Known issues

The following issues have been identified in version 7.0.5. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Endpoint Control

Bug ID

Description

730767

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

776447

When a new device first connects to the EMS server with a customized certificate, the wrong slide-in pane appears in the GUI.

777294

Fabric connection failure between EMS and FortiOS.

793162

Sometimes the FortiGate fails to resolve a FortiClient MAC or IP in the firewall dynamic address table.

Explicit Proxy

Bug ID

Description

771152

GUI does not display Source Address field when using a proxy address group in authentication rules.

774442

WAD is NATting to the wrong IP pool address for the interface.

778339

Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.

780211

diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.

Firewall

Bug ID

Description

775783

Get httpsd signal 11 crash when inline editing custom service from policy list page with FortiGate support tool running.

777231

Dashboard > FortiView Traffic Shaping page sometimes displays an undefined traffic shaper. This is cosmetic and does not impact functionality.

778513

Forward traffic logs do not show MAC address object name in Device column.

784939

Dashboard > Load Balance Monitor

802834

On the Traffic Shaping > Traffic Shapers tab, the Bandwidth Utilization column indicates zero traffic when there is traffic present.

Workaround: view the traffic on the shaper in the CLI.

806113

The Traffic Shaping Policies edit dialog shows configured reverse shapers as disabled. This is a cosmetic issue and the reverse shaper is configured as defined.

FortiView

Bug ID

Description

765993

Dashboard > FortiView Sources - WAN monitor does not show data for VLAN interface.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

720192

GUI logs out when accessing FortiView monitor page if the VDOM administrator only has ftviewgrp permission.

740508

Bandwidth widget shows incorrect traffic on FG-40F.

746618

Export port link status is not correct on tenant VDOM FortiSwitch Ports page.

755177

When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

763724

After the current session is disconnected, pressing the Enter key does not restart a new session on the GUI CLI console.

774159

Signature not found in IPS database message when editing the IPS profile from the policy.

776969

Unable to select and copy serial number from System Information dashboard widget.

777145

Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch's operation.

Workaround: confirm the FortiSwitch registration status in the FortiCare portal.

778258

Unable to set IP address for IPsec tunnel in the GUI.

778542

Local domain name disappears from the GUI after clicking API Preview.

778932

MAC address name is not displayed in the Device column in the Asset Identity Center.

781310

Policy & Objects > DNAT & Virtual IPs page can take more than 30 seconds to load if there are more than 25 thousand virtual IPs.

783152

Filtering by Status in the SD-WAN widget is not working.

787007

httpsd is crashing without any interaction on the GUI at api_cleanup_cache in api_cmdb_v2_handler.

787550

HTTPSD daemon crashes frequently with signal 6 (aborted) at api_v2_page_result.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

Workaround: use the regular Guest Management page.

788935

GUI is slow to load when CDN is enabled and accessed on a closed network.

799160

Modem 1 Health is incorrectly displayed as Disconnected in the Diagnostics and Tools pane of the FortiExtenders page.

800632

Search bar on Addresses page does not complete loading and return a result when format is <IP>-<number>.

HA

Bug ID

Description

744349

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

752942

When the secondary is being synchronized, the GARP is sent out from the secondary device with the physical MAC address.

764873

FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.

771389

SNMP community name with one extra character at the end still matches when HA is enabled.

771391

HA uptime remains the same after mondev failure.

773901

The dnsproxy daemon is not updating HA management VDOM DNS after it is configured. The secondary also does not update.

775724

Static routes not installed after HA failover.

775837

When upgrading the secondary unit to build 1097 or later, a root.vpn.certificate.local.Fortinet_SSL configuration error appears.

778011

The hasync daemon crashes on FG-80E.

779512

If the interface name is a number, an error occurs when that number is used as an hbdev priority.

779587

When an authentication logon length is longer than the hasync packet length and there is a large number of logons, hasync is busy.

781463

FortiGate does not respond to ARP request for management-ip on interface if the interface IP is changed.

