Resolved issues

The following issues have been fixed in version 7.0.4. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

665173

Crash logs are sometimes truncated/incomplete.

723686

The partial fetch handling in the IMAP proxy only detects and scans the first fetched section, which allows threats in subsequent fetched sections to go through the firewall undetected.

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

762193

Scanunitd crash on signal 6 occurs for some file downloads.

Application Control

Bug ID

Description

752569

Per IP shaper under application list does not work as expected for some applications.

Data Leak Prevention

Bug ID

Description

763687

If a filter configured with set archive enable matches an HTTP POST, the file is not submitted for archiving (unless full-archive proto is enabled).

DNS Filter

Bug ID

Description

748227

DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.

751759

DNS filter breaks DNS zone transfers because the client socket might close prematurely (while there is still data in user space) if the server side closes the connection.

Endpoint Control

Bug ID

Description

744613

EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate.

747303

Some tagged endpoints' registration is lost on the FortiGate.

Explicit Proxy

Bug ID

Description

664380

When configuring an explicit proxy with a forward server, if ssl-ssh-profile is enabled in the proxy-policy, WAD is unable to correctly learn the destination type, so the destination port is set to 0; the Squid proxy server does not accept the request and returns an error.

747840

When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.

754259

When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.

755298

SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.

763796

FTP proxy refuses a connection on a freshly configured FortiGate.

Firewall

Bug ID

Description

732604

TCP zero window advertisements not occurring in proxy mode and causing premature server disconnects.

739949

In HA vcluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics.

746891

Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.

747190

When auto-asic-offload is enabled in policy, IP-in-IP sessions show as expired while tunnel traffic goes through the FortiGate.

752411

Kernel panic occurs and device reboots due to pba_map_index overflow.

752899

Multicast packet is forwarded from non-VWP port to a VWP port.

754240

After a session updates its shaping policy, if the new shaping policy does not configure a per-IP shaper, the session will still use the old per-IP shaper from the previous shaping policy.

767226

When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet's source IP instead of the external IP.

FortiView

Bug ID

Description

546312

Application filter does not work when the source is ISDB or unscanned.

GUI

Bug ID

Description

473841

Newly created deny policy incorrectly has logging disabled and it cannot be enabled when the Security Fabric is enabled.

535794

Policy page should show new name/content for firewall objects after editing them from the tooltip.

663558

Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.

698435

The Edit Virtual IP page should not display Conflicts with the External IP of another VIP when changing the source filter setting.

714455

CLI shows EMS tag object in the address select list, but it is not available in the GUI omni select list.

729324

Managed FortiAPs and Managed FortiSwitches pages keep loading when VDOM administrator has netgrp and wifi read/write permissions.

730466

The search does not work on the Policy & Objects > Addresses page if there is a non-EMS address group with an EMS tag (invalid configuration).

730533

On the Policy & Objects > Firewall Policy page, an unclear error message appears when a user creates a new SSL VPN policy with a web mode portal and a VIP or VIP group is used as the destination address.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

738027

The Device Inventory widget shows no results when there are two user_info parameters.

742626

The VDOM dropdown list in the banner should be scrollable.

746239

On the Policy & Objects > Virtual IP page the GUI does not allow the user to configure two virtual IPs with different service for the same external/mapped IP and external interface.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

748530

A gateway of 0.0.0.0 is not accepted in a policy route.

749451

On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided by the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 2^32-1.

750490

Firewall policy changes made in the GUI remove the replacement message group in that policy.

751219

Last Login in SSL-VPN widget is shown as NaN on macOS Safari.

751482

cmbdsvr signal 11 crash occurs when a wildcard FQDN is created with a duplicate ID.

752530

Sandbox status is shown as disabled on FortiGate Cloud widget when it is connected.

753000

Guest group that expires after first logon displays the duration variable as the Expires value. The value is correct if the administrator logs in and goes to Guest User Management.

753354

Interface migration wizard does not migrate all references.

753398

httpsd crashes after NGFW policy is deleted.

754539

On the Policy & Objects > Addresses page, filters applied on the Details column do not work.

755239

VIP with External IP configured to 0.0.0.0 is not showing in the GUI.

755625

Application control profile cannot be renamed from the GUI.

755893

Dashboard menus are not translated for non-English languages.

756420

On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up.

Workaround: check the status in the CLI using diagnose fdsm central-mgmt-status.

757130

After upgrading, the new ACME certificates configured in the GUI are using the staging environment.

757570

Path already in use error appears when adding new HTTPS ZTNA API gateway entry (the CLI allows this configuration).

757606

Dashboard > Users & Devices > Firewall Users widget cannot load if there is a client authenticated by the WiFi captive portal.

758820

The GUI cannot restore a CLI-encrypted configuration file saved on a TFTP server. There is no issue for unencrypted configuration files or if the file is encrypted in the GUI.

760863

PPPoE interface is not selectable if interface type is SSL-VPN Tunnel.

761615

Unable to see details of Apache.Struts.MPV.Input.Validation.Bypass log.

761658

Failed to retrieve information warning appears on secondary node faceplate.

761933

FSSO user login is not sorted correctly by duration on Firewall Users widget.

762683

The feature to send an email under User & Authentication > Guest Management is grayed out.

764744

On the Network > Explicit Proxy page, the GUI does not support configuring multiple outgoing IP addresses.

Workaround: use the CLI.

770948

When using NGFW policy-based mode, the VPN > Overlay Controller VPN option is removed.

772311

On the LDAP server page, when clicking Browse beside Distinguished Name and then clicking OK after viewing the query results, the LDAP server page is missing fields containing the server settings.

HA

Bug ID

Description

701367

In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.

711521

When HA failover happens, there is a time difference between the old secondary becoming the new primary and the new primary's HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session's traffic needs to be handled by the new secondary.

729719

When enabling ha-direct, some invalid configurations should be reset and hidden.

730770

After a hasync crash, the FGFM process stops sending keepalives.

731570

VDOMs added and deleted on the FGCP secondary device with the REST API are not synchronized across the FGCP cluster.

732201

VDOM restore on an already configured VDOM sometimes causes high CPU on the primary.

