Resolved issues

The following issues have been fixed in version 7.0.6. For inquiries about a particular bug, please contact Customer Service & Support.

Application Control

Bug ID    Description
787130    Application control does not block FTP traffic on an explicit proxy.

DNS Filter

Bug ID    Description
692482    DNS filter forwards the DNS status code 1 FormErr as status code 2 ServFail in cases where the redirect server responses have no question section.
744572    In multi-VDOM with default system fortiguard configuration, the DNS filter does not work for the non-management VDOM.
796052    If local-in and transparent requests are hashed into the same local ID list, when the DNS proxy receives a response, it finds the wrong query for requests with the same ID and domain.

Endpoint Control

Bug ID    Description
776447    When a new device first connects to the EMS server with a customized certificate, the wrong slide-in pane appears in the GUI.
777294    Fabric connection failure between EMS and FortiOS.
793162    Sometimes the FortiGate fails to resolve a FortiClient MAC or IP in the firewall dynamic address table.

Explicit Proxy

Bug ID    Description
754191    Websites are not accessible if the certificate-inspection SSL-SSH profile is set in a proxy policy.
765761    Firewall with forward proxy and UTM enabled sends the TLS probe with the forward proxy IP instead of the real server IP.
766127    PAC file download fails with an incorrect service error after upgrading to 7.0.2.
767951    Explicit web proxy does not bypass ICAP server inspection when the ICAP server is unreachable.
771152    GUI does not display the Source Address field when using a proxy address group in authentication rules.
774442    WAD is NATting to the wrong IP pool address for the interface.
778339    Improve the logic of removing the HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.
780211    The diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.
783946    Explicit proxy policy does not deny the request for a ClearPass object if it is used as a source.
785342    FortiGate explicit proxy does not work with SOCKS4a.
796364    Renaming a ClearPass dynamic address object that is configured in a proxy policy causes the address not to be matched.
801602    In agentless NTLM authentication, the source IP in user domain-controller is not applied.

Firewall

Bug ID    Description
599638    The established session count is unexpected, and diagnose firewall iprope clear does not work as expected.
644638    Policy with a Tor exit node as the source is not blocking traffic coming from Tor.
724145    Expiration timer of an expectation session may show a negative number.
744888    FortiGate drops SERVER HELLO when accessing some TLS 1.3 websites using a flow-based policy with SSL deep inspection.
752784    Packet is dropped due to the wrong UDP header length. The NP6XLite driver and kernel drop the packet because of the transport header check.
761494    HTTP persistence is not working for HTTP cookie and SSL session ID for the round-robin load balancer.
767294    The match-vip option is only useful for deny policies; however, its flag is not cleared after changing the policy action from deny to accept. When a policy uses a mapped FQDN VIP, the destination field of the iprope policy accepts the full IP range.
770541    There is a delay opening firewall, DoS, and traffic shaping policies in the GUI.
770668    The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.
775783    httpsd crashes with signal 11 when inline editing a custom service from the policy list page while the FortiGate support tool is running.
777231    Dashboard > FortiView Traffic Shaping page sometimes displays an undefined traffic shaper. This is cosmetic and does not impact functionality.
778513    Forward traffic logs do not show the MAC address object name in the Device column.
779902    FortiGate policy lookup does not work as expected (in the GUI and CLI) when the destination interface is a loopback interface.
784939    Dashboard > Load Balance Monitor is not loading in 7.0.4 and 7.0.5.
791735    The number of sessions in session_count does not match the output from diagnose sys session full-stat.
797017    The FortiGate does not refresh the iprope group for central SNAT policies after moving a newly created SNAT policy.
797318    NAT64 is not forwarding traffic to the destination IP.
802834    On the Traffic Shaping > Traffic Shapers tab, the Bandwidth Utilization column indicates zero traffic when there is traffic present.
803270    Unexpected value for session_count appears.
806113    The Traffic Shaping Policies edit dialog shows configured reverse shapers as disabled. This is a cosmetic issue and the reverse shaper is configured as defined.
806904    IPv6 sources with the same 32-bit prefix always NAT to the same IPv4 address.

FortiView

Bug ID    Description
765993    Dashboard > FortiView Sources - WAN monitor does not show data for a VLAN interface.

GUI

Bug ID    Description
630216    A user can browse HA secondary logs in the GUI, but when a user downloads these logs, it is the primary FortiGate logs instead.
713529    When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.
720192    GUI logs out when accessing the FortiView monitor page if the VDOM administrator only has ftviewgrp permission.
740508    Bandwidth widget shows incorrect traffic on FG-40F.
746618    Export port link status is not correct on the tenant VDOM FortiSwitch Ports page.
763724    After the current session is disconnected, pressing the Enter key does not restart a new session on the GUI CLI console.
774159    A Signature not found in IPS database message appears when editing the IPS profile from the policy.
776969    Unable to select and copy the serial number from the System Information dashboard widget.
778258    Unable to set the IP address for an IPsec tunnel in the GUI.
778542    Local domain name disappears from the GUI after clicking API Preview.
778932    MAC address name is not displayed in the Device column in the Asset Identity Center.
781310    Policy & Objects > DNAT & Virtual IPs page can take more than 30 seconds to load if there are more than 25 thousand virtual IPs.
783152    Filtering by Status in the SD-WAN widget is not working.
787007    httpsd is crashing without any interaction on the GUI at api_cleanup_cache in api_cmdb_v2_handler.
787550    HTTPSD daemon crashes frequently with signal 6 (aborted) at api_v2_page_result.
787565    When logged in as a guest management administrator, the custom image shows as empty on the user information printout.
788935    GUI is slow to load when CDN is enabled and accessed on a closed network.
792045    FortiGate failed to view matched endpoints after viewing them successfully several times.
799160    Modem 1 Health is incorrectly displayed as Disconnected in the Diagnostics and Tools pane of the FortiExtenders page.
800632    Search bar on the Addresses page does not complete loading and return a result when the format is <IP>-<number>.

HA

Bug ID    Description
664929    The hatalk process crashed when creating a disabled VLAN interface in an A-P cluster.
683584    The hasync process crashed because the write buffer offset is not validated before using it.
683628    The hasync process crashes often with signal 11 in cases when a CMDB mmap file is deleted and some processes still mmap the old file.
714788    Uninterruptible upgrade might be broken in large-scale environments.
744349    Unable to connect to FortiSandbox Cloud through proxy from the secondary node in an HA cluster.
751072    HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.
752942    When the secondary is being synchronized, the GARP is sent out from the secondary device with the physical MAC address.
763214    Firmware upgrade fails when the bandwidth between hbdev is reduced to 26 Mbps and lower (Check image file integrity error!).
764873    FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.
765619    HA desynchronizes after a user from a read-only administrator group logs in.
771389    SNMP community name with one extra character at the end still matches when HA is enabled.
771391    HA uptime remains the same after mondev failure.
773901    The dnsproxy daemon is not updating HA management VDOM DNS after it is configured. The secondary also does not update.
775724    Static routes are not installed after HA failover.
775837    When upgrading the secondary unit to build 1097 or later, a root.vpn.certificate.local.Fortinet_SSL configuration error appears.
778011    The hasync daemon crashes on FG-80E.
779180    FGSP does not synchronize the helper-pmap expectation session.
779512    If the interface name is a number, an error occurs when that number is used as an hbdev priority.
779587    When an authentication logon is longer than the hasync packet length and there is a large number of logons, hasync is busy.
781463    FortiGate does not respond to ARP requests for the management-ip on an interface if the interface IP is changed.
782769    Unable to form an HA pair when HA encryption is enabled.
783483    On the System > HA page, Sessions are shown as 0 after upgrading from 7.0.3 to 7.0.4.
786592    Failure in self-pinging towards the management IP.
791397    HA secondary address CMDB synchronizes incorrectly for EMS dynamic tags.
794707    An invalid IP address is returned when creating a firewall object in the CLI, and it is synchronized to the secondary in FGSP standalone-config-sync.
801872    Unexpected HA failover on an AWS A-P cluster when ipsec-soft-dec-async is enabled.
803697    The ha-mgmt-interface stops using the configured gateway6.
807322    AWS HA does not update the prefix list in the route table.

