Resolved issues

The following issues have been fixed in version 7.0.8. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

727067

FortiGate should fix the interface between FortiGate and FortiAnalyzer for the CDR file.

800731

Flow AV sends HTML files to the FortiGate Cloud Sandbox every time, even when HTML is not configured in the file list.

805655

A scanunit crash with signal 11 occurs for SMTP and QP encoding.

DNS Filter

Bug ID

Description

790974

When the DNS static domain filter entry's action is set to allow, it skips DNS translation.

800497

In flow mode with set status disable in the static domain filter, the entry still works when enabled in the DNS filter.

Endpoint Control

Bug ID

Description

775742

Upgrade EMS tags to include classification and severity to guarantee uniqueness.

803198

Intermittent FortiOS failure occurs when using a redundant EMS configuration, because the EMS FQDN was resolved only once and the DNS entry later expires or the DNS is used for load balancing.

817140

Device is constantly unauthorized in EMS when using set interface-select-method sdwan.

Explicit Proxy

Bug ID

Description

744564

Expand web proxy header content string size from 256 to 512, then to 1024.

794124

HTTPS websites are not accessible if certificate-inspection is set in a proxy policy.

803228

When converting an explicit proxy session to SSL redirect, traffic may be interrupted inadvertently in some situations.

816879

When an explicit proxy is enabled with IP pools, certificate inspection probe sessions use the interface IP instead of IPs from the configured IP pool. Therefore, when an interface IP is not allowed to connect externally, the probe session fails and causes traffic to not work.

Firewall

Bug ID

Description

677855

cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.

773035

Custom service name is not displayed correctly in logs with a port range of more than 3000 ports.

784766

When a FortiGate virtual server for Exchange incorrectly indicates to the Exchange server that it does not support secure renegotiation when it should, the Exchange server terminates the connection and returns an ERR_EMPTY_RESPONSE.

800730

When using NGFW policy-based mode, modifying a security policy causes all sessions to be reset.

808264

Stress test shows packet loss when testing with flow inspection mode and application control.

815565

Unable to connect to the reserved management interface allowed by the local-in policy.

823917

Packet loss occurs due to a high amount of fragment reassembly failures.

824091

Promethean Screen Share (multicast) is not working on the member interfaces of a software switch.

827780

ISDB source matching is inconsistent between transparent and NAT modes.

829071

Geolocation block on VIP object fails with a seemingly correct configuration.

829664

Kernel panic occurs while collecting the debug flow.

830823

Traffic is dropped intermittently by the implicit deny policy, even though there is a valid policy on the FortiGate.

832217

Traffic is hitting the implicit deny policy when changes are made to a policy.

FortiView

Bug ID

Description

804177

When setting the time period to now filter, the table cannot be filtered by policy type.

811095

Threat type N/A - Static URL Filter is showing on sources that do not have the URL filter enabled.

819924

Information disappears after some time on the FortiView pages.

GUI

Bug ID

Description

729406

New IPsec design tunnel-id still displays the gateway as an IP address, when it should be a tunnel ID.

749843

Bandwidth widget does not display traffic information for VLAN interfaces when a large number of VLAN interfaces are configured.

777145

Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch's operation.

794757

Inbound traffic on the interface bandwidth widget shows 0 bps on the VLAN interface.

798161

System > Certificates page keeps spinning when trying to access it from Safari.

802292

Logs sourced from FortiAnalyzer Big Data show the incorrect time.

804584

On the policy dialog page, the Select Entries box for the Service field does not list all service objects if an IPv6 address is in the policy.

807197

High iowait CPU usage and memory consumption issues caused by report runner.

819272

When a VLAN belongs to a zone, and the zone is used in a policy, editing the VLAN ID changes the policy's position in the table.

825377

Managed FortiSwitches page, policy pages, and some FortiView widgets are slow to load.

833774

GUI needs to allow the members of the software switch interface to be used in IPv4/IPv6 multicast policy.

HA

Bug ID

Description

722703

ISDB is not updating; last update attempt is stuck at an older date.

750829

In large customer configurations, some functions may time out, which causes an unexpected failover and keeps high cmdbsvr usage for a long time.

750978

Interface link status of HA members goes down when cfg-revert tries to reboot after cfg-revert-timeout.

782734

Cluster is out-of-sync due to switch controller managed switch checksum mismatch.