738934

No GARP is being sent out on the VWP interface upon HA failover, causing a long failover time.

740933

HA goes out of synchronization when uploading a local certificate.

747270

When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.

750004

The secondary FortiGate shows a DHCP IP was removed due to conflict, but it is not removed on the primary FortiGate.

752892

PPPoE connection gets disconnected during HA failover.

752928

fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.

753295

Configuration pushed from FortiManager does not respect standalone-config-sync and is pushed to all cluster members.

754599

SCTP sessions are not fully synchronized between nodes in FGSP.

757494

Unable to add a member to an aggregate interface that is down in a HA cluster.

760562

hasync crashes when the size of hasync statistics packets is invalid.

761581

Tunnel to Fortimanager is down log message is generated on the secondary FortiGate unit (without HA management interface).

766842

Long wait and timeout when upgrading an FG-3000D HA cluster due to vcluster2 being enabled.

Intrusion Prevention

Bug ID

Description

739272

Users cannot visit websites with an explicit web proxy when the FortiGate enters conserve mode with fail-open disabled. Block pages appear with the replacement message, IPS Sensor Triggered!.

751027

FortiGate can only collect up to 128 packets when a signature is triggered.

IPsec VPN

Bug ID

Description

715671

Traffic is failing on dialup VPN IKEv2 with EAP authentication.

726326, 745331

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

740475

Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.

740624

FortiOS 7.0 has a new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server relies on a static route over the dynamic tunnel interface to route the traffic back to the client.

743732

If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.

744598

Tunnel interface MTU settings do not work when net-device is enabled in phase 1.

748746

OCVPN is unable to retain set save-password enable option.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

760428

iked crashes due to responder child_sa creation failing in some cases.

762953

When the primary unit synchronizes the dialup mode-cfg assigned IP to the secondary unit, the mode-cfg IP is not marked as used in the IP pool. After an HA failover to the secondary unit, the new primary assigns the already-used IP to a new client. This causes a route clash, and the connection keeps getting flushed and re-established.

767945

In a setup with IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).

771302

Spoke cannot register to OCVPN when FortiGate is in policy-based NGFW mode.

Log & Report

Bug ID

Description

621329

Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.

745689

Unknown interface is shown in flow-based UTM logs.

747854

PDF report generation fails due to an HPDF API error when it is drawing a circle and there is only one entry in the SQL result.

749440

IPS malicious URL database (idsurldb, MUDB) update entry in FortiGate update succeeded log is delayed from the actual update timing.

749842

The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.

751358

Unable to set source IP for FortiCloud unless FortiCloud is already activated.

753904

The reportd process consumes a high amount of CPU.

754143

Add srcreputation and dstreputation fields in the forward traffic logs to provide the reputation level of the source and destination when the traffic matches an entry in the internet service database.

757703

Report suddenly cannot be generated due to no response from reportd.

Proxy

Bug ID

Description

568905

WAD crashes due to RCX having a null value.

712584

WAD memory leak causes device to go into conserve mode.

729797

CLI should block or warn users if an API gateway with the same service (protocol) and path is declared on the same ZTNA server.

733135, 734840

Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

738151

Browser has ERR_SSL_KEY_USAGE_INCOMPATIBLE error when both ZTNA and web proxy are enabled.

739627

diagnose wad stats policy list does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.

743746

WAD encounters signal 11 crash when adding user information.

746796

Stream-based scanning has high CPU cost and a long wait time on GZIP and BZIP2 files.

747250

When a timeout happens while forticron is downloading a file, the partially downloaded file is not deleted, so the next successful download has extra data in front.

751674

Load balancer based on HTTP host is DNATing traffic to the wrong real server when the correct real server is disabled.

752744

Proxy-based deep inspection fails upon receipt of a large handshake message.

754298

WAD crashes when adding user information.

754969

Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.

755294

Firefox gives SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when ECDSA CA is configured for deep inspection.

755685

Trend Micro client results in FortiGate illegal parameter SSL alert response because the Trend Micro client sent a ClientHello that includes extra data, which is declined by the FortiGate according to RFC 5246 7.4.1.2.

756603

WAD memory spike when downloading files larger than 4 GB.

756887

WAD crashes if the certificate authentication request context is not closed in the following scenarios: when fnbamd returns a failure certificate authentication result or no response; and when the CA certificate is updated and the certificate cache is flushed.

757873

WAD crash in half-mode virtual server case and HTTP real server ZTNA case.

758122

WAD memory usage may spike and cause the FortiGate to enter conserve mode when downloading a large file fails.

758496

WAD crashes due to LDAP group looping.

758532

WAD memory usage may spike and cause the FortiGate to enter conserve mode.

764193

The three-way handshake packet that was marked as TCP port number reused cannot pass through the FortiGate, and the FortiGate replies with a FIN, ACK to the client.

765349

Once AV is enabled in proxy mode, traffic is blocked.

768358

Failure to access certain AWS pages with proxy SSL deep inspection.

REST API

Bug ID

Description

743169

Update various REST API endpoints to prevent information in other VDOMs from being leaked.

768056

HTTPS daemon is not responsive when successive API calls are made to create an interface.

Routing

Bug ID

Description

720320

OSPF issues with spokes randomly showing Process is not up and losing some routes.

731941

Disconnected from FortiAnalyzer events reported when the interface-select-method is set to specify, and the interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection.

745999

Routing issue occurs when one of the SD-WAN interfaces goes down.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

762258

When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.

754636

Traffic sometimes does not match SD-WAN rules on some IPsec interfaces.

759711

OSPF E2 routes learned by Cisco routers are randomly removed from the routing table when the OSPF/OSPFv3 neighbor flaps.

759752

FortiGate sends malformed packets, causing a BGP IPv6 peering flap, when there is a large number of IPv6 routes that cannot fit in one packet.

769100

Policy routes order is changed after updating the source/destination of SD-WAN rules.

Security Fabric

Bug ID

Description

748389

Security Fabric automation email action trigger shows multiple emails as one email with no separation between the addresses.

753056

Recommendation information for Failed Login Attempts security rating rule should display Lockout duration should be at least 30 minutes, instead of 1800 minutes.