782769

Unable to form HA pair when HA encryption is enabled.

783483

On the System > HA page, Sessions are shown as 0 after upgrading from 7.0.3 to 7.0.4.

786592

Failure in self-pinging towards the management IP.

794707

Get invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP standalone-config-sync.

807322

AWS HA does not update the prefix list in the route table.

Hyperscale

Bug ID

Description

773698

hw-session-sync-dev does not support hyperscale firewall HA hardware session synchronization interface LAGs.

Intrusion Prevention

Bug ID

Description

780194

IPS engine 7.00105 has signal 14 (Alarm clock) crash during stress testing.

784976

IPS engine goes to 100% (at 5 Gbps) on FG-4200F when testing CCS with CPS and throughput when UTM is enabled.

IPsec VPN

Bug ID

Description

735412

IKE HA resynchronizes the synchronized connection without an established IKE SA.

767765

Tooltip in Dashboard > Network > IPsec widget for phase 2 shows a Timeout year of 1970 in Firefox, Chrome, and Edge.

768638

Invalid IP address while creating a VPN IPsec tunnel.

773221

Traffic that goes through IPsec based on a loopback interface cannot be offloaded.

780850

IPsec hub fails to delete selector routes when NAT IP changed and IKE crashed.

781403

IKE is consuming excessive memory.

803686

Tooltip in Dashboard > Network IPsec widget only displays one address for the local and remote addresses of the phase2 selector.

Log & Report

Bug ID

Description

774767

The expected reboot log is missing.

776929

When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.

777008

The syslogd daemon encounters a memory leak.

788724

The secondary FortiGate did not send the logs to the syslog server (sendmmsg failed to send data).

Proxy

Bug ID

Description

747915

Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.

774859

WAD signal 11 Segmentation fault crash occurs at wad_h2_port_read_sync.

776989

In some cases, WAD daemon signal 6 (Aborted) received occurs when adding a VDOM.

782426

WAD crash with signal 11 and signal 6 occurs when performing SAML authentication if the URL size is larger than 3 KB.

783112

FortiGate goes into conserve mode due to high memory usage of the WAD user-info process. The WAD user-info process will query the user count information from the LDAP server every 24 hours. If any of the LDAP query messages are closed by exceptions, there is a memory leak. If obtain-user-info is enabled under config user ldap, this memory leak will be triggered on a daily basis.

Workaround: create an automation stitch to restart the WAD daemon every day to avoid conserve mode.

803136

thumbnailPhoto files are saved in the memory disk with the incorrect hash name.

Routing

Bug ID

Description

717086

External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

771423

BGP route map community attribute cannot be changed from the GUI when there are two 16-byte concatenated versions.

783168

IPv6 secondary network is removed from the routing table after reboot.

788793

Unable to receive BGP routes on redundant tunnel interfaces.

807635

BGP routes hit the wrong route map.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

764825

When the Security Fabric is enabled, logging is not enabled on deny policies.

778511

PPPoE interface is unable to accept Fabric connections.

779181

Security rating Optimization card shows failure for system uptime due to low uptime for FortiAP (less than 24 hours).

788543

Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.

791794

Unable to send alert emails using SMTP TLS in Office 365.

793234

Fabric Management page incorrectly shows some FortiAPs with an unregistered FortiCare status even though the FortiAP is already registered. This is just a display issue and does not impact FortiAP operation.

794703

Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.

795687

On the Fabric Management page, some managed FortiSwitches are not shown.

799832

GCP bearer token is too long for the header in a google-cloud-function automation action.

SSL VPN

Bug ID

Description

486837

SSL VPN with external DHCP servers is not working.

616896

Link in SSL VPN portal to FortiClient iOS redirects to legacy FortiClient 6.0 rather than the latest 6.2.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

760875

SSL VPN PKI users fail to log in when a special character is included in the CN or subject matching field.