Hyperscale

Bug ID    Description
773698    hw-session-sync-dev does not support hyperscale firewall HA hardware session synchronization interface LAGs.
807523    On NP7 platforms the config system npu option for nat46-force-ipv4-packet-forwarding is missing.

Intrusion Prevention

Bug ID    Description
698247    Flow mode web filter ovrd crashes and socket leaks occur in the IPS daemon.
715360    Each time an AV database update occurs (scheduled or manually triggered), the IPS engine restarts on the SLBC secondary blade.
721916    On SoC4 platforms, when HWDOS is enabled and the anomaly action is set to block, the FortiGate does not block sessions that exceed the threshold in the DoS policy.
751027    FortiGate can only collect up to 128 packets when detected by a signature.
755859    The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.
775696    Each time an AV database update occurs (scheduled or manual), the IPS engine restarts on the SLBC secondary blade. This stops UTM analysis for sessions affected by that blade.
780194    IPS engine 7.00105 has a signal 14 (Alarm clock) crash during stress testing.
784976    IPS engine goes to 100% (at 5 Gbps) on FG-4200F when testing CCS with CPS and throughput when UTM is enabled.

IPsec VPN

Bug ID    Description
735412    IKE HA resynchronizes the synchronized connection without an established IKE SA.
749509    IPsec traffic is dropped due to anti-replay after HA failover.
767765    Tooltip in the Dashboard > Network > IPsec widget for phase 2 shows a Timeout year of 1970 in Firefox, Chrome, and Edge.
768638    Invalid IP address while creating a VPN IPsec tunnel.
770354    L2TP over IPsec stopped encrypting traffic after upgrading from 6.4 to 7.0.2.
771935    Offloaded transit ESP is dropped in one direction until the session is deleted.
773221    Traffic that goes through IPsec based on a loopback interface cannot be offloaded.
773313    FG-40F-3G4G with the WWAN DHCP interface set as an L2TP client shows drops in WWAN connections and does not get the WWAN IP.
777476    When FGCP and FGSP are configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.
780850    IPsec hub fails to delete selector routes when the NAT IP changed and IKE crashed.
781403    IKE is consuming excessive memory.
781917    Session clash messages appear in event logs for new sessions from VPN towards a VIP.
783597    Framed IP is not assigned to IPsec clients configured with set assign-ip-from usrgrp.
786409    Tunnel had one-way traffic after iked crashed.
787567    Inbandwidth and outbandwidth on IPsec are not working properly.
789705    IKE crash disconnected all users at the same time.
793863    File downloads over L2TP IPsec VPN failed when using the VIP mapped to the internal server.
798709    Shortcut fails to be triggered by interesting traffic.
803686    Tooltip in the Dashboard > Network IPsec widget only displays one address for the local and remote addresses of the phase2 selector.

Log & Report

Bug ID    Description
764478    Logs are missing on FortiGate Cloud from the FortiGate.
769300    Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.
774767    The expected reboot log is missing.
776929    When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.
777008    The syslogd daemon encounters a memory leak.
783145    Cyrillic alphabet is not displayed correctly in file filter and DLP logs.
783725    DoT log is incorrectly categorized as a forward traffic log instead of a local traffic log.
788724    The secondary FortiGate did not send the logs to the syslog server (sendmmsg failed to send data).

Proxy

Bug ID    Description
650348    FortiGate refuses incoming TCP connections to the FTP proxy port after explicit proxy related configurations are changed.
678815    WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers.
747915    Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.
756616    High CPU usage in a proxy-based policy with deep inspection and an IPS sensor.
766158    Video filter FortiGuard category takes precedence over an allowed channel ID exception in the same category.
774859    WAD signal 11 Segmentation fault crash occurs at wad_h2_port_read_sync.
775193    Frequent WAD crashes are causing the FortiGate to go down.
775966    Changes to the address group used for full SSL exemptions are not being activated.
776989    In some cases, a WAD daemon signal 6 (Aborted) received crash occurs when adding a VDOM.
781161    WAD has a signal 11 crash due to an invalid read after freeing the WAD user information daemon.
782426    WAD crash with signal 11 and signal 6 occurs when performing SAML authentication if the URL size is larger than 3 KB.
783112    FortiGate goes into conserve mode due to high memory usage of the WAD user-info process. The WAD user-info process will query the user count information from the LDAP server every 24 hours. If any of the LDAP query messages are closed by exceptions, there is a memory leak. If obtain-user-info is enabled under config user ldap, this memory leak will be triggered on a daily basis.
783438    When diagnosing WAD memory with a significant number of open HTTP sessions, the function pointer may still be called and will cause a segmentation fault.
786939    The scan-botnet-connections block setting does not work for TCP:443 with proxy-based inspection.
789703    WAD continually crashes with signal 11.
791662    FortiGate is silently dropping the server hello in TLS negotiation.
792505    Memory leak identified for WAD worker dnsproxy_conn causing conserve mode.
795321    WAD crashes with signal 11 and the unit goes into conserve mode.
796910    Application wad crash (Segmentation fault), which is the first crash in a series.
802935    FortiGate cannot block a virus file when using the HTTP PATCH upload method.
803136    thumbnailPhoto files are saved in the memory disk with the incorrect hash name.
803260    Memory increases suddenly and is not released until rebooting.
808072    When accessing a specific website using UTF8 content encoding (which is unexpected according to the RFC), the FortiGate blocks the traffic as an HTTP evasion when applying an AV profile with deep inspection.

Routing

Bug ID    Description
710606    Some static routes disappear from the RIB/FIB after modifying/installing static routes from the GUI script.
717086    External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.
745856    The default SD-WAN route for the LTE wwan interface is not created.
767225    Unable to set tls-active-probe.
769321    After ADVPN HA failover, BGP is not established, and tunnels are up but not passing traffic between the hub and spokes.
770420    FortiGate assigns an incorrect IP address for SNAT on an ipunnumbered interface.
771052    The set next-hop-self-rr6 enable parameter is not effective.
771423    BGP route map community attribute cannot be changed from the GUI when there are two 16-byte concatenated versions.
772400    IPv6 route is not created for the SIT tunnel interface in SD-WAN.
774136    VPN traffic is not being metered by the DoS policy when using SD-WAN.
777047    PING over IPv6 is not working from a loopback interface to any interface if the VRF on the loopback moves to vrf1.
778392    Kernel panic crash occurs after receiving a new IPv6 prefix via BGP.
779113    A new route check is added to make sure the route is removed when the link monitor object fails on non-ARM based platforms.
780210    Changing the interface weight under SD-WAN takes longer to be applied from the GUI than the CLI.
780421    SD-WAN services use a different way to handle IPv6 packets than IPv4, which causes packet loss.
781493    After restarting IKE, ADVPN shortcuts are stuck in the SD-WAN service and health check.
783168    IPv6 secondary network is removed from the routing table after reboot.
784950    The ecmp-max-paths are not behaving as expected.
788793    Unable to receive BGP routes on redundant tunnel interfaces.
797530    SD-WAN health check event log shows the incorrect protocol.
797590    GRE tunnel configured using a loopback interface is not working after changing the interface back and forth.
807635    BGP routes hit the wrong route map.