755187

The security rating test for Unused Policies is incorrectly evaluated as Pass when there are unused policies with the accept action.

758493

SDN connector on FG-Azure stays stuck if it is alphabetically the first subscription that is not in the permission scope.

765525

Deleted auto-scripts are not sent to FortiManager through the auto-update, which causes devices to go out of sync.

767976

Downstream FortiGate csfd process crashes randomly with signal 11.

SSL VPN

Bug ID

Description

673320

Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

684010

Internal page, https://vpn.ea***.***.**.us:10443, is not working in SSL VPN web mode.

695457

JS error thrown when accessing HTTPS bookmark (mk***.ag***.cp***.vw***) using SSL VPN web portal.

722329

After SSL VPN proxy rewrite, some Nuage JS files have problems running.

737894

If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.

746938

Unable to authenticate to outlook.com/owa/vw***.com website in SSL VPN web mode.

748085

An authentication request for an SSL VPN realm can now only be sent to the user groups, local users, and remote groups that are mapped to that realm in the SSL VPN settings. The authentication request is not applied to user groups and remote groups of other realms or of no realm.

748660

Unable to access Apache Guacamole web application using SSL VPN web mode.

749452

SSL VPN login authentication times out if primary RADIUS server becomes unavailable.

749815

Unable to access webmail server (https://9**.1**.9**.2**/) using SSL VPN web mode.

751028

SSL VPN proxy error in web mode for https://et***.ga***.gov.***/ due to requests to the loopback IP.

751366

JS error in SSL VPN web mode when trying to retrieve a PDF from https://vpn.ca***.com/.

751643

Jira server (cb***.com.au) cannot be displayed correctly using SSL VPN web mode.

751697

SSO login for SSL VPN bookmarks (https://za***.jo.za***.com) is not working.

751717

SAML user configured in groups in the IdP server might match to the wrong group in SSL VPN user authentication if an external browser is used.

752055

VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.

753515

DTLS does not work for SSL VPN and switches to TLS.

753590

Brickstream web interface is not loading properly when accessed using SSL VPN web mode.

755296

SSL VPN web mode has issues accessing https://e***.or***.kr.

756753

FQDN in firewall policy is treated as case sensitive, which causes SSL VPN failure when redirecting to or accessing a URL that contains capitalized characters.

758525

Users can modify the URL in SSL VPN portal to show connection launcher even when the Show Connection Launcher option is disabled.

759664

Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.

760340

WebSocket using Pronto Xi could not be established through SSL VPN web mode.

760928

SSL VPN with RADIUS authentication does not work with an interface subnet address object.

761668

Empty webpage loads when accessing internal website, https://ba***.ba**.com:2222, in SSL VPN web mode.

762491

Unable to authenticate outlook.office.com using corporate domain email account.

763619

SAP Fiori webpage using JSON is not loading in SSL VPN web mode.

767869

SCADA portal will not fully load with SSL VPN web bookmark.

768994

SSL VPN crashed when closing web mode RDP after upgrading.

771145

SSL VPN web mode access problem occurs for web service security camera.

773254

SSL VPN web mode access is causing issues with MiniCAU.

Switch Controller

Bug ID

Description

740661

FortiGate loses FortiSwitch management access due to excessive configuration pushes.

766583

A bin/cu_acd crash is generated when cfg-revert is enabled and involves FortiSwitch.

System

Bug ID

Description

572847

The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.

596942

SoC3 platforms may encounter kernel panic in cases when a PKCE IOCTL wait event is interrupted by WAD diagnose CLI commands.

602141

The extender daemon crashes on Low Encryption (LENC) FortiGates.

639861

Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E.

643558

System halts after running execute update-now in FIPS-CC mode.

651626

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

671116

Lack of null pointer check in NP6XLite driver may lead to kernel panic. Affected models: FG-40F, FG-60F, and FG-101F.

679035

NP6 drops, and bandwidth is limited to under 10 Gbps in npu-vlink case.

683299

Port group members have different speeds after the port speed is changed using a CLI script.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

703219

Kernel panic on FG-101F due to lack of null pointer check on NP6XLite driver.

712156

FortiCloud central management does not work if the FortiGate has trusted host enabled for the admin account.

712258

SFP28 ports on FG-340xE/FG-360xE cannot receive or transmit packets when the speed is set to 1000full. This issue is triggered by warm rebooting the FortiGate/Cisco switch or disconnecting the fiber cable.

716341

SFP28 port flapping when the speed is set to 10G.

718307, 729078

Verizon LTE connection is not stable, and the connection may drop after a few hours.

720687

On FG-20xF, the RJ45 ports connected to Dell N1548 switch do not automatically have an up link for energy detect mode.

726705

After upgrading to 7.0.0, FG-60E hangs due to various CLI configuration errors starting with cli 102 die in an exception in line 4318: KV?.

738640

Add support for FS-TRAN-FX 100 Mbps SFP optical transceivers on the FGR-60F and FGR-60F-3G4G models. Previously, there was no I2C reading/writing handler in drivers for FGR-60F and FGR-60F-3G4G.

741359

As per IEEE 802.3, NP frames under 64 octets should be discarded on the RX.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

744892

DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.

749250

Firewall does not use its ARP cache and is ARPing for client MAC addresses every 20 to 30 seconds.

749613

Unable to save configuration changes and get failed: No space left on device error on FG-61E, FG-81E, and FG-101E.

749835

Traffic logs report ICMP destination as unreachable for received traffic.

750123

FG-100F/101F sensor list shows the following deficiencies: missing PSU reading, degree sign is not readable in some CLI windows, and spelling mistakes.

750171

Legitimate traffic is unable to go through with NP6 synproxy enabled.

750202

USB unmounts after configuration backup.

751227

The GA image becomes uncertified after backing it up on a flash disk.

751346

DNS server obtained via DHCPv6 prefix delegation is not used by DNS proxy.

751523

When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.

753421

Slow SNMP query performance of fgVpn2Tables OIDs when a large number of IPsec dialup tunnels are connected.

753602

FG-40F has a newcli signal 11 crash.

753862

The DHCP client does not increment the secs field in DHCP DISCOVER, REQUEST, and INFORM packets.

