
Known issues

The following issues have been identified in version 7.0.6. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

| Bug ID | Description |
| --- | --- |
| 727067 | FortiGate should fix the interface between FortiGate and FortiAnalyzer for the CDR file. |
| 795784 | Able to bypass FortiOS AV inspection on email traffic when manipulating a MIME attachment with junk and pad characters in Base64. |
| 800731 | Flow AV sends HTML files to the FortiGate Cloud Sandbox every time when HTML is not configured in file list. |
| 805655 | A scanunit crash with signal 11 occurs for SMTP and QP encoding. |

Endpoint Control

| Bug ID | Description |
| --- | --- |
| 730767 | The new HA primary FortiGate cannot get EMS Cloud information when HA switches over. Workaround: delete the EMS Cloud entry then add it back. |
| 775742 | Upgrade EMS tags to include classification and severity to guarantee uniqueness. |

Firewall

| Bug ID | Description |
| --- | --- |
| 824091 | Promethean Screen Share (multicast) is not working on the member interfaces of a software switch. |

FortiView

| Bug ID | Description |
| --- | --- |
| 804177 | When setting the time period to now filter, the table cannot be filtered by policy type. |
| 811095 | Threat type N/A - Static URL Filter is showing on sources that do not have the URL filter enabled. |

GUI

| Bug ID | Description |
| --- | --- |
| 440197 | On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly. |
| 677806 | On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status. |
| 685431 | On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies. Workaround: use the CLI to configure policies. |
| 707589 | System > Certificates list sometimes shows an incorrect reference count for a certificate, and incorrectly allows a user to delete a referenced certificate. The deletion will fail even though a success message is shown. Users should be able to delete the certificate after all references are removed. |
| 708005 | When using the SSL VPN web portal in Firefox, users cannot paste text into the SSH terminal emulator. Workaround: use Chrome, Edge, or Safari as the browser. |
| 749843 | Bandwidth widget does not display traffic information for VLAN interfaces when a large number of VLAN interfaces are configured. |
| 755177 | When upgrading firmware from 7.0.1 to 7.0.2, the GUI incorrectly displays a warning saying this is not a valid upgrade path. |
| 777145 | Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch's operation. Workaround: confirm the FortiSwitch registration status in the FortiCare portal. |
| 798161 | System > Certificates page keeps spinning when trying to access it from Safari. |
| 810225 | An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms. |
| 831885 | Unable to access GUI via HA management interface of secondary unit. |

HA

| Bug ID | Description |
| --- | --- |
| 750978 | Interface link status of HA members goes down when cfg-revert tries to reboot post cfg-revert-timeout. |
| 782734 | Cluster is out-of-sync due to switch controller managed switch checksum mismatch. |
| 785514 | In some situations, the fgfmd daemon is blocked by a query to the HA secondary checksum, which causes the tunnel between the FortiManager and FortiGate to go down. |
| 803354 | After HA-AP failover, the FortiExtender WAN interface of the new primary cannot get the LTE IP address from FortiExtender. |
| 810286 | FGSP local sessions exist after rebooting an HA pair with A-P mode, and the HW SSE/session count is incorrect. |
| 811535 | HA failure occurs on pair of FG-2600s due to packet loss on heartbeat interface. |
| 830463 | After shutting down the HA primary unit and then restarting it, the uptime for both nodes is zero, and it fails back to the former primary unit. |