Security Fabric

Bug ID    Description
764825    When the Security Fabric is enabled, logging is not enabled on deny policies.
778511    PPPoE interface is unable to accept Fabric connections.
779181    Security rating report for System Uptime incorrectly fails the check for FortiAP, even though the FortiAP is up for more than 24 hours.
788543    Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.
791794    Unable to send alert emails using SMTP TLS in Office 365.
793234    Fabric Management page incorrectly shows some FortiAPs with an unregistered FortiCare status even though the FortiAP is already registered. This is just a display issue and does not impact FortiAP operation.
793474    FortiManager card is shown in red on the Security Fabric > Fabric Connectors page.
795687    On the Fabric Management page, some managed FortiSwitches are not shown.
799832    GCP bearer token is too long for the header in a google-cloud-function automation action.

SSL VPN

Bug ID    Description
486837    SSL VPN with external DHCP servers is not working.
616896    Link in the SSL VPN portal to FortiClient iOS redirects to legacy FortiClient 6.0 rather than the latest 6.2.
741674    Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.
749857    Web mode and tunnel mode could not reflect the VRF setting, which causes the traffic to not pass through as expected.
755296    SSL VPN web mode has issues accessing https://e***.or***.kr.
756561    Outdated OS support for host check should be removed.
757450    SNAT is not working in SSL VPN web mode when accessing an SFTP server.
757726    SSL VPN web portal does not serve the updated certificate.
760407    Unable to add a domain entry in split-dns if set domains contains an underscore character (_).
760875    SSL VPN PKI users fail to log in when a special character is included in the CN or subject matching field.
762479    Telnet connection gets disconnected after three to four minutes in SSL VPN web mode while the connection is idle.
762685    Punycode is not supported in SSL VPN DNS split tunneling.
763611    If dual-stack is enabled, the user connects to the tunnel with IPv6 and the tunnel is established successfully. When the user tries to access the IPv4 server to upload or download files, the network speed is very slow.
764853    SSL VPN bookmark of VNC is not using ZRLE compression and consumes more bandwidth to end clients.
765216    Extend skip-check-for-unsupported-os to support the same OS type but different OS versions.
765258    Endpoint event is not reported when FortiClient 7.0 connects to SSL VPN.
767230    Issues with the user logout request with Okta as an identity provider for SAML authentication.
767818    SSL VPN bookmark issues with an internal website.
767869    SCADA portal will not fully load with an SSL VPN web bookmark.
768323    Certain websites do not load properly in SSL VPN web mode.
768362    Default resolution for RDP/VNC in SSL VPN web mode cannot be configured.
768983    SSL VPN web mode access to the FortiGate GUI is slow after upgrading to 7.0.3.
768994    SSL VPN crashed when closing web mode RDP after upgrading.
770452    Clicking an SSL VPN web portal bookmark web link displays a blank page.
770919    Internal website (*.blt.local) is not loading in SSL VPN web mode.
771162    Unable to access an SSL VPN bookmark in web mode.
772191    Website is not loading in SSL VPN web mode.
774661    Unable to load an SSL VPN web portal internal webpage.
774831    Comma character (,) is acting as a delimiter in authentication session decoding when the CN format is Surname, Name.
776069    The sslvpn daemon crashes due to memory access after it has been freed.
778031    SSL VPN web mode HTTP throughput drops by over 50%.
778034    FortiGate GUI in SSL VPN web mode is very slow.
780305    SSL VPN web mode is unable to redirect from port 62843 to port 8443.
781542    Unable to access an internal SSL VPN bookmark in web mode.
781550    HTTPS link is not working in SSL VPN web mode.
782732    Webpages of the back-end server behind https://vpn-***.sys***.pl/remote/ could not be displayed in SSL VPN web mode.
783508    After upgrading to 6.4.8, NLA security mode for the SSL VPN web portal bookmark does not work.
784335    Unable to load an internal website in SSL VPN web mode.
784426    SSL VPN web mode has problems accessing ComCenter websites.
784522    When trying to create a support ticket in Jira with SSL VPN proxy web mode, the dropdown field does not contain any values.
784887    A blank page appears after logging in to an SSL VPN bookmark.
786179    Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.
787978    Unable to load NFMT routing display through SSL VPN web mode.
788641    Internal site not loading in SSL VPN web mode.
789267    SSO SSL VPN web mode user cannot connect to RDP intermittently.
789644    Internal site not loading completely using an SSL VPN web mode bookmark.
791700    SSL VPN crashes and disconnects users at the same time.
794800    SSL VPN /remote/logoutok screen loads in basic text.
794820    Slow performance when managing the FortiGate through the bookmark configured in SSL VPN web mode.
795730    Non-Google CAPTCHA cannot be displayed in SSL VPN web mode.
801308    FortiGuard should only provide an installer for FortiClient VPN, instead of the full FortiClient version.
801588    After Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully.
802379    SSL VPN has memory leaks and crashes.
803622    High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server.

Switch Controller

Bug ID    Description
774441    FortiLink topology only displays partially.
774848    Bulk MAC address deletions on FortiSwitch randomly cause all wired clients to disconnect at the same time and reconnect.
776442    FortiSwitch VLANs cannot be created in the FortiGate GUI for a second FortiLink.