754567

FortiGate receives Firmware image without valid RSA signature loaded error when loading the image from FortiCloud.

754681

The auto-script is not restarted when it is changed from HA synchronization.

754951

Static ARP entry was removed while using DHCP relay.

755475

When a software switch has an intra-switch-policy set to implicit (the default setting), layer 2 traffic, such as LLDP or STP, is being forwarded when it should be denied by default.

755953

Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.

756160

Unable to configure firewall access control lists on FG-20xF.

756445

Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.

756713

Packet loss on the LAG interface (eight ports) using SFP+/SFP28 ports in both static and active mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

757689

When creating a new interface with MTU override enabled, PPPoE mode, and a set MTU value, the MTU value is overridden by the default value.

757733

CP9 or SoC3/SoC4 kernel driver may crash while doing AES-GCM decryption.

757748

WAD memory leak could cause system to halt and print fork() failed on the console.

758545

Memory leak caused by a leaked JSON object.

758815

Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.

759689

When update-related configuration changes, the updated daemon may crash.

760259

On SoC4-based FortiGates (FG-40F, FG-60F, FG-80F, FG-100F) the outbound bandwidth in the bandwidth widget does not adhere to the outbandwidth setting.

764989

Include an entry in SNMP OID that lists the number of octets for the IP type.

Upgrade

Bug ID

Description

743389

The dnsfilter-profile setting was purged from all DNS server entries upon upgrading from below 6.4.4.

744454

IPv6 delegated configuration is lost after upgrading from 7.0.1.

757660

ISDB objects are obsolete after upgrading, which blocks FortiGuard access using the root VDOM.

User & Authentication

Bug ID

Description

709964

Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.

719658

SCEP client does not work with virtual service.

739350

RADIUS response is sent even when the rsso-radius-response attribute is set to disable.

742244

Unable to receive token via email on configured local email server with authentication when the incoming SMTP response is incomplete.

747651

LDAP-based authentication is not possible while WAD updates or reads group information from the AD LDAP server.

750551

DST_Root_CA_X3 certificate is expired.

753449

SCEP using execute vpn certificate local generate does not conform to HTTP/1.1 (RFC 2616).

755302

The fnbamd process spikes to 99% or crashes during RADIUS authentication.

756763

In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.

757883

FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

VM

Bug ID

Description

691337

When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.

747221

Tags under VNET are not detected by SDN connector under Azure. The following issues have been fixed:

  • IP of Azure network interface without an associated VM is not collected.
  • Address prefix of Azure subnet is not collected.
  • Tags on Azure virtual network scope cannot filter the IP address.

750889

DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.

755016

In AWS, if the HA connection between active and passive nodes breaks for a few seconds and reconnects, sometimes the EIP will remain in the passive node.

759300

gcpd has signal 11 crash at gcpd_mime_part_end.

764184

Inconsistent TXQ selection degrades mlx5 vfNIC. Azure FortiGate interface has high latency when the IPsec tunnel is up.

769352

Azure SDN connector is unable to pull service tag from China and Germany regions.

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

WAN Optimization

Bug ID

Description

754378

When an AV profile is enabled in a WANOpt proxy policy on a server side FortiGate, EICAR sent over HTTPS will not get blocked.

Web Filter

Bug ID

Description

751693

WAD crashed with signal 6 when using WISP for web filtering with Websense.

WiFi Controller

Bug ID

Description

578440

Wireless controller sends ARP request packets that are destined to the FortiGate back to all tunnel interfaces.

600257

FG-1000D and FG-1500D go into conserve mode when wpad and cw_acd have a memory spike, which affects wireless user tunnel traffic.

675164

FWF-60F local radio shows WPA3 is not supported.

720497

MAC authentication bypass is not working for some clients.

734801

Some Apple devices cannot handle 303/307 redirect responses, and may loop while loading the external portal page and fail to pass authentication. Some Android devices cannot process JavaScript redirect messages after users submit their username and password.

744687

A client should match the new NAC policy when that policy is reordered to the top.

745044

Optimize memory usage of wpad daemon in WiFi controller for large-scale 802.11r fast BSS transition deployment.

751509

On FAP-U432F, the Radio 3 spectrum analysis should be disabled in the FortiGate GUI.

761836

FWF-8xF platforms should allow the DHCP server configuration of an aggregate interface (aplink) to be edited in the GUI.

761996

If concurrent-client-limit-type is set to unlimited, the client count is still limited by the max-clients value in the VAP profile.

766652

FortiAP firmware status is inconsistent between the System > Fabric Management page and the upgrade slide.

ZTNA

Bug ID

Description

765813

ZTNA access is systematically denied for a ZTNA rule that uses an SD-WAN zone as its incoming interface.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

707951

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-41032

749471

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42755

752134

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42757

763982

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-43081

764221

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-43206

765177

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-22299

Resolved issues

The following issues have been fixed in version 7.0.4. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

665173

Crash logs are sometimes truncated/incomplete.

723686

The partial fetch handling in the IMAP proxy only detects and scans the first fetched section, which allows threats in subsequent fetched sections to go through the firewall undetected.

752420

If a .TAR.BZ2 or .TAR.GZ archive contains an archive bomb inside its compressed stream, the AV engine will time out.

762193

Scanunitd crash on signal 6 occurs for some file downloads.

Application Control

Bug ID

Description

752569

Per IP shaper under application list does not work as expected for some applications.

Data Leak Prevention

Bug ID

Description

763687

If a filter configured with set archive enable matches a HTTP post, the file is not submitted for archiving (unless full-archive proto is enabled).

DNS Filter

Bug ID

Description

748227

DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.

751759

DNS filter breaks DNS zone transfer because the client socket might close prematurely (in which there is still some data in the user space) if the server side closed the connection.

Endpoint Control

Bug ID

Description

744613

EMS endpoint IP and MAC addresses are not synchronized to the ZTNA tags on the FortiGate.

747303

Some tagged endpoints' registration is lost on the FortiGate.

Explicit Proxy

Bug ID

Description

664380

When configuring explicit proxy with forward server, if ssl-ssh-profile is enabled in proxy-policy, WAD is unable to correctly learn the destination type correctly, so the destination port is set to 0, but the squid proxy server does not accept the request and returns an error.