Hyperscale

| Bug ID | Description |
| --- | --- |
| 804742 | After changing hyperscale firewall policies, it may take longer than expected for the policy changes to be applied to traffic. The delay occurs because the hyperscale firewall policy engine enhancements added to FortiOS 7.0.6 may cause the FortiGate to take extra time to compile firewall policy changes and generate a new policy set that can be applied to traffic by NP7 processors. The delay is affected by hyperscale policy set complexity, the total number of established sessions to be re-evaluated, and the rate of receiving new sessions. |
| 805846 | In the FortiOS MIB files, the trap fields fgFwIppStatsGroupName and fgFwIppStatsInusePBAs have the same OID. As a result, the fgFwIppStatsInusePBAs field always returns a value of 0. |
| 807476 | After packets go through host interface TX/RX queues, some packet buffers can still hold references to a VDOM when the host queues are idle. This causes a VDOM delete error with unregister_vf. If more packets go through the same host queues for other VDOMs, the issue should resolve by itself because those buffers holding the VDOM reference can be pushed and get freed and recycled. |
| 810025 | Using EIF to support hairpinning does not work for NAT64 sessions. |
| 810379 | Creating an access control list (ACL) policy on a FortiGate with NP7 processors causes the npd process to crash. |
| 811109 | FortiGate 4200F, 4201F, 4400F, and 4401F HA1, HA2, AUX1, and AUX2 interfaces cannot be added to an LAG. |
| 812833 | FortiGate still holds npu-log-server related configuration after removing hyperscale license. |
| 837270 | Disabling Block intra-zone traffic in a zone does not allow TCP/UDP traffic between interfaces of a zone. |

IPsec VPN

| Bug ID | Description |
| --- | --- |
| 761754 | IPsec aggregate static route is not marked inactive if the IPsec aggregate is down. |
| 790486 | Support IPsec FGSP per tunnel failover. |
| 810988 | GUI does not allow IP overlap for a tunnel interface when allow-subnet-overlap is enabled (CLI allows it). |
| 815253 | NP7 offloaded egress ESP traffic that was not sent out of the FortiGate. |
| 815969 | Cannot apply dialup IPsec VPN settings modifications in the GUI when net-device is disabled. |

Log & Report

| Bug ID | Description |
| --- | --- |
| 790893 | Logging filters do not work as expected. |
| 814427 | FortiGate error in FortiAnalyzer connectivity test on secondary device after upgrade. |
| 821359 | FortiGate appears to have a limitation in the syslogd filter configuration. |

Proxy

| Bug ID | Description |
| --- | --- |
| 768278 | WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out. |
| 793651 | An expired certificate can be chosen when creating an SSL/SSH profile for deep inspection. |
| 809346 | FTPS helper is not opening pinholes for expected traffic for non-standard ports. |
| 823247 | WAD user_info process leaks memory. |

Routing

| Bug ID | Description |
| --- | --- |
| 756955 | Routing table does not reflect the new changes for the static route until the routing process is restarted when cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies. |
| 795213 | On the Network > SD-WAN page, adding a named static route to an SD-WAN zone creates a default blackhole route. |
| 796070 | Incorrect SD-WAN kernel routes are used on the secondary device. |
| 796409 | GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load. |
| 808840 | After cloning a static route, the URL gets stuck with "clone=true". |

Security Fabric

| Bug ID | Description |
| --- | --- |
| 614691 | Slow GUI performance in large Fabric topology with over 50 downstream devices. |
| 794703 | Security Rating report for Rogue AP Detection and FortiCare Support checks show incorrect results. |
| 803600 | Automation stitch for a scheduled backup is not working. |
| 814796 | The threat level threshold in the compromised host trigger does not work. |
| 815984 | Azure SDN connector has a 403 error when the AZD restarts. |

SSL VPN

| Bug ID | Description |
| --- | --- |
| 626311 | SSL VPN users are remaining logged on past the auth-timeout value. |
| 767832 | After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage. |
| 780765 | High CPU usage in SSL VPN using libssh2. |
| 789642 | Unable to load Grafana application through SSL VPN web mode. |
| 796768 | SSL VPN RDP is unable to connect to load-balanced VMs. |
| 809209 | SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time. |
| 809473 | When sslvpnd debugs are enabled, the SSL VPN process crashes more often. |
| 810715 | Web application is not loading in the SSL VPN web mode. |
| 811007 | The auto-generated URL on the VPN > SSL-VPN Settings page shows the management IP of the FortiGate instead of the SSL VPN interface port IP as defined on the VPN > SSL-VPN Realms page when a realm is created. |
| 811492 | SSL VPN should not leak information while performing Telnet. |
| 814040 | SSL VPN bookmark configuration is added automatically after client logs in to web mode. |
| 814708 | The same SAML user failed to establish a tunnel when a stale web session exists with limit-user-logins enabled. |
| 816716 | sslvpnd crashed when deleting a VLAN interface. |
| 816881 | TX packet loss on ssl.root interface. |
| 817843 | Logging out of SSL VPN tunnel mode does not clear the authenticated list. |
| 819296 | GUI should not use <server_ip> as a sender to send the SSL VPN configuration (it should use value set in reply-to). |