763611

If dual-stack is enabled, the user connects to the tunnel with IPv6 and the tunnel is established successfully. When the user tries to access the IPv4 server to upload or download files, the network speed is very slow.

768362

Default resolution for RDP/VNC in SSL VPN web mode cannot be configured.

771162

Unable to access SSL VPN bookmark in web mode.

778031

SSL VPN web mode HTTP throughputs drop over 50%.

782732

Webpages of back-end server behind https://vpn-***.sys***.pl/remote/ could not be displayed in SSL VPN web mode.

786179

Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.

801308

FortiGuard should only provide an installer for FortiClient VPN, instead of the full FortiClient version.

802379

SSL VPN has memory leaks and crashes.

Switch Controller

Bug ID

Description

774848

Bulk MAC address deletions on FortiSwitch randomly cause all wired clients to disconnect at the same time and reconnect.

System

Bug ID

Description

540389

Remote administrator password renewal shows remote token instead of new password (CLI and GUI).

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

679059

The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

699152

QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.

706543

FortiGuard DDNS does not update the IP address when the PPPoE reconnects.

708228

A DNS proxy crash occurs during ssl_ctx_free.

716250

Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.

722781

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If the auto-asic-offload option is disabled in the firewall policy, traffic flows as expected.

738423

Unable to create a hardware switch with no member.

750533

The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.

751044

There is no sensor trap function and related logs on SoC4 platforms.

756139

When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.

758490

The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.

763185

High CPU usage on platforms with low free memory upon IPS engine initialization.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

767778

Kernel panic occurs while adding and deleting LAG members on FG-1101E.

768979

On a FortiGate with many FortiSwitches and FortiAPs, the Device Inventory widget and user-device-store list are empty.

771267

Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.

771442

Discrepancy between session count and number of active sessions; sessions number creeps high, causing high memory utilization.

773067

CLI help text for link monitor failtime and recoverytime range should be (1 - 3600, default = 5).

773702

FortiGate running startup configuration is not saved on flash drive.

774443

SCP restore TCP session does not gracefully close with FIN packet.

777044

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

779523

Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.

783545

Backing up to SFTP does not work when the username contains a period (.).

786255

Cached topology reports cause the FortiGate to run out of flash storage on low-end models.

792544

A request is made to the remote authentication server before checking trusthost.

793401

The fcnacd process keeps using 99% CPU.

798091

After upgrading from 6.4.9 to 7.0.5, the FG-110xE's 1000M SFP interface may fail to auto-negotiate and cannot be up due to the missed auto-negotiation.

799255

Any configuration change on FG-2601F causes a cmbdr crash with signal 6 and traffic to stop flowing.

800333

DoS offload does not work and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.

801477

Disabling forward error correction is not working on FG-3500F.

802917

PPPoE virtual tunnel drops traffic after logon credentials are changed.

Upgrade

Bug ID

Description

754180

MAC address group is missing in the configuration after upgrading if it has members with other address groups that come behind the current one.

User & Authentication

Bug ID

Description

667150

Add GUI support for FortiToken Mobile push notification and FortiToken Cloud based on two-factor authentication, which is already supported by authd.

749488

On an HA standby device, certain certificates (such as Fortinet_CA_SSL) regenerate by themselves when trying to edit them in CLI. This also causes issues when backing up configurations on the standby device.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

781992

fssod crashes with signal 11 on logon_dns_callback.

790941

When logged in with an administrator profile using a wildcard RADIUS user, creating a new dashboard widget fails.

808884

Device information is not fully detected on NP7.

VM

Bug ID

Description

774599

FG-VM64 with specific configuration halted while upgrading from 7.0.2.

782073

IBM HA is unable to fail over route properly when route table has a delegate VPC route.

789223

Azure China uses the wrong API endpoint to get metadata after secondary becomes the new primary.

WAN Optimization

Bug ID

Description

728861

HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used.

Workaround: set wanopt to automatic mode, or set transparent disable in the wanopt profile.