785514

In some situations, the fgfmd daemon is blocked by a query to the HA secondary checksum, which causes the tunnel between the FortiManager and FortiGate to go down.

788702

Due to an HA port (Intel i40e) driver issue, not all SW sessions are synchronized to the secondary, so there is a difference.

803354

After HA-AP failover, the FortiExtender WAN interface of the new primary cannot get the LTE IP address from FortiExtender.

816883

High CPU usage on secondary device, and CPU lacks the AVX feature needed to load libdpdk.so.

817942

Secondary cluster member's iprope traffic statistics are not updated to the original primary after an A-P HA failover.

819872

HA split brain scenario occurs after upgrading from 6.4.6 to 7.0.6, and HA heartbeats are lost followed by a kernel panic. Affected platforms: NP7 models.

822449

FGCP in standby sends GARP with physical MAC when it boots up.

823687

A cluster is repeatedly out-of-sync due to external files (SSLVPN_AUTH_GROUPS) when there are frequent user logins and logouts.

824651

Certificate upload causes HA checksum mismatch.

826188

Secondary FortiGate FQDN is stuck in the queue, even if the primary FortiGate FQDN has already been resolved.

829390

When the internet service name management checksum is changed, it is out-of-sync when the auto-update is disabled on FortiManager.

830463

After shutting down the HA primary unit and then restarting it, the uptime for both nodes is zero, and it fails back to the former primary unit.

Hyperscale

Bug ID

Description

782674

A few tasks are hung on issuing stat verbose on the secondary device.

804742

After changing hyperscale firewall policies, it may take longer than expected for the policy changes to be applied to traffic. The delay occurs because the hyperscale firewall policy engine enhancements added to FortiOS 7.0.6 may cause the FortiGate to take extra time to compile firewall policy changes and generate a new policy set that can be applied to traffic by NP7 processors. The delay is affected by hyperscale policy set complexity, the total number of established sessions to be re-evaluated, and the rate of receiving new sessions.

805846

In the FortiOS MIB files, the trap fields fgFwIppStatsGroupName and fgFwIppStatsInusePBAs have the same OID. As a result, the fgFwIppStatsInusePBAs field always returns a value of 0.

810025

Using EIF to support hairpinning does not work for NAT64 sessions.

810366

Unrelated background traffic gets impacted after changing a policy when a hyperscale license is used.

810379

Creating an access control list (ACL) policy on a FortiGate with NP7 processors causes the npd process to crash.

812833

FortiGate still holds npu-log-server related configuration after removing hyperscale license.

812844

Default static route does not work well for a hyperscale VDOM.

835697

Interface routes under DHCP mode remain in LPMD after moving the interface to another VDOM.

836474

Changes in the zone configuration are not updated by the NPD on hyperscale.

837270

Allowing intra-zone traffic is now supported in hyperscale firewall VDOMs. Options to block or allow intra-zone traffic are available in the GUI and CLI.

ICAP

Bug ID

Description

832515

Bad gateway occurs using ICAP with explicit proxy under traffic load.

Intrusion Prevention

Bug ID

Description

695464

High IPS engine CPU usage due to recursive function call.

755859

The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

771000

High CPU in all cores with device running with one interface set as a one-arm sniffer.

798961

High CPU usage occurs on all cores in system space in __posix_lock_file for about 30 seconds when updating the configuration or signatures.

809691

High CPU usage on IPS engine when certain flow-based policies are active.

IPsec VPN

Bug ID

Description

757696

Implementing the route-overlap setting on phase 2 configurations brings tunnels down until a reboot is performed on the FGSP cluster.

763205

IKE crashes after HA failover when the enforce-unique-id option is enabled.

765868

The packets did not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models.

778243

When net-device is enabled on the hub, the tunnel interface IP is missing in the routing table.

778974

BGP route is inactive in the routing table after the hub's IPsec tunnel binding interface bounces.

787949

FortiGate sends duplicate SNMP traps if the tunnel is brought down on the local side.

790486

Support IPsec FGSP per tunnel failover.

798045

FortiGate is unable to install SA (failed to add SA, error 22) when there is an overlap in configured selectors.

805301

Enabling NPU offloading in the phase 1 settings causes a complete traffic outage after a couple of ping packets pass through.