Switch Controller

| Bug ID | Description |
| --- | --- |
| 794026 | FortiGates quarantines are stuck at 256. |
| 803307 | The Enable STP security control description should be reworded to mention that Edge ports should have STP enabled once the network topology is stable. |
| 805154 | Switch controller preconfiguration of FortiSwitch 108F-POE is incorrect. |
| 810550 | Send DHCP/ARP packet failed, and get errno = 6 in log when config-sync runs. |

System

| Bug ID | Description |
| --- | --- |
| 724085 | Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If auto-asic-offload is disabled in the firewall policy, then the traffic flows as expected. |
| 751870 | User should be disallowed from sending an alert email from a customized address if the email security compliance check fails. |
| 764252 | On FG-100F, no event is raised for PSU failure and the diagnostic command is not available. |
| 764954 | FortiAnalyzer serial number automatically learned from miglogd does not send it to FortiManager through the automatic update. |
| 787595 | FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration. |
| 789153 | A profile with higher privileges than the user's own profile can be set. |
| 798091 | After upgrading from 6.4.9 to 7.0.5, the FG-110xE's 1000M SFP interface may fail to auto-negotiate and cannot be up due to the missed auto-negotiation. |
| 798303 | The threshold for conserve mode is lowered. |
| 800294 | Interface migration wizard fails to migrate interfaces when VLANs have dependencies within dependencies. |
| 801053 | FG-1800F existing hardware switch configuration fails after upgrading. |
| 807947 | Unable to create new interface and VDOM link with names that contain spaces. |
| 813223 | Random kernel panic occurs due to calling timer_setup. |
| 815360 | NP7 platforms may encounter a kernel panic when deleting more than two hardware switches at the same time. |
| 819640 | SSH public key changes after every reboot. |
| 824464 | CMDB checksum is not updated when a certificate is renewed over CMP, causing a FortiManager failure to synchronize with the certificate. |

Upgrade

| Bug ID | Description |
| --- | --- |
| 803041 | Link lights on the FG-1100E fail to come up and are inoperative after upgrading. |

User & Authentication

| Bug ID | Description |
| --- | --- |
| 813407 | Captive portal authentication with RADIUS user group truncates the token code to eight characters. |

VM

| Bug ID | Description |
| --- | --- |
| 786278 | Bandwidth usage is not shown when DPDK is enabled. |
| 803219 | Azure SDN connector might miss dynamic IP addresses due to only the first page of the network interface being processed. |
| 809963 | Get cmdbsvr crash on FG-KVM32 after running concurrent performance test. |

WAN Optimization

| Bug ID | Description |
| --- | --- |
| 728861 | HTTP/HTTPS traffic cannot go through when wanopt is set to manual mode and an external proxy is used. Workaround: set wanopt to automatic mode, or set transparent disable in the wanopt profile. |

Web Filter

| Bug ID | Description |
| --- | --- |
| 766126 | Block replacement page is not pushed automatically to replace the video content when using a video filter. |

WiFi Controller

| Bug ID | Description |
| --- | --- |
| 796036 | Manual quarantine for wireless client connected to SSID on multi-VDOM with wtp-share does not work. |
| 807713 | FortiGate is not sending RADIUS accounting message consistently to RADIUS server for wireless SSO. |
| 809623 | CAPWAP traffic is dropped when capwap-offloading is enabled. |
| 811953 | Configuration installation from FortiManager breaks the quarantine setting, and the VAP becomes undeletable. |
| 821803 | Wireless multicast traffic causes the cw_acd process to have high CPU usage and triggers a hostapd crash. |