Web Filter

Bug ID

Description

798557

When a new URL filter entry is created and the list is re-ordered, the list position is not maintained.

Workaround: save changes after creating the new URL filter entry, re-order the list, and save the changes again.

WiFi Controller

Bug ID

Description

745642

Consider not generating rogue AP logs once a certain AP has been marked as accepted.

750425

In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to 0.0.0.0 after using the FortiGate address.

757189

A batch of APs in a cluster report control messages indicating that the maximal retransmission limit was reached, and the APs disconnect from the FortiGate.

775157

A packet with the wrong IP header could not be processed by the CAPWAP driver, which randomly causes the FortiGate to reboot.

776576

FortiAP upgrade panel still prompts to upgrade to latest firmware, even when FortiAP is operating latest firmware.

780732

Unable to import MPSK keys in the GUI (CSV file into an SSID). An Invalid file content error appears.

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

783209

The arrp-profile table cannot be purged if no entry is in use.

790367

FWF-60F has kernel panic and reboots by itself every few hours.

791761

CAPWAP tunnel traffic over WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.

792738

The cw_acd process uses high CPU, which causes issues for FortiAP connecting with CAPWAP.

ZTNA

Bug ID

Description

770877

Traffic was blocked by mismatched ZTNA EMS tags in a forwarding firewall policy.

777669

The secondary IP address in the EMS dynamic address table does not match the expected policy.

799530

Found wad crash at wad_sched.c upon device tag matching.

802715

ZTNA failed to match the policy when a tag is found for an endpoint in the EMS response.

Known issues

The following issues have been identified in version 7.0.5. For inquires about a particular bug or to report a bug, please contact Customer Service & Support.

Endpoint Control

Bug ID

Description

730767

The new HA primary FortiGate cannot get EMS Cloud information when HA switches over.

Workaround: delete the EMS Cloud entry then add it back.

776447

When a new device first connects to the EMS server with a customized certificate, the wrong slide-in pane appears in the GUI.

777294

Fabric connection failure between EMS and FortiOS.

793162

Sometimes the FortiGate fails to resolve a FortiClient MAC or IP in the firewall dynamic address table.

Explicit Proxy

Bug ID

Description

771152

GUI does not display Source Address field when using a proxy address group in authentication rules.

774442

WAD is NATting to the wrong IP pool address for the interface.

778339

Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.

780211

diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.

Firewall

Bug ID

Description

775783

Get httpsd signal 11 crash when inline editing custom service from policy list page with FortiGate support tool running.

777231

Dashboard > FortiView Traffic Shaping page sometimes displays an undefined traffic shaper. This is cosmetic and does not impact functionality.

778513

Forward traffic logs do not show MAC address object name in Device column.

784939

Dashboard > Load Balance Monitor

802834

On the Traffic Shaping > Traffic Shapers tab, the Bandwidth Utilization column indicates zero traffic when there is traffic present.

Workaround: view the traffic on the shaper in the CLI.

806113

The Traffic Shaping Policies edit dialog shows configured reverse shapers as disabled. This is a cosmetic issue and the reverse shaper is configured as defined.

FortiView

Bug ID

Description

765993

Dashboard > FortiView Sources - WAN monitor does not show data for VLAN interface.

GUI

Bug ID

Description

440197

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

685431

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

Workaround: use the CLI to configure policies.

707589

System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed.

708005

When using the SSL VPN web portal in the Firefox, users cannot paste text into the SSH terminal emulator.

Workaround: use Chrome, Edge, or Safari as the browser.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

720192

GUI logs out when accessing FortiView monitor page if the VDOM administrator only has ftviewgrp permission.

740508

Bandwidth widget shows incorrect traffic on FG-40F.

746618

Export port link status is not correct on tenant VDOM FortiSwitch Ports page.

755177

When upgrade firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path.

763724

After the current session is disconnected, pressing the Enter key does not restart a new session on the GUI CLI console.