System

Bug ID    Description
540389    Remote administrator password renewal shows the remote token instead of the new password (CLI and GUI).
644782    A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.
679059    The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.
681322    TCP 8008 is permitted by authd, even though the service in the policy does not include that port.
699152    QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.
706543    FortiGuard DDNS does not update the IP address when the PPPoE reconnects.
708228    A DNS proxy crash occurs during ssl_ctx_free.
716250    Incorrect bandwidth utilization traffic widget for a VLAN interface based on an LACP interface.
722781    MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.
724085    Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If the auto-asic-offload option is disabled in the firewall policy, traffic flows as expected.
734912    When VDOMs are enabled, changing system settings causes the GUI to display a failure to save message.
735761    VLAN ID is not taken into consideration at the session level for traffic crossing NP7 platforms.
736144    AirCard 340U LTE Modem does not work.
738423    Unable to create a hardware switch with no member.
749613    Unable to save configuration changes and get a failed: No space left on device error on FG-61E, FG-81E, and FG-101E.
750533    The cmdbsvr crashes when accessing an invalid firewall vip mapped IP, which causes traffic to stop traversing the FortiGate.
751044    There is no sensor trap function and related logs on SoC4 platforms.
753912    FortiGate calculates a faulty FDS weight with DST enabled.
755268    When changing a per-ip-shaper, if there is ongoing traffic offloaded by NPU and it attaches that shaper, the new shaper's quota will not get updated.
756139    When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.
757478    Kernel panic results in reboot due to the size of the inner Ethernet header and IP header not being checked properly when the SKB is received by the VXLAN interface.
758490    The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.
760661    DDNS interface update status can get stuck if changes to the interface are made rapidly.
760942    dnsproxy signal 11 crash at libcrypto.so.1.1 on FWF-61F.
761971    AirCard 340U LTE modem does not work on FG-61F.
763185    High CPU usage on platforms with low free memory upon IPS engine initialization.
764483    After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.
767778    Kernel panic occurs when adding and deleting LAG members on NP6 models.
768979    On a FortiGate with many FortiSwitches and FortiAPs, the Device Inventory widget and user-device-store list are empty.
771267    Zone transfer with FortiGate as the primary DNS server fails if the FortiGate has more than 241 DNS entries.
771331    Incorrect bandwidth utilization traffic widget for a VLAN interface on NP6 platforms.
771442    Discrepancy between session count and number of active sessions; the session number creeps high, causing high memory utilization.
773067    CLI help text for link monitor failtime and recoverytime range should be (1 - 3600, default = 5).
773702    FortiGate running startup configuration is not saved on the flash drive.
774443    SCP restore TCP session does not gracefully close with a FIN packet.
775529    Hardware switch is not passing VRRP packets.
777044    On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.
778116    Restricted VDOM user is able to access the root VDOM.
778629    Disabling NP6XLite offloading does not work with a VLAN interface in a LAG one-arm scenario.
779241    DCE-RPC expectation session expires and never times out (timeout=never).
779523    Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.
782392    ICMP traceroute with more than one probe is not working, and drops are seen on NP6 platforms.
783545    Backing up to SFTP does not work when the username contains a period (.).
785766    Memory leak and httpsd crashes.
786255    Cached topology reports cause the FortiGate to run out of flash storage on low-end models.
789203    High memory usage due to DoT leak at ssl.port_1way_client_dox leak\wad_m_dot_conn leak\sni leak when the DoX server is 8.8.8.8.
790446    The vwl process is spiking CPU and memory, which triggers conserve mode.
790656    DNS fails to correctly resolve hosts using the DNS database.
792544    A request is made to the remote authentication server before checking trusthost.
793401    The fcnacd process keeps using 99% CPU.
793864    Repeated FortiDDNS failed messages are in the system event logs output.
796398    BPDU packets are blocked even though STP forwarding is enabled on FG-800D in transparent mode (UTP and SFP).
799255    Any configuration change on FG-2601F causes a cmbdr crash with signal 6 and traffic to stop flowing.
800295    NTP server has intermittent unresolvable logs after upgrading to 6.4.
800333    DoS offload does not work and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.
801477    Disabling forward error correction is not working on FG-3500F.
801738    Kernel panic occurs on FG-2610F when collecting debug flow information.
802917    PPPoE virtual tunnel drops traffic after logon credentials are changed.

Upgrade

Bug ID    Description
754180    MAC address group is missing in the configuration after upgrading if it has members with other address groups that come behind the current one.
766472    After upgrading, the diagnostic command for the redundant PSU is missing on FG-100F.
790823    VDOM links configuration is lost after upgrading.

User & Authentication

Bug ID

Description

667150

Add GUI support for FortiToken Mobile push notification and FortiToken Cloud based on two-factor authentication, which is already supported by authd.

738846

FAS ends up in endless loop while synchronizing with LDAP when a special character (,) is part of a username.

749488

On an HA standby device, certain certificates (such as Fortinet_CA_SSL) regenerate by themselves when trying to edit them in CLI. This also causes issues when backing up configurations on the standby device.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

767844

User ID/password shows as blank when sending the guest credentials via a custom SMS server in Guest Management.

777004

Local users named pop or map do not work as expected when trying to add then as sources in a firewall policy.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

781992

fssod crashes with signal 11 on logon_dns_callback.

790941

When logged in with an administrator profile using a wildcard RADIUS user, creating a new dashboard widget fails.

792924

Incorrect captive portal page certificate is used after upgrading from 7.0.3 to 7.0.5.

808884

Device information is not fully detected on NP7.

VM

Bug ID

Description

735441

Low performance when copying files from a server behind an FG-VM to another site via IPsec VPN.

774599

FG-VM64 with specific configuration halted while upgrading from 7.0.2.

781879

Flex-VM license activation fails to apply to a FortiGate VM in HA; standalone mode works.

782073

IBM HA is unable to fail over route properly when route table has a delegate VPC route.

785234

GCP HA failover for external IP does not work when using Standard Tier.

785353

Azure performance issue on MLX5 when an unrelated VPN is up.

789223

Azure China uses the wrong API endpoint to get metadata after the secondary becomes the new primary.

793914

HA is not in sync when a dynamic AWS service SMTP address object is retrieving a dynamic update from AWS.

799536

Data partition is almost full on FG-VM64 platforms.

VoIP

Bug ID

Description

794517

VoIP daemon memory leak occurs when the following conditions are met:

  • The SIP call is on top of the IPsec tunnel.
  • The call fails before the setup completes (session gets closed in a state earlier than VOIP_SESSION_STATE_RUNNING).

Web Application Firewall

Bug ID

Description

785743

When a web application firewall profile has version constraint enabled, HTTP 2.0 requests will be blocked.

Web Filter

Bug ID

Description

770941

Unable to block https://cle***.com/oauth/dis***-pic*** using URL filter; content from cle***.com is still shown.

781515

The urlfilter daemon continuously crashes on the secondary unit.

798557

When a new URL filter entry is created and the list is re-ordered, the list position is not maintained.

WiFi Controller

Bug ID

Description

489759

Consistent internal_add_timer error messages appear on the console when running an automation script.

630085

A cw_acd crash is observed on the FortiGate when the FortiAP is deleted from the managed AP list.

745642

Consider not generating rogue AP logs once a certain AP has been marked as accepted.

748479

cw_acd crashes with signal 11, causing APs to disconnect and rejoin.

750425

In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to 0.0.0.0 after using the FortiGate address.

757189

A batch of APs in a cluster report control messages that the maximum retransmission limit has been reached, and the APs disconnect from the FortiGate.

773027

Client limit description tooltip displayed in the GUI shows incorrect information.

773742

Two-factor authentication and WPA2-Enterprise WiFi conflict on remoteauthtimeout setting.

775157

A packet with the wrong IP header could not be processed by the CAPWAP driver, which randomly causes the FortiGate to reboot.

776576

The FortiAP upgrade panel still prompts to upgrade to the latest firmware, even when the FortiAP is already running the latest firmware.

780732

Unable to import MPSK keys in the GUI (CSV file into an SSID). An Invalid file content error appears.

783209

The arrp-profile table cannot be purged if no entry is in use.

783752

Improve arrp-profile configuration to avoid confusion.

790367

FWF-60F has kernel panic and reboots by itself every few hours.

791761

CAPWAP tunnel traffic over WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.

792738

The cw_acd process uses high CPU, which causes issues for FortiAP connecting with CAPWAP.

ZTNA

Bug ID

Description

770350

ZTNA tags do not follow the correct policy when bound in a single policy. They also do not work with groups.

770877

Traffic is blocked by mismatched ZTNA EMS tags in a forwarding firewall policy.