747840

When configuring authentication schemes to negotiate and NTLM (mix), Firefox may not show the authentication pop-up with an explicit proxy.

754259

When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.

755298

SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.

763796

FTP proxy refuses a connection on a freshly configured FortiGate.

Firewall

Bug ID

Description

732604

TCP zero window advertisements not occurring in proxy mode and causing premature server disconnects.

739949

In HA vcluster scenario, the Bytes counter on the Firewall Policy page always shows 0 B for the secondary while the Edit Policy page shows the correct Total bytes in the statistics.

746891

Auto-update script sent from FortiOS GUI has a policy ID of zero, which causes FortiManager to be out of synchronization.

747190

When auto-asic-offload is enabled in policy, IP-in-IP sessions show as expired while tunnel traffic goes through the FortiGate.

752411

Kernel panic occurs and device reboots due to pba_map_index overflow.

752899

Multicast packet is forwarded from non-VWP port to a VWP port.

754240

After a session updates its shaping policy, if the new shaping policy does not configure a per-IP shaper, the session will still use the old per-IP shaper from the previous shaping policy.

767226

When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet's source IP instead of the external IP.

FortiView

Bug ID

Description

546312

Application filter does not work when the source is ISDB or unscanned.

GUI

Bug ID

Description

473841

Newly created deny policy incorrectly has logging disabled and can not be enabled when the Security Fabric is enabled.

535794

Policy page should show new name/content for firewall objects after editing them from the tooltip.

663558

Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.

698435

The Edit Virtual IP page should not display Conflicts with the External IP of another VIP when changing the source filter setting.

714455

CLI shows EMS tag object in the address select list, but it is not available in the GUI omni select list.

729324

Managed FortiAPs and Managed FortiSwitches pages keep loading when VDOM administrator has netgrp and wifi read/write permissions.

730466

The search does not work on the Policy & Objects > Addresses page if there is a non-EMS address group with an EMS tag (invalid configuration).

730533

On the Policy & Objects > Firewall Policy page, an unclear error message appears when a user creates a new SSL VPN policy with a web mode portal and a VIP or VIP group is used as the destination address.

735248

On a mobile phone, the WiFi captive portal may take longer to load when the default firewall authentication login template is used and the user authentication type is set to HTTP.

738027

The Device Inventory widget shows no results when there are two user_info parameters.

742626

The VDOM dropdown list in the banner should be scrollable.

746239

On the Policy & Objects > Virtual IP page the GUI does not allow the user to configure two virtual IPs with different service for the same external/mapped IP and external interface.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

748530

A gateway of 0.0.0.0 is not accepted in a policy route.

749451

On the Network > SD-WAN page, the volume sent/received displayed in the charts does not match the values provided from the REST API when the RX and TX values of diagnose sys sdwan intf-sla-log exceed 232-1.

750490

Firewall policy changes made in the GUI remove the replacement message group in that policy.

751219

Last Login in SSL-VPN widget is shown as NaN on macOS Safari.

751482

cmbdsvr signal 11 crash occurs when a wildcard FQDN is created with a duplicate ID.

752530

Sandbox status is shown as disabled on FortiGate Cloud widget when it is connected.

753000

Guest group that expires after first logon displays the duration variable as the Expires value. The value is correct if the administrator logs in and goes to Guest User Management.

753354

Interface migration wizard does not migrate all references.

753398

httpsd crashes after NGFW policy is deleted.

754539

On the Policy & Objects > Addresses page, filters applied on the Details column do not work.

755239

VIP with External IP configured to 0.0.0.0 is not showing in the GUI.

755625

Application control profile cannot be renamed from the GUI.

755893

Dashboard menus are not translated for non-English languages.

756420

On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up.

Workaround: check the status in the CLI using diagnose fdsm central-mgmt-status.

757130

After upgrading, the new ACME certificates configured in the GUI are using the staging environment.

757570

Path already in use error appears when adding new HTTPS ZTNA API gateway entry (the CLI allows this configuration).

757606

Dashboard > Users & Devices > Firewall Users widget cannot load if there is a client authenticated by the WiFi captive portal.

758820

The GUI cannot restore a CLI-encrypted configuration file saved on a TFTP server. There is no issue for unencrypted configuration files or if the file is encrypted in the GUI.

760863

PPPoE interface is not selectable if interface type is SSL-VPN Tunnel.

761615

Unable to see details of Apache.Struts.MPV.Input.Validation.Bypass log.

761658

Failed to retrieve information warning appears on secondary node faceplate.

761933

FSSO user login is not sorted correctly by duration on Firewall Users widget.

762683

The feature to send an email under User & Authentication > Guest Management is grayed out.

764744

On the Network > Explicit Proxy page, the GUI does not support configuring multiple outgoing IP addresses.

Workaround: use the CLI.

770948

When using NGFW policy-based mode, the VPN > Overlay Controller VPN option is removed.

772311

On the LDAP server page, when clicking Browse beside Distinguished Name and then clicking OK after viewing the query results, the LDAP server page is missing fields containing the server settings.

HA

Bug ID

Description

701367

In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.

711521

When HA failover happens, there is a time difference between the old secondary becoming the new primary and the new primary's HA ID getting updated. If a session is created in between, the session gets a wrong HA ID, which indicates incorrectly that the session's traffic needs to be handled by the new secondary.

729719

When enabling ha-direct, some invalid configurations should be reset and hidden.

730770

After a hasync crash, the FGFM process stops sending keepalives.

731570

VDOMs added and deleted on the FGCP secondary device with the REST API are not synchronized between the FGCP cluster.

732201

VDOM restore on an already configured VDOM causes high CPU sometimes on the primary.

738934

No GARP is being sent out on the VWP interface upon HA failover, causing a long failover time.

740933

HA goes out of synchronization when uploading a local certificate.

747270

When the HA secondary device relays logs to the primary device, it may encounter high CPU usage.

750004

The secondary FortiGate shows a DHCP IP was removed due to conflict, but it is not removed on the primary FortiGate.

752892

PPPoE connection gets disconnected during HA failover.

