation 1 that has no BLE built in.

715647

In a virtual wire pair with set wildcard-vlan enable, in some special cases the SKB headlen is not long enough for handling, which may cause a protective crash in skb_pull.

715978

NTurbo does not work with EMAC VLAN interface.

720858

DDNS update interval is abnormal on FG-140E-POE.

721487

FortiGate often enters conserve mode due to high memory usage by httpsd process.

722248

When lag-out-port-select is enabled, FortiCarrier ESP packets are dropped on the NPU link.

722273

SA is freed while its timer is still pending, which leads to a kernel crash.

722547

The SKB is fragmented if the tail room is too small to carry the NTurbo vtag, which causes packets to be dropped.

724065

The Power supply 2 DC is lost log message only appears when the power cable is unplugged from power supply 2.

724446

High CPU for cmdbsvr when editing an address group.

724779

HPE setting of NTurbo host queue is missing and causes IPS traffic to stop when HPE is enabled.

725264

FG-600E copper speed LED does not work.

726634

NTP daemon is not responding when using the manual setting.

727343

Quarantined IP is not synchronized in FortiController mode.

727829

The DNS FQDN was not synchronized among all the working blades, so each blade might have a different IP address for the same FQDN. If a policy uses the FQDN as the address, the IP address resolved for the FQDN may not be in the list for the current blade, so the traffic does not match the FQDN policy.

728647

DHCP discovery dropped on virtual wire pair when UTM is enabled.

729636

FTLC1122RDNL transceiver is showing as not certified by Fortinet on FG-3800D.

729939

Multiple processes crashing at the same time causes the device's management functionality to be unavailable when the packet size is smaller than FSAE_HEADER_SIZE(6).

731708

The FG-traffic VDOM is lost after restoring the configuration if split-VDOM mode is set in the configuration file.

731789

Unable to set VDOM ID as filter in CLI for diagnose debug flow.

731821

MAP-E DDNS update request is not sent after booting up the device.

732760

SNMP trap packets are sometimes not sent from the primary ha-direct interface to all SNMP managers after upgrading.

734120

IPv6 Ready Phase 2 test failed on destination options (local link).

734565

Link monitor shows incorrect number of out-of-sequence packets.

734631

The SSH UMAC MAC algorithm was not configured for umac-128, which causes a message authentication code incorrect SSH error.

735492

Many processes are in a "D" state due to unregister_netdevice.

737711

When snmpd updates a huge table (~100K+ entries) that needs more time than the SNMP client's timeout, the SNMP client gets a timeout error.

738332

Connectivity issue with FortiGuard after upgrading from 7.0.0 to 7.0.1 when ha-direct is enabled.

740649

FortiGate sends CSR configuration without double quote (") to FortiManager.

742416

DNS does not resolve on FIM01, but resolves on other blades.

742471

Parsing FFDB may cause a crash when loading at reboot if the versions of FFDB_APP and FFDB_GEO_ID_FILE are different.

743431

DDNS hostname is not correct when two VDOMs are configured.

743735

Potential DHCP memory leak when lease is mocked from reserved address.

745017

get system checksum status should only display checksums for VDOMs the current user has permissions for.

748628

Modem init-string failed on 7.0.0 and 7.0.1 because it was unable to find the endpoint address.

748987

L2TP tunnel is not working properly for Android; only ping traffic passes.

User & Authentication

Bug ID

Description

556724

LLDP neighbors cannot be seen on virtual switch ports.

691838

Memory leaks and crashes observed during stress long duration performance test when using FortiToken Cloud.

707057

TACACS server traffic does not go through the specific interface selected in the GUI, irrespective of the interface set under the TAC.

709964

Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.

711263

diagnose fortitoken-cloud sync fails when user email address is longer than 35 characters.

713503

When IdP uses optional SAML parameters, the firewall stops processing the login request.

721747

Client certificate authentication fails with Windows Hello for Business certificates.

725056

FSSO local poller fails after recent Microsoft Windows updates (KB5003646, KB5003638, ...).

725327

FSSO user fails to log in with principal user name.

725988

CRLs with the same name in different non-management VDOMs cannot be updated automatically.

732413

Device IP is in the firewall user list, but it has no user name and group name, so the portal page cannot load.

733065

When deauthorizing from the GUI, the notification is sent to fsae rather than fssod, even if the authentication type is FSSO.

739350

RADIUS response is sent even when the rsso-radius-response attribute is set to disable.

739702

There are unknown user logins on the FortiGate and the logs do not have any information for the unknown user.

741403

Unknown user log in to FortiGate does not provide any information for the unknown user.

742047

RADIUS Request Account-Status-Type Interim-Update Message does not have the Class attribute.

744014

LLDP neighbors cannot be seen on virtual switch ports.

VM

Bug ID

Description

582123

EIP does not fail over if the primary FortiGate is rebooted or stopped from the Alibaba Cloud console.

656701

FortiGate VMX Service Manager enters conserve mode (cmdbsvr has high memory utilization).

721439

Problems occur when switching between HA broadcast heartbeat to unicast heartbeat and vice versa.

722290

Azure slow path NetVSC SoftNIC has stuck RX.

If using an IPsec tunnel, use UDP/4500 for the ESP protocol (instead of IP/50) when SR-IOV is enabled. On the phase 1 interface, use set nattraversal forced. UDP/4500 is the fast path for Azure SDN, and IP/50 is the slow path that stresses guest VMs and hypervisors to the extreme.

If using cross-site IPsec data backup, use Azure VNet peering technology to build raw connectivity across the site, rather than using the default IP routing based on the assigned global IP address.

729811

ASG synchronization is lost between secondary and primary instances if the secondary instance reboots. Affected platforms: all public cloud VMs and KVMs.

732556

AliCloud SDN connector will not fetch information from the secondary ENI, so filtering IP addresses by Vswitch ID and security group might be incorrect.

734148

The vmtoolsd and openvmtools processes are using a high amount of memory.

736067

NSX connector sometimes stops updating addresses.

739376

vmwd gives an error when folders are created in the vSphere web interface, and vmwd ignores the IP addresses from vApp.

747194

EIP failed to update on Azure FG-VM.

WAN Optimization

Bug ID

Description

735049

The HEAD request fails when webcache is enabled.

Web Filter

Bug ID

Description

677234

Unable to block webpages present in the external list when accessing them through the Google Translate URL.

739349

Web filter local rating configuration check might strip the URL, and the URL filter daemon does not start when utm-status is disabled.

744303

Websites are blocked when FortiGuard Category Based Filter is disabled in web filter profile while doing an SSL-exempt check.

747591

Default web filter policy allows many of the potentially liable categories by default instead of blocking them.

WiFi Controller

Bug ID

Description

700356

CAPWAP daemon crashes due to IoT detection.

719217

Interface Bandwidth widget should exclude bridge VAP interface (and mesh VAP interface).

720674

cw_acd is crashing on FG-40F.

733608

FG-5001D unable to display managed FortiAPs after upgrading.

741946

FortiGate does not recognize attribute 49, Acct-Terminate-Cause value (6) Admin-Reset, from RFC 2866.
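Three of the resolved issues above concern RADIUS accounting on the wire: 746990 and 742047 (the Class attribute missing from accounting and Interim-Update messages) and 741946 (Acct-Terminate-Cause, attribute 49, value 6 Admin-Reset not recognized). The following Python is an added example, not Fortinet code and not part of these release notes. It builds RFC 2866 Accounting-Request packets with the Request Authenticator computed as the RFC specifies, parses the attribute TLVs with bounds checks, and reports whether Class is present and how Acct-Terminate-Cause decodes, which is what a practitioner would check in a capture between a FortiGate and the RADIUS server. The shared secret, the Class value and the two sample packets are constructed for the example; to check real traffic, pass the UDP payload of a captured Accounting-Request and the real shared secret to summarize_accounting.

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4          # RADIUS packet code, RFC 2866
ATTR_CLASS = 25                 # RFC 2865
ATTR_ACCT_STATUS_TYPE = 40      # RFC 2866
ATTR_ACCT_TERMINATE_CAUSE = 49  # RFC 2866

ACCT_STATUS_TYPE = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ACCT_TERMINATE_CAUSE = {        # RFC 2866 section 5.10
    1: "User-Request", 2: "Lost-Carrier", 3: "Lost-Service", 4: "Idle-Timeout",
    5: "Session-Timeout", 6: "Admin-Reset", 7: "Admin-Reboot", 8: "Port-Error",
    9: "NAS-Error", 10: "NAS-Request", 11: "NAS-Reboot", 12: "Port-Unneeded",
    13: "Port-Preempted", 14: "Port-Suspended", 15: "Service-Unavailable",
    16: "Callback", 17: "User-Error", 18: "Host-Request",
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: Type (1 octet), Length (1 octet, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Accounting-Request whose Request Authenticator follows RFC 2866 section 3:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the accounting Request Authenticator and compare it to the one sent."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return expected == authenticator


def parse_attrs(packet: bytes) -> list:
    """Walk the attribute area; reject inconsistent lengths instead of reading past the buffer."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def summarize_accounting(packet: bytes, secret: bytes) -> dict:
    """Report the fields the release-note issues are about: does the Request Authenticator
    verify, which Acct-Status-Type is it, is Class present, and what Acct-Terminate-Cause says."""
    summary = {"authentic": verify_request_authenticator(packet, secret),
               "status_type": None, "has_class": False, "terminate_cause": None}
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_ACCT_STATUS_TYPE:
            summary["status_type"] = ACCT_STATUS_TYPE.get(struct.unpack("!I", value)[0], "Unknown")
        elif attr_type == ATTR_CLASS:
            summary["has_class"] = True
        elif attr_type == ATTR_ACCT_TERMINATE_CAUSE:
            summary["terminate_cause"] = ACCT_TERMINATE_CAUSE.get(struct.unpack("!I", value)[0], "Unknown")
    return summary


# Constructed sample packets, not captured from a FortiGate; the secret and Class value are made up.
SECRET = b"example-shared-secret"

# Interim-Update that carries a Class attribute (the behaviour expected after the fix).
INTERIM_WITH_CLASS = build_accounting_request(
    7, SECRET,
    encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 3))
    + encode_attr(ATTR_CLASS, b"group=vpn-users"))

# Stop record with Acct-Terminate-Cause = 6 (Admin-Reset) and no Class attribute.
STOP_ADMIN_RESET_NO_CLASS = build_accounting_request(
    8, SECRET,
    encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 2))
    + encode_attr(ATTR_ACCT_TERMINATE_CAUSE, struct.pack("!I", 6)))

if __name__ == "__main__":
    for name, pkt in (("interim", INTERIM_WITH_CLASS), ("stop", STOP_ADMIN_RESET_NO_CLASS)):
        print(name, summarize_accounting(pkt, SECRET))
```

A missing Class in an Interim-Update shows up as has_class False, and a Stop record that the RADIUS server logs as Unknown cause while the packet decodes to Admin-Reset points at the server side rather than the FortiGate. The authenticator check matters because a packet that fails it with the correct secret has been altered or built with the wrong secret and should not be used as evidence for either bug.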

748154

802.1X clients are disconnected following FortiGuard update.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

722821

FortiOS 7.0.2 is no longer vulnerable to the following CVE References:

  • CVE-2020-24586
  • CVE-2020-24587
  • CVE-2020-24588

726300

FortiOS 7.0.2 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-36169