774159

Signature not found in IPS database message when editing the IPS profile from the policy.

776969

Unable to select and copy serial number from System Information dashboard widget.

777145

Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch's operation.

Workaround: confirm the FortiSwitch registration status in the FortiCare portal.

778258

Unable to set IP address for IPsec tunnel in the GUI.

778542

Local domain name disappears from the GUI after clicking API Preview.

778932

MAC address name is not displayed in the Device column in the Asset Identity Center.

781310

Policy & Objects > DNAT & Virtual IPs page can take more than 30 seconds to load if there are more than 25 thousand virtual IPs.

783152

Filtering by Status in the SD-WAN widget is not working.

787007

httpsd is crashing without any interaction on the GUI at api_cleanup_cache in api_cmdb_v2_handler.

787550

HTTPSD daemon crashes frequently with signal 6 (aborted) at api_v2_page_result.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

Workaround: use the regular Guest Management page.

788935

GUI is slow to load when CDN is enabled and accessed on a closed network.

799160

Modem 1 Health is incorrectly displayed as Disconnected in the Diagnostics and Tools pane of the FortiExtenders page.

800632

Search bar on Addresses page does not complete loading and return a result when format is <IP>-<number>.

HA

Bug ID

Description

744349

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

752942

When the secondary is being synchronized, the GARP is sent out from the secondary device with the physical MAC address.

764873

FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.

771389

SNMP community name with one extra character at the end stills matches when HA is enabled.

771391

HA uptime remains the same after mondev failure.

773901

The dnsproxy daemon is not updating HA management VDOM DNS after it is configured. The secondary also does not update.

775724

Static routes not installed after HA failover.

775837

When upgrading the secondary unit to build 1097 or later, a root.vpn.certificate.local.Fortinet_SSL configuration error appears.

778011

The hasync daemon crashes on FG-80E.

779512

If the interface name is a number, an error occurs when that number is used as an hbdev priority.

779587

When an authentication log on length is longer than the hasync packet length and when there is a large number of logons, hasync is busy.

781463

FortiGate does not respond to ARP request for management-ip on interface if the interface IP is changed.

782769

Unable to form HA pair when HA encryption is enabled.

783483

On the System > HA page, Sessions are shown as 0 after upgrading from 7.0.3 to 7.0.4.

786592

Failure in self-pinging towards the management IP.

794707

Get invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP standalone-config-sync.

807322

AWS HA does not update the prefix list in the route table.

Hyperscale

Bug ID

Description

773698

hw-session-sync-dev does not support hyperscale firewall HA hardware session synchronization interface LAGs.

Intrusion Prevention

Bug ID

Description

780194

IPS engine 7.00105 has signal 14 (Alarm clock) crash during stress testing.

784976

IPS engine goes to 100% (at 5 Gbps) on FG-4200F when testing CCS with CPS and throughput when UTM is enabled.

IPsec VPN

Bug ID

Description

735412

IKE HA resynchronizes the synchronized connection without an established IKE SA.

767765

Tooltip in Dashboard > Network > IPsecwidget for phase 2 shows a Timeout year of 1970 in Firefox, Chrome, and Edge.

768638

Invalid IP address while creating a VPN IPsec tunnel.

773221

Traffic that goes through IPsec based on a loopback interface cannot be offloaded.

780850

IPsec hub fails to delete selector routes when NAT IP changed and IKE crashed.

781403

IKE is consuming excessive memory.

803686

Tooltip in Dashboard > Network IPsec widget only displays one address for the local and remote addresses of the phase2 selector.

Log & Report

Bug ID

Description

774767

The expected reboot log is missing.

776929

When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.

777008

The syslogd daemon encounters a memory leak.

788724

The secondary FortiGate did not send the logs to the syslog server (sendmmsg failed to send data).

Proxy

Bug ID

Description

747915

Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.

774859

WAD signal 11 Segmentation fault crash occurs at wad_h2_port_read_sync.