752928

fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.

753295

Configuration pushed from FortiManager does not respect standalone-config-sync and is pushed to all cluster members.

754599

SCTP sessions are not fully synchronized between nodes in FGSP.

757494

Unable to add a member to an aggregate interface that is down in a HA cluster.

760562

hasync crashes when the size of hasync statistics packets is invalid.

761581

Tunnel to Fortimanager is down log message is generated on the secondary FortiGate unit (without HA management interface).

766842

Long wait and timeout when upgrading FG- 3000D HA cluster due to vluster2 being enabled.

Intrusion Prevention

Bug ID

Description

739272

Users cannot visit websites with an explicit web proxy when the FortiGate enters conserve mode with fail-open disabled. Block pages appear with the replacement message, IPS Sensor Triggered!.

751027

FortiGate can only collect up to 128 packets when detected by a signature.

IPsec VPN

Bug ID

Description

715671

Traffic is failing on dialup VPN IKEv2 with EAP authentication.

726326, 745331

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

740475

Traffic cannot be sent out through IPsec VPN tunnel because SA is pushed to the wrong NP6 for platforms where NP6 is standalone. Affected models: FG-2000E and FG-2500E.

740624

FortiOS 7.0 has new design for dialup VPN (no more route tree in the IPsec tunnel), so traffic might not traverse over the dialup IPsec VPN after upgrading from FortiOS 6.4.6 to 7.0.1, 7.0.2, or 7.0.3 if the server replies on the static route over the dynamic tunnel interface to route the traffic back to the client.

743732

If a failure happens during negotiating a shortcut IPsec tunnel, the original tunnel NAT-T setting is reset by mistake.

744598

Tunnel interface MTU settings do not work when net-device is enabled in phase 1.

748746

OCVPN is unable to retain set save-password enable option.

752947

The hub sometimes allows the IKEv2 IPsec tunnel with a spoke to be established that uses an expired or revoked certificate.

760428

iked crashes due to responder child_sa creation failing in some cases.

762953

When the primary unit synchronizes the dialup mode-cfg assigned IP to the secondary unit, the mode-cfg IP is not marked as used in the IP pool. After a HA failover to the secondary unit, the new primary will assign the used IP to a new client. This caused a route clash, and the connection keeps getting flushed and re-established.

767945

In a setup with IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).

771302

Spoke cannot register to OCVPN when FortiGate is in policy-based NGFW mode.

Log & Report

Bug ID

Description

621329

Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.

745689

Unknown interface is shown in flow-based UTM logs.

747854

PDF report generation fails due to an HPDF API error when it is drawing a circle and there is only one entry in the SQL result.

749440

IPS malicious URL database (idsurldb, MUDB) update entry in FortiGate update succeeded log is delayed from the actual update timing.

749842

The miglogd process uses high CPU when handling a web rating error log that is reported with an invalid VDOM ID.

751358

Unable to set source IP for FortiCloud unless FortiCloud is already activated.

753904

The reportd process consumes a high amount of CPU.

754143

Add srcreputation and dstreputation fields in the forward traffic logs to provide the reputation level of the source and destination when the traffic matches an entry in the internet service database.

757703

Report suddenly cannot be generated due to no response from reportd.

Proxy

Bug ID

Description

568905

WAD crashes due to RCX having a null value.

712584

WAD memory leak causes device to go into conserve mode.

729797

CLI should block or warn users if an API gateway with the same service (protocol) and path are declared on the same ZTNA server.

733135, 734840

Web filter is blocking websites in proxy mode due to SSL certificate validation failure, which is caused by an unreachable OCSP server.

735893

After the Chrome 92 update, in FOS 6.2, 6.4, or 7.0 running an IPS engine older than version 5.00246, 6.00099, or 7.00034, users are unable to reach specific websites in proxy mode with UTM applied. In flow mode everything works as expected.

738151

Browser has ERR_SSL_KEY_USAGE_INCOMPATIBLE error when both ZTNA and web proxy are enabled.

739627

diagnose wad stats policy list does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.

743746

WAD encounters signal 11 crash when adding user information.

746796

Stream-based scanning has high CPU cost and a long wait time on GZIP and BZIP2 files.

747250

When a timeout happens while forticron is downloading a file, the original downloaded file is not be deleted, so the next successful download has extra data in front.

751674

Load balancer based on HTTP host is DNATing traffic to the wrong real server when the correct real server is disabled.

752744

Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.

754298

WAD crashes when adding user information.

754969

Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.

755294

Firefox gives SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when ECDSA CA is configured for deep inspection.

755685

Trend Micro client results in FortiGate illegal parameter SSL alert response because the Trend Micro client sent a ClientHello that includes extra data, which is declined by the FortiGate according to RFC 5246 7.4.1.2.

756603

WAD memory spike when downloading files larger than 4 GB.

756887

WAD crashes if the certificate authentication request context is not closed in the following scenarios: when fnbamd returns a failure certificate authentication result or no response; and when the CA certificate is updated and the certificate cache is flushed.

757873

WAD crash in half-mode virtual server case and HTTP real server ZTNA case.

758122

WAD memory usage may spike and cause the FortiGate to enter conserve mode when downloading a large file fails.

758496

WAD crash for LDAP group looping.

758532

WAD memory usage may spike and cause the FortiGate to enter conserve mode.

764193

The three-way handshake packet that was marked as TCP port number reused cannot pass through the FortiGate, and the FortiGate replies with a FIN, ACK to the client.

765349

Once AV is enabled in proxy mode, traffic will be blocked in proxy mode.

768358

Failure to access certain AWS pages with proxy SSL deep inspection.

REST API

Bug ID

Description

743169

Update various REST API endpoints to prevent information in other VDOMs from being leaked.

768056

HTTPS daemon is not responsive when successive API calls are made to create an interface.

Routing

Bug ID

Description

720320

OSPF issues with spokes randomly showing Process is not up and losing some routes.

731941

Disconnected from FortiAnalyzer events reported when the interface-select-method is set to specify, and the interface port_<x> is set to an interface that does not have the highest priority in the SD-WAN interface selection.

745999

Routing issue occurs when one of the SD-WAN interfaces goes down.