777669

The secondary IP address in the EMS dynamic address table does not match the expected policy.

799530

WAD crashes at wad_sched.c upon device tag matching.

802715

ZTNA fails to match the policy when a tag is found for an endpoint in the EMS response.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

787111

FortiOS 7.0.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-43072

792067

FortiOS 7.0.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-0778

797229

FortiOS 7.0.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-27491

800259

FortiOS 7.0.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-2905

Resolved issues

The following issues have been fixed in version 7.0.6. For inquires about a particular bug, please contact Customer Service & Support.

Application Control

Bug ID

Description

787130

Application control does not block FTP traffic on an explicit proxy.

DNS Filter

Bug ID

Description

692482

DNS filter forwards the DNS status code 1 FormErr as status code 2 ServFail in cases where the redirect server responses have no question section.

744572

In multi-VDOM with default system fortiguard configuration, the DNS filter does not work for the non-management VDOM.

796052

If local-in and transparent requests are hashed into the same local ID list, when the DNS proxy receives a response, it finds the wrong query for requests with the same ID and domain.

Endpoint Control

Bug ID

Description

776447

When a new device first connects to the EMS server with a customized certificate, the wrong slide-in pane appears in the GUI.

777294

Fabric connection failure between EMS and FortiOS.

793162

Sometimes the FortiGate fails to resolve a FortiClient MAC or IP in the firewall dynamic address table.

Explicit Proxy

Bug ID

Description

754191

Websites are not accessible if the certificate-inspection SSL-SSH profile is set in a proxy policy.

765761

Firewall with forward proxy and UTM enabled is sending TLS probe with forward proxy IP instead of real server IP.

766127

PAC file download fails with incorrect service error after upgrading to 7.0.2.

767951

Explicit web proxy does not bypass ICAP server inspection when the ICAP server is unreachable.

771152

GUI does not display Source Address field when using a proxy address group in authentication rules.

774442

WAD is NATting to the wrong IP pool address for the interface.

778339

Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.

780211

diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.

783946

Explicit proxy policy does not deny request for ClearPass object if it is used as a source.

785342

FortiGate explicit proxy does not work with SOCKS4a.

796364

Renaming a ClearPass dynamic address object that is configured in a proxy policy causes the address not to be matched.

801602

In agentless NTLM authentication, the source IP in user domain-controller is not applied.

Firewall

Bug ID

Description

599638

Get unexpected count for established session count, and diagnose firewall iprope clear does not work as expected.

644638

Policy with a Tor exit node as the source is not blocking traffic coming from Tor.

724145

Expiration timer of expectation session may show a negative number.

744888

FortiGate drops SERVER HELLO when accessing some TLS 1.3 websites using a flow-based policy with SSL deep inspection.

752784

Packet is dropped due to the wrong UDP header length. The NP6XLite driver and kernel drop the packet because of the transport header check.

761494

HTTP persistence not working for HTTP cookie and SSL session ID for round-robin load balancer.

767294

The match-vip option is only useful for deny policies; however, its flag is not cleared after changing the policy action from deny to accept. When a policy uses a mapped FQDN VIP, the destination field of the iprope policy accepts the full IP range.

770541

There is a delay opening firewall, DoS, and traffic shaping policies in the GUI.

770668

The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.

775783

Get httpsd signal 11 crash when inline editing custom service from policy list page with FortiGate support tool running.

777231

Dashboard > FortiView Traffic Shaping page sometimes displays an undefined traffic shaper. This is cosmetic and does not impact functionality.

778513

Forward traffic logs do not show MAC address object name in Device column.

779902

FortiGate policy lookup does not work as expected (in the GUI and CLI) when the destination interface is a loopback interface.

784939

Dashboard > Load Balance Monitor is not loading in 7.0.4 and 7.0.5.

791735

The number of sessions in session_count does not match the output from diagnose sys session full-stat.

797017

The FortiGate does not refresh the iprope group for central SNAT policies after moving a newly created SNAT policy.

797318

NAT64 is not forwarding traffic to the destination IP.

802834

On the Traffic Shaping > Traffic Shapers tab, the Bandwidth Utilization column indicates zero traffic when there is traffic present.

803270

Unexpected value for session_count appears.

806113

The Traffic Shaping Policies edit dialog shows configured reverse shapers as disabled. This is a cosmetic issue and the reverse shaper is configured as defined.

806904

IPv6 source with the same 32-bit prefix always NATs to the same IPv4 address.

FortiView

Bug ID

Description

765993

Dashboard > FortiView Sources - WAN monitor does not show data for VLAN interface.

GUI

Bug ID

Description

630216

A user can browse HA secondary logs in the GUI, but when a user downloads these logs, it is the primary FortiGate logs instead.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

720192

GUI logs out when accessing FortiView monitor page if the VDOM administrator only has ftviewgrp permission.

740508

Bandwidth widget shows incorrect traffic on FG-40F.

746618

Export port link status is not correct on tenant VDOM FortiSwitch Ports page.

763724

After the current session is disconnected, pressing the Enter key does not restart a new session on the GUI CLI console.

774159

Signature not found in IPS database message when editing the IPS profile from the policy.

776969

Unable to select and copy serial number from System Information dashboard widget.

778258

Unable to set IP address for IPsec tunnel in the GUI.

778542

Local domain name disappears from the GUI after clicking API Preview.

778932

MAC address name is not displayed in the Device column in the Asset Identity Center.

781310

Policy & Objects > DNAT & Virtual IPs page can take more than 30 seconds to load if there are more than 25 thousand virtual IPs.

783152

Filtering by Status in the SD-WAN widget is not working.

787007

httpsd is crashing without any interaction on the GUI at api_cleanup_cache in api_cmdb_v2_handler.

787550

HTTPSD daemon crashes frequently with signal 6 (aborted) at api_v2_page_result.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

788935

GUI is slow to load when CDN is enabled and accessed on a closed network.

792045

FortiGate failed to view matched endpoints after viewing it successfully several times.

799160

Modem 1 Health is incorrectly displayed as Disconnected in the Diagnostics and Tools pane of the FortiExtenders page.

800632

Search bar on Addresses page does not complete loading and return a result when format is <IP>-<number>.

HA

Bug ID

Description

664929

The hatalk process crashed when creating a disabled VLAN interface in an A-P cluster.

683584

The hasync process crashed because the write buffer offset is not validated before using it.

683628

The hasync process crashes often with signal 11 in cases when a CMDB mind map file is deleted and some processes still mind map the old file.

714788

Uninterruptible upgrade might be broken in large-scale environments.

744349

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

751072

HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.

752942

When the secondary is being synchronized, the GARP is sent out from the secondary device with the physical MAC address.

763214

Firmware upgrade fails when the bandwidth between hbdev is reduced to 26 Mbps and lower (Check image file integrity error!).

764873

FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.

765619

HA desynchronizes after user from a read-only administrator group logs in.

771389

SNMP community name with one extra character at the end stills matches when HA is enabled.

771391

HA uptime remains the same after mondev failure.

773901

The dnsproxy daemon is not updating HA management VDOM DNS after it is configured. The secondary also does not update.

775724

Static routes not installed after HA failover.

775837

When upgrading the secondary unit to build 1097 or later, a root.vpn.certificate.local.Fortinet_SSL configuration error appears.

778011

The hasync daemon crashes on FG-80E.