776989

In some cases, WAD daemon signal 6 (Aborted) received occurs when adding a VDOM.

782426

WAD crash with signal 11 and signal 6 occurs when performing SAML authentication if the URL size is larger than 3 KB.

783112

FortiGate goes into conserve mode due to high memory usage of WAD user-info process. The WAD user-info process will query the user count information from the LDAP server every 24 hours. If any of the LDAP query messages are closed by exceptions, there is a memory leak. If obtain-user-info is enabled under config user ldap, this memory leak will be triggered on daily basis.

Workaround: create an automation stitch to restart the WAD daemon every day to avoid conserve mode.

803136

thumbnailPhoto files are saved in the memory disk with the incorrect hash name.

Routing

Bug ID

Description

717086

External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.

745856

The default SD-WAN route for the LTE wwan interface is not created.

Workaround: add a random gateway to the wwan member.

config system sdwan
    config members
        edit 2
            set interface "wwan"
            set gateway 10.198.58.58
            set priority 100
        next
    end
end

771423

BGP route map community attribute cannot be changed from the GUI when there are two 16-byte concatenated versions.

783168

IPv6 secondary network is removed from the routing table after reboot.

788793

Unable to receive BGP routes on redundant tunnel interfaces.

807635

BGP routes hit the wrong route map.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

764825

When the Security Fabric is enabled, logging is not enabled on deny policies.

778511

PPPoE interface is unable to accept Fabric connections.

779181

Security rating Optimization card shows failure for system uptime due to low uptime for FortiAP (less than 24 hours).

788543

Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.

791794

Unable to send alert emails using SMTP TLS in Office 365.

793234

Fabric Management page incorrectly shows some FortiAPs with an unregistered FortiCare status even though the FortiAP is already registered. This is just a display issue and does not impact FortiAP operation.

794703

Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results.

795687

On the Fabric Management page, some managed FortiSwitches are not shown.

799832

GCP bearer token is too long for the header in a google-cloud-function automation action.

SSL VPN

Bug ID

Description

486837

SSL VPN with external DHCP servers is not working.

616896

Link in SSL VPN portal to FortiClient iOS redirects to legacy FortiClient 6.0 rather than the latest 6.2.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

760875

SSL VPN PKI users fail to log in when a special character is included in the CN or subject matching field.

763611

If dual-stack is enabled, the user connects to the tunnel with IPv6 and the tunnel is established successfully. When the user tries to access the IPv4 server to upload or download files, the network speed is very slow.

768362

Default resolution for RDP/VNC in SSL VPN web mode cannot be configured.

771162

Unable to access SSL VPN bookmark in web mode.

778031

SSL VPN web mode HTTP throughput drops by over 50%.

782732

Webpages of back-end server behind https://vpn-***.sys***.pl/remote/ could not be displayed in SSL VPN web mode.

786179

Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.

801308

FortiGuard should only provide an installer for FortiClient VPN, instead of the full FortiClient version.

802379

SSL VPN has memory leaks and crashes.

Switch Controller

Bug ID

Description

774848

Bulk MAC address deletions on FortiSwitch randomly cause all wired clients to disconnect at the same time and reconnect.

System

Bug ID

Description

540389

Remote administrator password renewal shows remote token instead of new password (CLI and GUI).

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

679059

The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

699152

QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.

706543

FortiGuard DDNS does not update the IP address when the PPPoE reconnects.

708228

A DNS proxy crash occurs during ssl_ctx_free.

716250

Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.

722781

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If the auto-asic-offload option is disabled in the firewall policy, traffic flows as expected.

738423

Unable to create a hardware switch with no member.

750533

The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.

751044

There is no sensor trap function and related logs on SoC4 platforms.

756139

When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.

758490

The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.

763185

High CPU usage on platforms with low free memory upon IPS engine initialization.

764252

On FG-100F, no event is raised for PSU failure and the diagnostic command is not available.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

767778

Kernel panic occurs while adding and deleting LAG members on FG-1101E.