748733

Remote IP route shows incomplete inactive in the routing table, which causes issues with BGP routes where the peer is the next hop.

762258

When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.

754636

Traffic sometimes does not match SD-WAN rules on some IPsec interfaces.

759711

OSPF E2 routes learned by Cisco routers are randomly removed from the routing table when the OSPF/OSPFv3 neighbor flaps.

759752

FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.

769100

Policy routes order is changed after updating the source/destination of SD-WAN rules.

Security Fabric

Bug ID

Description

748389

Security Fabric automation email action trigger shows multiple emails as one email with no separation between the addresses.

753056

Recommendation information for Failed Login Attempts security rating rule should display Lockout duration should be at least 30 minutes, instead of 1800 minutes.

755187

The security rating test for Unused Policies is incorrectly evaluated as Pass when there are unused policies with the accept action.

758493

SDN connector on FG-Azure stays stuck if it is alphabetically the first subscription that is not in the permission scope.

765525

The deleted auto-scripts are not sent to FortiManager through the auto-update and cause devices go out of sync.

767976

Downstream FortiGate csfd process crashed randomly with signal 11.

SSL VPN

Bug ID

Description

673320

Pop-up window does not load correctly when accessing internal application at https://re***.wo***.nl using SSL VPN web mode.

677057

SSL VPN firewall policy creation via CLI does not require setting user identity.

684010

Internal page, https://vpn.ea***.***.**.us:10443, is not working in SSL VPN web mode.

695457

JS error thrown when accessing HTTPS bookmark (mk***.ag***.cp***.vw***) using SSL VPN web portal.

722329

After SSL VPN proxy rewrite, some Nuage JS files have problems running.

737894

If there are no users or groups in an SSL VPN policy, the SSL VPN daemon may crash when an FQDN is a destination address in the firewall policy.

746938

Unable to authenticate to outlook.com/owa/vw***.com website in SSL VPN web mode.

748085

Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.

748660

Unable to access Apache Guacamole web application using SSL VPN web mode.

749452

SSL VPN login authentication times out if primary RADIUS server becomes unavailable.

749815

Unable to access webmail server (https://9**.1**.9**.2**/) using SSL VPN web mode.

751028

SSL VPN proxy error in web mode for https://et***.ga***.gov.***/ due to requests to the loopback IP.

751366

JS error in SSL VPN web mode when trying to retrieve a PDF from https://vpn.ca***.com/.

751643

Jira server (cb***.com.au) cannot be displayed correctly using SSL VPN web mode.

751697

SSO login for SSL VPN bookmarks (https://za***.jo.za***.com) is not working.

751717

SAML user configured in groups in the IdP server might match to the wrong group in SSL VPN user authentication if an external browser is used.

752055

VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.

753515

DTLS does not work for SSL VPN and switches to TLS.

753590

Brickstream web interface is not loading properly when accessed using SSL VPN web mode.

755296

SSL VPN web mode has issues accessing https://e***.or***.kr.

756753

FQDN in firewall policy is treated case sensitive, which causes SSL VPN failure when redirecting or accessing a URL that contains capitalized characters.

758525

Users can modify the URL in SSL VPN portal to show connection launcher even when the Show Connection Launcher option is disabled.

759664

Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.

760340

WebSocket using Pronto Xi could not be established through SSL VPN web mode.

760928

SSL VPN with RADIUS authentication does not work with an interface subnet address object.

761668

Empty webpage loads when accessing internal website, https://ba***.ba**.com:2222, in SSL VPN web mode.

762491

Unable to authenticate outlook.office.com using corporate domain email account.

763619

SAP Fiori webpage using JSON is not loading in SSL VPN web mode.

767869

SCADA portal will not fully load with SSL VPN web bookmark.

768994

SSL VPN crashed when closing web mode RDP after upgrading.

771145

SSL VPN web mode access problem occurs for web service security camera.

773254

SSL VPN web mode access is causing issues with MiniCAU.

Switch Controller

Bug ID

Description

740661

FortiGate loses FortiSwitch management access due to excessive configuration pushes.

766583

A bin/cu_acd crash is generated when cfg-revert is enabled and involves FortiSwitch.

System

Bug ID

Description

572847

The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.

596942

SoC3 platforms may encounter kernel panic in cases when a PKCE IOCTL wait event is interrupted by WAD diagnose CLI commands.

602141

The extender daemon crashes on Low Encryption (LENC) FortiGates.

639861

Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E.

643558

System halts after running execute update-now in FIPS-CC mode.

651626

A session clash is caused by the same NAT port. It happens when many sessions are created at the same time and they get the same NAT port due to the wrong port seed value.

671116

Lack of null pointer check in NP6XLite driver may lead to kernel panic. Affected models: FG-40F, FG-60F, and FG-101F.

679035

NP6 drops, and bandwidth is limited to under 10 Gbps in npu-vlink case.

683299

Port group members have different speeds after the port speed is changed using a CLI script.

687398

Multiple SFPs and FTLX8574D3BCL in multiple FG-1100E units have been flapping intermittently with various devices.

703219

Kernel panic on FG-101F due to lack of null pointer check on NP6XLite driver.

712156

FortiCloud central management does not work if the FortiGate has trusted host enabled for the admin account.

712258

SFP28 ports on FG-340xE/FG-360xE cannot receive or transmit packets when the speed is set to 1000full. This issue is triggered by warm rebooting the FortiGate/Cisco switch or disconnecting the fiber cable.

716341

SFP28 port flapping when the speed is set to 10G.

718307, 729078

Verizon LTE connection is not stable, and the connection may drop after a few hours.

720687

On FG-20xF, the RJ45 ports connected to Dell N1548 switch do not automatically have an up link for energy detect mode.

726705

After upgrading to 7.0.0, FG-60E hangs due to various CLI configuration errors starting with cli 102 die in an exception in line 4318: KV?.

738640

Add support for FS-TRAN-FX 100 Mbps SFP optical transceivers on the FGR-60F and FGR-60F-3G4G models. Previously, there was no I2C reading/writing handler in drivers for FGR-60F and FGR-60F-3G4G.