779180

FGSP does not synchronize the helper-pmap expectation session.

779512

If the interface name is a number, an error occurs when that number is used as an hbdev priority.

779587

When an authentication log on length is longer than the hasync packet length and when there is a large number of logons, hasync is busy.

781463

FortiGate does not respond to ARP request for management-ip on interface if the interface IP is changed.

782769

Unable to form HA pair when HA encryption is enabled.

783483

On the System > HA page, Sessions are shown as 0 after upgrading from 7.0.3 to 7.0.4.

786592

Failure in self-pinging towards the management IP.

791397

HA secondary address CMDB synchronizes incorrectly for EMS dynamic tags.

794707

Get invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP standalone-config-sync.

801872

Unexpected HA failover on AWS A-P cluster when ipsec-soft-dec-async is enabled.

803697

The ha-mgmt-interface stops using the configured gateway6.

807322

AWS HA does not update the prefix list in the route table.

Hyperscale

Bug ID

Description

773698

hw-session-sync-dev does not support hyperscale firewall HA hardware session synchronization interface LAGs.

807523

On NP7 platforms the config system npu option for nat46-force-ipv4-packet-forwarding is missing.

Intrusion Prevention

Bug ID

Description

698247

Flow mode web filter ovrd crashes and socket leaks in IPS daemon.

715360

Each time an AV database update occurs (scheduled or manually triggered), the IPS engine restarts on the SLBC secondary blade.

721916

On SoC4 platforms, when HWDOS enabled and the anomaly action is set to block, the FortiGate does not block sessions that exceed the threshold in the DoS policy.

751027

FortiGate can only collect up to 128 packets when detected by a signature.

755859

The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

775696

Each time an AV database update occurs (scheduled or manual), the IPS engine restarts on the SLBC secondary blade. This stops UTM analysis for sessions affected by that blade.

780194

IPS engine 7.00105 has signal 14 (Alarm clock) crash during stress testing.

784976

IPS engine goes to 100% (at 5 Gbps) on FG-4200F when testing CCS with CPS and throughput when UTM is enabled.

IPsec VPN

Bug ID

Description

735412

IKE HA resynchronizes the synchronized connection without an established IKE SA.

749509

IPsec traffic dropped due to anti-replay after HA failover.

767765

Tooltip in Dashboard > Network > IPsecwidget for phase 2 shows a Timeout year of 1970 in Firefox, Chrome, and Edge.

768638

Invalid IP address while creating a VPN IPsec tunnel.

770354

L2TP over IPsec stopped encrypting traffic after upgrading from 6.4 to 7.0.2.

771935

Offloaded transit ESP is dropped in one direction until session is not deleted.

773221

Traffic that goes through IPsec based on a loopback interface cannot be offloaded.

773313

FG-40F-3G4G with WWAN DHCP interface set as L2TP client shows drops in WWAN connections and does not get the WWAN IP.

777476

When FGCP and FGSP is configured, but the FGCP cluster is not connected, IKE will ignore the resync event to synchronize SA data to the FGSP peer.

780850

IPsec hub fails to delete selector routes when NAT IP changed and IKE crashed.

781403

IKE is consuming excessive memory.

781917

Session clash messages appear in event logs for new sessions from VPN towards VIP.

783597

Framed IP is not assigned to IPsec clients configured with set assign-ip-from usrgrp.

786409

Tunnel had one-way traffic after iked crashed.

787567

Inbandwidth and outbandwidth on IPsec is not working properly.

789705

IKE crash disconnected all users at the same time.

793863

File downloads over L2TP IPsec VPN failed when using the VIP mapped to the internal server.

798709

Shortcut fails to be triggered by interested traffic.

803686

Tooltip in Dashboard > Network IPsec widget only displays one address for the local and remote addresses of the phase2 selector.

Log & Report

Bug ID

Description

764478

Logs are missing on FortiGate Cloud from the FortiGate.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

774767

The expected reboot log is missing.

776929

When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.

777008

The syslogd daemon encounters a memory leak.

783145

Cyrillic alphabet is not displayed correctly in file filter and DLP logs.

783725

DoT log is incorrectly categorized as a forward traffic log instead of a local traffic log.

788724

The secondary FortiGate did not send the logs to the syslog server (sendmmsg failed to send data).

Proxy

Bug ID

Description

650348

FortiGate refuses incoming TCP connection to FTP proxy port after explicit proxy related configurations are changed.

678815

WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers.

747915

Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.

756616

High CPU usage in proxy-based policy with deep inspection and IPS sensor.

766158

Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category.

774859

WAD signal 11 Segmentation fault crash occurs at wad_h2_port_read_sync.

775193

Frequent WAD crashes are causing the FortiGate to go down.

775966

Changes to address group used for full SSL exemptions are not being activated.

776989

In some cases, WAD daemon signal 6 (Aborted) received occurs when adding a VDOM.

781161

WAD has signal 11 crash due to invalid reading after freeing WAD user information daemon.

782426

WAD crash with signal 11 and signal 6 occurs when performing SAML authentication if the URL size is larger than 3 KB.

783112

FortiGate goes into conserve mode due to high memory usage of WAD user-info process. The WAD user-info process will query the user count information from the LDAP server every 24 hours. If any of the LDAP query messages are closed by exceptions, there is a memory leak. If obtain-user-info is enabled under config user ldap, this memory leak will be triggered on daily basis.

783438

When diagnosing WAD memory with a significant number of open HTTP sessions, the function pointer may still be called and will cause a segmentation fault.

786939

The scan-botnet-connections block setting does not work for TCP:443 with proxy-based inspection.

789703

WAD continually crashing at signal 11.

791662

FortiGate is silently dropping server hello in TLS negotiation.

792505

Memory leak identified for WAD worker dnsproxy_conn causing conserve mode.

795321

WAD crash signal 11 and unit goes into conserve mode.

796910

Application wad crash (Segmentation fault) , which is the first crash in a series.

802935

FortiGate cannot block a virus file when using the HTTP PATCH upload method.

803136

thumbnailPhoto files are saved in the memory disk with the incorrect hash name.

803260

Memory increase suddenly and is not released until rebooting.

808072

When accessing a specific website using UTF8 content encoding (which is unexpected according to the RFC) the FortiGate blocks the traffic as an HTTP evasion when applying an AV profile with deep inspection.

Routing

Bug ID

Description

710606

Some static routes disappear from RIB/FIB after modifying/installing static routes from the GUI script.

717086

External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.

745856

The default SD-WAN route for the LTE wwan interface is not created.

767225

Unable to set tls-active-probe.

769321

After ADVPN HA failover, BGP is not established, and tunnels are up but not passing traffic between the hub and spokes.

770420

FortiGate assigns an incorrect IP address for SNAT on ipunnumbered interface.

771052

The set next-hop-self-rr6 enable parameter not effective.

771423

BGP route map community attribute cannot be changed from the GUI when there are two 16-byte concatenated versions.

772400

IPv6 route is not created for SIT tunnel interface in SD-WAN.

774136

VPN traffic is not being metered by DoS policy when using SD-WAN.

777047

PING over IPv6 is not working from a loopback interface to any interface if the VRF on the loopback moves to vrf1.

778392

Kernel panic crash occurs after receiving new IPv6 prefix via BGP.