768979

On a FortiGate with many FortiSwitches and FortiAPs, the Device Inventory widget and user-device-store list are empty.

771267

Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.

771442

Discrepancy between session count and number of active sessions; the number of sessions creeps high, causing high memory utilization.

773067

CLI help text for link monitor failtime and recoverytime range should be (1 - 3600, default = 5).

773702

FortiGate running startup configuration is not saved on flash drive.

774443

SCP restore TCP session does not gracefully close with FIN packet.

777044

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

779523

Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.

783545

Backing up to SFTP does not work when the username contains a period (.).

786255

Cached topology reports cause the FortiGate to run out of flash storage on low-end models.

792544

A request is made to the remote authentication server before checking trusthost.

793401

The fcnacd process keeps using 99% CPU.

798091

After upgrading from 6.4.9 to 7.0.5, the FG-110xE's 1000M SFP interface may fail to auto-negotiate and cannot come up due to the missed auto-negotiation.

799255

Any configuration change on FG-2601F causes a cmbdr crash with signal 6 and traffic to stop flowing.

800333

DoS offload does not work and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.

801477

Disabling forward error correction is not working on FG-3500F.

802917

PPPoE virtual tunnel drops traffic after logon credentials are changed.

Upgrade

Bug ID

Description

754180

MAC address group is missing in the configuration after upgrading if it has members with other address groups that come behind the current one.

User & Authentication

Bug ID

Description

667150

Add GUI support for FortiToken Mobile push notification and FortiToken Cloud based on two-factor authentication, which is already supported by authd.

749488

On an HA standby device, certain certificates (such as Fortinet_CA_SSL) regenerate by themselves when trying to edit them in CLI. This also causes issues when backing up configurations on the standby device.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

781992

fssod crashes with signal 11 on logon_dns_callback.

790941

When logged in with an administrator profile using a wildcard RADIUS user, creating a new dashboard widget fails.

808884

Device information is not fully detected on NP7.

VM

Bug ID

Description

774599

FG-VM64 with specific configuration halted while upgrading from 7.0.2.

782073

IBM HA is unable to fail over route properly when route table has a delegate VPC route.

789223

Azure China uses the wrong API endpoint to get metadata after secondary becomes the new primary.

WAN Optimization

Bug ID

Description

728861

HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used.

Workaround: set wanopt to automatic mode, or set transparent disable in the wanopt profile.

Web Filter

Bug ID

Description

798557

When a new URL filter entry is created and the list is re-ordered, the list position is not maintained.

Workaround: save changes after creating the new URL filter entry, re-order the list, and save the changes again.

WiFi Controller

Bug ID

Description

745642

Consider not generating rogue AP logs once a certain AP has been marked as accepted.

750425

In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to 0.0.0.0 after using the FortiGate address.

757189

A batch of APs in a cluster exhibit control messages indicating that the maximal retransmission limit was reached, and the APs disconnect from the FortiGate.

775157

A packet with the wrong IP header could not be processed by the CAPWAP driver, which randomly causes the FortiGate to reboot.

776576

FortiAP upgrade panel still prompts to upgrade to the latest firmware, even when the FortiAP is running the latest firmware.

780732

Unable to import MPSK keys in the GUI (CSV file into an SSID). An Invalid file content error appears.

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

783209

The arrp-profile table cannot be purged if no entry is in use.

790367

FWF-60F has kernel panic and reboots by itself every few hours.

791761

CAPWAP tunnel traffic over WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.

792738

The cw_acd process uses high CPU, which causes issues for FortiAP connecting with CAPWAP.

ZTNA

Bug ID

Description

770877

Traffic was blocked by mismatched ZTNA EMS tags in a forwarding firewall policy.

777669

The secondary IP address in the EMS dynamic address table does not match the expected policy.

799530

Found wad crash at wad_sched.c upon device tag matching.

802715

ZTNA failed to match the policy when a tag is found for an endpoint in the EMS response.