741359

As per IEEE 802.3, NP frames under 64 octets should be discarded on the RX.

741944

The forticron process has a memory leak if there are duplicated entries in the external IP range file.

744892

DNS query responses can be bumped when dealing with a high volume of visibility hostname log requests.

749250

Firewall does not use its ARP cache and is ARPing for client MAC addresses every 20 to 30 seconds.

749613

Unable to save configuration changes and get failed: No space left on device error on FG-61E, FG-81E, and FG-101E.

749835

Traffic logs report ICMP destination as unreachable for received traffic.

750123

FG-100F/101F sensor list shows the following deficiencies: missing PSU reading, degree sign is not readable in some CLI windows, and spelling mistakes.

750171

Legitimate traffic is unable to go through with NP6 synproxy enabled.

750202

USB unmounts after configuration backup.

751227

The GA image becomes uncertified after backing it up on a flash disk.

751346

DNS server obtained via DHCPv6 prefix delegation is not used by DNS proxy.

751523

When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.

753421

Slow SNMP query performance of fgVpn2Tables OIDs when a large number of IPsec dialup tunnels are connected.

753602

FG-40F has a newcli signal 11 crash.

753862

DHCPc seconds not incrementing in DHCP DISCOVER, REQUEST, and INFORM packets.

754567

FortiGate receives Firmware image without valid RSA signature loaded error when loading the image from FortiCloud.

754681

The auto-script is not restarted when it is changed from HA synchronization.

754951

Static ARP entry was removed while using DHCP relay.

755475

When a software switch has an intra-switch-policy set to implicit (the default setting), layer 2 traffic, such as LLDP or STP, is being forwarded when it should be denied by default.

755953

Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.

756160

Unable to configure firewall access control lists on FG-20xF.

756445

Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.

756713

Packet loss on the LAG interface (eight ports) using SFP+/SFP28 ports in both static and active mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

757689

When creating a new interface with MTU override enabled, PPPoE mode, and a set MTU value, the MTU value is overridden by the default value.

757733

CP9 or SoC3/SoC4 kernel driver may crash while doing AES-GCM decryption.

757748

WAD memory leak could cause system to halt and print fork() failed on the console.

758545

Memory leak cause by leaked JSON object.

758815

Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.

759689

When updated related configurations change, the updated configurations may crash.

760259

On SoC4-based FortiGates (FG-40F, FG-60F, FG-80F, FG-100F) the outbound bandwidth in the bandwidth widget does not adhere to the outbandwidth setting.

764989

Include an entry in SNMP OID that lists the number of octets for the IP type.

Upgrade

Bug ID

Description

743389

The dnsfilter-profile setting was purged from all DNS server entries upon upgrading from below 6.4.4.

744454

IPv6 delegated configuration is lost after upgrading from 7.0.1.

757660

ISDB objects are obsolete after upgrading, which blocked FortiGuard access using the root VDOM.

User & Authentication

Bug ID

Description

709964

Apple devices cannot load the FortiAuthenticator captive portal via the system pop-up only.

719658

SCEP client does not work with virtual service.

739350

RADIUS response is sent even when the rsso-radius-response attribute is set to disable.

742244

Unable to receive token via email on configured local email server with authentication when the incoming SMTP response is incomplete.

747651

There is no LDAP-based authentication possible during the time WAD updates/reads group information from the AD LDAP server.

750551

DST_Root_CA_X3 certificate is expired.

753449

SCEP using execute vpn certificate local generate does not conform to HTTP 1.1 RFC 2616.

755302

The fnbamd process spikes to 99% or crashes during RADIUS authentication.

756763

In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.

757883

FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

VM

Bug ID

Description

691337

When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.

747221

Tags under VNET are not detected by SDN connector under Azure. The following issues have been fixed:

  • IP of Azure network interface without an associated VM is not collected.
  • Address prefix of Azure subnet is not collected.
  • Tags on Azure virtual network scope cannot filter the IP address.

750889

DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.

755016

In AWS, if the HA connection between active and passive nodes breaks for a few seconds and reconnects, sometimes the EIP will remain in the passive node.

759300

gcpd has signal 11 crash at gcpd_mime_part_end.

764184

Inconsistent TXQ selection degrades mlx5 vfNIC. Azure FortiGate interface has high latency when the IPsec tunnel is up.

769352

Azure SDN connector is unable to pull service tag from China and Germany regions.

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

WAN Optimization

Bug ID

Description

754378

When an AV profile is enabled in a WANOpt proxy policy on a server-side FortiGate, EICAR sent over HTTPS is not blocked.

Web Filter

Bug ID

Description

751693

WAD crashed with signal 6 when using WISP for web filtering with Websense.

WiFi Controller

Bug ID

Description

578440

Wireless controller sends ARP request packets that are destined to the FortiGate back to all tunnel interfaces.

600257

FG-1000D and FG-1500D go into conserve mode when wpad and cw_acd have a memory spike, which affects wireless user tunnel traffic.

675164

The FWF-60F local radio shows that WPA3 is not supported.

720497

MAC authentication bypass is not working for some clients.

734801

Some Apple devices cannot handle 303/307 messages, and may loop while loading the external portal page and fail to pass authentication. Some Android devices cannot process JavaScript redirect messages after users submit their username and password.

744687

A client should match the new NAC policy when that policy is reordered to the top.

745044

Optimize memory usage of wpad daemon in WiFi controller for large-scale 802.11r fast BSS transition deployment.

751509

On FAP-U432F, the Radio 3 spectrum analysis should be disabled in the FortiGate GUI.

761836

FWF-8xF platforms should allow the DHCP server configuration of an aggregate interface (aplink) to be edited in the GUI.

761996

If concurrent-client-limit-type is set to unlimited, the number of clients is still limited by the max-clients value in the VAP profile.

766652

FortiAP firmware status is inconsistent between the System > Fabric Management page and the upgrade slide.

ZTNA

Bug ID

Description

765813

ZTNA access is systematically denied for a ZTNA rule that uses an SD-WAN zone as the incoming interface.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

707951

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-41032

749471

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42755

752134

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42757

763982

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-43081

764221

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-43206

765177

FortiOS 7.0.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-22299