779113

A new route check to make sure the route is removed when the link monitor object fails on non-ARM based platforms.

780210

Changing the interface weight under SD-WAN takes longer to be applied from the GUI than the CLI.

780421

SD-WAN services use a different way to handle IPv6 packets than IPv4, which causes packets loss.

781493

After restarting IKE, ADVPN shortcuts stuck in the SD-WAN service and health check.

783168

IPv6 secondary network is removed from the routing table after reboot.

784950

The ecmp-max-paths are not behaving as expected.

788793

Unable to receive BGP routes on redundant tunnel interfaces.

797530

SD-WAN health check event log shows the incorrect protocol.

797590

GRE tunnel configured using a loopback interface is not working after changing the interface back and forth.

807635

BGP routes hit the wrong route map.

Security Fabric

Bug ID

Description

764825

When the Security Fabric is enabled, logging is not enabled on deny policies.

778511

PPPoE interface is unable to accept Fabric connections.

779181

Security rating report for System Uptime incorrectly fails the check for FortiAP, even though the FortiAP is up for more than 24 hours.

788543

Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.

791794

Unable to send alert emails using SMTP TLS in Office 365.

793234

Fabric Management page incorrectly shows some FortiAPs with an unregistered FortiCare status even though the FortiAP is already registered. This is just a display issue and does not impact FortiAP operation.

793474

FortiManager card has red color on Security Fabric > Fabric Connectors page.

795687

On the Fabric Management page, some managed FortiSwitches are not shown.

799832

GCP bearer token is too long for the header in a google-cloud-function automation action.

SSL VPN

Bug ID

Description

486837

SSL VPN with external DHCP servers is not working.

616896

Link in SSL VPN portal to FortiClient iOS redirects to legacy FortiClient 6.0 rather than the latest 6.2.

741674

Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.

749857

Web mode and tunnel mode could not reflect the VRF setting, which causes the traffic to not pass through as expected.

755296

SSL VPN web mode has issues accessing https://e***.or***.kr.

756561

Outdated OS support for host check should be removed.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

757726

SSL VPN web portal does not serve updated certificate.

760407

Unable to add domain entry in split-dns if set domains contains an underscore character (_).

760875

SSL VPN PKI users fail to log in when a special character is included in the CN or subject matching field.

762479

Telnet connection gets disconnected after three to four minutes in SSL VPN web mode while the connection is idle.

762685

Punycode is not supported in SSL VPN DNS split tunneling.

763611

If dual-stack is enabled, the user connects to the tunnel with IPv6 and the tunnel is established successfully. When the user tries to access the IPv4 server to upload or download files, the network speed is very slow.

764853

SSL VPN bookmark of VNC is not using ZRLE compression and consumes more bandwidth to end clients.

765216

Extend skip-check-for-unsupported-os to support the same OS type but different OS versions.

765258

Endpoint event is not reported when FortiClient 7.0 connects to SSL VPN.

767230

Issues with user log out request with Okta as an identity provider for SAML authentication.

767818

SSL VPN bookmark issues with internal website.

767869

SCADA portal will not fully load with SSL VPN web bookmark.

768323

Certain websites do not load properly in SSL VPN web mode.

768362

Default resolution for RDP/VNC in SSL VPN web mode cannot be configured.

768983

SSL VPN web mode access to the FortiGate GUI is slow after upgrading to 7.0.3.

768994

SSL VPN crashed when closing web mode RDP after upgrading.

770452

Clicking an SSL VPN web portal bookmark web link displays blank page.

770919

Internal website (*.blt.local) is not loading in SSL VPN web mode.

771162

Unable to access SSL VPN bookmark in web mode.

772191

Website is not loading in SSL VPN web mode.

774661

Unable to load SSL VPN web portal internal webpage.

774831

Comma character (,) is acting as delimiter in authentication session decoding when CN format is Surname, Name.

776069

The sslvpn daemon crashes due to memory access after it has been freed.

778031

SSL VPN web mode HTTP throughputs drop over 50%.

778034

FortiGate GUI in SSL VPN web mode is very slow.

780305

SSL VPN web mode is unable to redirect from port 62843 to port 8443.

781542

Unable to access internal SSL VPN bookmark in web mode.

781550

HTTPS link is not working in SSL VPN web mode.

782732

Webpages of back-end server behind https://vpn-***.sys***.pl/remote/ could not be displayed in SSL VPN web mode.

783508

After upgrading to 6.4.8, NLA security mode for SSL VPN web portal bookmark does not work.

784335

Unable to load internal website in SSL VPN web mode.

784426

SSL VPN web mode has problems accessing ComCenter websites.

784522

When trying to create a support ticket in Jira with SSL VPN proxy web mode, the dropdown field does not contain any values.

784887

A blank page appears after logging in to an SSL VPN bookmark.

786179

Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.

787978

Unable to load NFMT routing display through SSL VPN web mode.

788641

Internal site not loading in SSL VPN web mode.

789267

SSO SSL VPN web mode user cannot connect to RDP intermittently.

789644

Internal site not loading completely using SSL VPN web mode bookmark.

791700

SSL VPN crashes and disconnects users at the same time.

794800

SSL VPN /remote/logoutok screen loads in basic text.

794820

Slow performance to manage FortiGate trough the bookmark configured in SSL VPN web mode.

795730

Non-Google CAPTCHA cannot be displayed in SSL VPN web mode.

801308

FortiGuard should only provide an installer for FortiClient VPN, instead of the full FortiClient version.

801588

After Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully.

802379

SSL VPN has memory leaks and crashes.

803622

High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server.

Switch Controller

Bug ID

Description

774441

FortiLink topology only displays partially.

774848

Bulk MAC addresses deletions on FortiSwitch is randomly causing all wired clients to disconnect at the same time and reconnect.

776442

FortiSwitch VLANs cannot be created in the FortiGate GUI for a second FortiLink.

System

Bug ID

Description

540389

Remote administrator password renewal shows remote token instead of new password (CLI and GUI).

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

679059

The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

699152

QinQ (802.1ad) support needed on the following models: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3600E, and FG-3601E.

706543

FortiGuard DDNS does not update the IP address when the PPPoE reconnects.

708228

A DNS proxy crash occurs during ssl_ctx_free.

716250

Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.

722781

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. If the auto-asic-offload option is disabled in the firewall policy, traffic flows as expected.

734912

When VDOMs are enabled, changing system settings causes the GUI to display a failure to save message.

735761

VLAN ID is not taken into consideration at the session level for traffic crossing NP7 platforms.

736144

AirCard 340U LTE Modem does not work.

738423

Unable to create a hardware switch with no member.

749613

Unable to save configuration changes and get failed: No space left on device error on FG-61E, FG-81E, and FG-101E.

750533

The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.

751044

There is no sensor trap function and related logs on SoC4 platforms.

753912

FortiGate calculates faulty FDS weight with DST enabled.

755268

When changing a per-ip-shaper, if there is ongoing traffic offloaded by NPU and it attaches that shaper, the new shaper's quota will not get updated.

756139

When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.

757478

Kernel panic results in reboot due the size of inner Ethernet header and IP header not being checked properly when the SKB is received by the VXLAN interface.

758490

The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.

760661

DDNS interface update status can get stuck if changes to the interface are made rapidly.

760942

dnsproxy signal 11 crash at libcrypto.so.1.1 on FWF-61F.

761971

AirCard 340U LTE modem does not work on FG-61F.

763185

High CPU usage on platforms with low free memory upon IPS engine initialization.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

767778

Kernel panic occurs when adding and deleting LAG members on NP6 models.

768979

On a FortiGate with many FortiSwitches and FortiAPs, the Device Inventory widget and user-device-store list are empty.

771267

Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.

771331

Incorrect bandwidth utilization traffic widget for VLAN interface on NP6 platforms.

771442

Discrepancy between the session count and the number of active sessions; the session count creeps upward, causing high memory utilization.

773067

CLI help text for link monitor failtime and recoverytime range should be (1 - 3600, default = 5).

773702

FortiGate running startup configuration is not saved on flash drive.

774443

SCP restore TCP session does not gracefully close with FIN packet.

775529

Hardware switch is not passing VRRP packets.

777044

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

778116

Restricted VDOM user is able to access the root VDOM.

778629

Disabling NP6XLite offloading does not work with VLAN interface on LAG one-arm scenario.

779241

DCE-RPC expectation session expires and never times out (timeout=never).

779523

Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.

782392

ICMP traceroute with more than one probe is not working, and drops are seen on NP6 platforms.

783545

Backing up to SFTP does not work when the username contains a period (.).

785766

Memory leak and httpsd crashes.

786255

Cached topology reports cause the FortiGate to run out of flash storage on low-end models.

789203

High memory usage due to DoT leak at ssl.port_1way_client_dox leak\wad_m_dot_conn leak\sni leak when the DoX server is 8.8.8.8.

790446

The vwl process is spiking CPU and memory, which triggers conserve mode.

790656

DNS fails to correctly resolve hosts using the DNS database.

792544

A request is made to the remote authentication server before checking trusthost.

793401

The fcnacd process keeps using 99% CPU.

793864

Repeated FortiDDNS failed messages are in the system event logs output.

796398

BPDU packets are blocked even though STP forwarding is enabled on FG-800D in transparent mode (UTP and SFP).

799255

Any configuration change on FG-2601F causes a cmbdr crash with signal 6, and traffic stops flowing.

800295

NTP server has intermittent unresolvable logs after upgrading to 6.4.

800333

DoS offload does not work and the npd daemon keeps crashing if the policy-offload-level is set to dos-offload under config system npu. Affected platforms: NP6XLite.

801477

Disabling forward error correction is not working on FG-3500F.

801738

Kernel panic occurs on FG-2610F when collecting debug flow information.

802917

PPPoE virtual tunnel drops traffic after logon credentials are changed.

Upgrade

Bug ID

Description

754180

MAC address group is missing from the configuration after upgrading if it has members that are other address groups listed after the current one.

766472

After upgrading, the diagnostic command for redundant PSU is missing on FG-100F.

790823

VDOM links configuration is lost after upgrading.

User & Authentication

Bug ID

Description

667150

Add GUI support for FortiToken Mobile push notification and FortiToken Cloud-based two-factor authentication, which is already supported by authd.

738846

FAS ends up in endless loop while synchronizing with LDAP when a special character (,) is part of a username.

749488

On an HA standby device, certain certificates (such as Fortinet_CA_SSL) regenerate by themselves when trying to edit them in CLI. This also causes issues when backing up configurations on the standby device.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

767844

User ID/password shows as blank when sending the guest credentials via a custom SMS server in Guest Management.

777004

Local users named pop or map do not work as expected when trying to add them as sources in a firewall policy.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

781992

fssod crashes with signal 11 on logon_dns_callback.

790941

When logged in with an administrator profile using a wildcard RADIUS user, creating new dashboard widgets fails.

792924

Incorrect captive portal page certificate is used after upgrading from 7.0.3 to 7.0.5.

808884

Device information is not fully detected on NP7.

VM

Bug ID

Description

735441

Low performance when copying files from a server behind an FG-VM to another site via IPsec VPN.

774599

FG-VM64 with specific configuration halted while upgrading from 7.0.2.

781879

Flex-VM license activation fails to apply to a FortiGate VM in HA; standalone mode works.

782073

IBM HA is unable to fail over the route properly when the route table has a delegate VPC route.

785234

GCP HA failover for external IP does not work when using Standard Tier.

785353

Azure performance issue on MLX5 when an unrelated VPN is up.

789223

Azure China uses the wrong API endpoint to get metadata after the secondary becomes the new primary.

793914

HA is not in sync when a dynamic AWS service SMTP address object is retrieving a dynamic update from AWS.

799536

Data partition is almost full on FG-VM64 platforms.

VoIP

Bug ID

Description

794517

VoIP daemon memory leak occurs when the following conditions are met:

  • The SIP call is on top of the IPsec tunnel.
  • The call fails before the setup completes (session gets closed in a state earlier than VOIP_SESSION_STATE_RUNNING).

Web Application Firewall

Bug ID

Description

785743

When a web application firewall profile has version constraint enabled, HTTP 2.0 requests will be blocked.

Web Filter

Bug ID

Description

770941

Unable to block https://cle***.com/oauth/dis***-pic*** using URL filter; content from cle***.com is still shown.

781515

The urlfilter daemon continuously crashes on the secondary unit.

798557

When a new URL filter entry is created and the list is re-ordered, the list position is not maintained.

WiFi Controller

Bug ID

Description

489759

Repeated internal_add_timer error messages appear on the console when running an automation script.

630085

A cw_acd crash is observed on the FortiGate when the FortiAP is deleted from the managed AP list.

745642

Consider not generating rogue AP logs once a certain AP has been marked as accepted.

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

750425

In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to 0.0.0.0 after using the FortiGate address.

757189

A batch of APs in a cluster report control messages that the maximum retransmission limit has been reached, and the APs disconnect from the FortiGate.

773027

Client limit description tooltip displayed in the GUI shows incorrect information.

773742

Two-factor authentication and WPA2-Enterprise WiFi conflict on remoteauthtimeout setting.

775157

A packet with a wrong IP header cannot be processed by the CAPWAP driver, which randomly causes the FortiGate to reboot.

776576

FortiAP upgrade panel still prompts to upgrade to the latest firmware, even when the FortiAP is already running the latest firmware.

780732

Unable to import MPSK keys in the GUI (CSV file into an SSID). An Invalid file content error appears.

783209

The arrp-profile table cannot be purged if no entry is in use.

783752

Improve arrp-profile configuration to avoid confusion.

790367

FWF-60F has kernel panic and reboots by itself every few hours.

791761

CAPWAP tunnel traffic over WPA2-Enterprise SSID is dropped when offloading is enabled on FG-1800F.

792738

The cw_acd process uses high CPU, which causes issues for FortiAP connecting with CAPWAP.

ZTNA

Bug ID

Description

770350

ZTNA tags do not follow the correct policy when bound in a single policy. They also do not work with groups.

770877

Traffic is blocked by mismatched ZTNA EMS tags in a forwarding firewall policy.

777669

The secondary IP address in the EMS dynamic address table does not match the expected policy.

799530

A wad crash occurs in wad_sched.c during device tag matching.

802715

ZTNA fails to match the policy when a tag is found for an endpoint in the EMS response.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

787111

FortiOS 7.0.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-43072

792067

FortiOS 7.0.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-0778

797229

FortiOS 7.0.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-27491

800259

FortiOS 7.0.6 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-2905