807086

ADVPN hub randomly initiates secondary tunnel to spoke, causing spoke to drop tunnel traffic for RPF check fail.

810988

GUI does not allow IP overlap for a tunnel interface when allow-subnet-overlap is enabled (CLI allows it).

814366

There are no incoming ESP packets from the hub to spoke after upgrading.

815253

NP7 offloaded egress ESP traffic is not sent out of the FortiGate.

815969

Cannot apply dialup IPsec VPN settings modifications in the GUI when net-device is disabled.

824532

IPsec learned route disappears from the routing table.

825523

NP7 drops outbound ESP after IPsec VPN is established for some time.

827350

Dialup selector routes are not deleted after iked crash.

828467

IKE repeatedly crashes with the combination of DDNS and dialup gateways.

828541

IPsec DPD packets keep getting sent while IPsec traffic passes through the tunnel (DPD mode is on-idle).

830252

IPsec VPN statistics are not increasing on the device.

836260

The IPsec aggregate interface does not appear in the Interface dropdown when configuring the Interface Bandwidth widget.

Limitations

Bug ID

Description

799831

Hyperscale fixed allocation CGN client is limited to 65 thousand addresses, and the CGN start port might be ignored.

Log & Report

Bug ID

Description

790893

Free-style filter for UTM logs does not work when set forward-traffic is disabled.

814427

FortiGate error in FortiAnalyzer connectivity test on secondary device after upgrade.

814758

Get an intermittent error when running execute log fortianalyzer-cloud test-connectivity.

821359

FortiGate appears to have a limitation in the syslogd filter configuration.

821494

Forward traffic logs intermittently fail to show the destination hostname.

837435

Syslogd fails to send logs for some log IDs, including traffic log IDs 3, 4, 5, 6, 7, and 11.

Proxy

Bug ID

Description

745701

An issue occurs with TLS 1.3 and the 0-RTT process where Firefox cannot access https.google.com using proxy-based UTM with certificate inspection.

768278

WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out.

780182

WAD crash occurred when forwarding the release bytes from the IPS engine to the server and the connection to the server is closed.

793651

An expired certificate can be chosen when creating an SSL/SSH profile for deep inspection.

795360

Apple push notification service fails with proxy-based inspection.

799237

WAD crash occurs when TLS/SSL renegotiation encounters an error.

799381

WAD crash occurs when TLS 1.2 receives the client certificate and that server-facing SSL port has been closed due to the SSL bypass.

800125

Even if the policy is set to deny FTP_PUT, file uploads are permitted when the UTM feature is enabled.

803286

Inspecting all ports in deep inspection is dependent on previous protocol port mapping settings.

803380

Device is consuming high memory and entering conserve mode, possibly due to a WAD memory leak.

807332

WAD does not forward the 302 HTTP redirect to the end client.

807431

File from AWS S3 fails to download with UTM, deep inspection, and proxy configured.

808831

Upgrading to 7.0.5 broke IM controls and caused Zalo chat file transfer issues.

809346

FTPS helper is not opening pinholes for expected traffic for non-standard ports.

811259

WAD memory leak occurs with IPS enabled.

813562, 823247, 823829, 829428

When an LDAP user is authenticated in a firewall policy, the WAD user-info process has a memory leak causing the FortiGate to enter conserve mode.

815313

WAD crash occurred due to a certificate validation failure.

822039

WAD crash occurs on FG-61E, FG-101F, FG-61F, FG-200E, and FG-401E during stress testing.

822271

Unable to access a website when deep inspection is enabled in a proxy policy.

825496

Explicit proxy traffic is terminated when IPS is enabled. The exact failure happened upon certificate inspection.

830166

When WAN optimization is disabled and the dispatcher sends the tunnel manager listener to the workers, the workers cannot handle it properly and a WAD crash segmentation fault occurs.

830450

Changing the virtual server configuration during traffic caused the old configuration to flush, which resulted in a WAD crash.

830907

WAD crash occurs when configuring a proxy policy with no member in an address group.

834314

ICAP client timeout issue causes WAD segmentation fault crash after upgrading to 7.0.6 from 6.4.

REST API

Bug ID

Description

836760

The start parameter has no effect with the /api/v2/monitor/user/device/query API call.

Routing

Bug ID

Description

756955

Routing table does not reflect the new changes for the static route until the routing process is restarted when cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.

769330

Traffic does not fail over to alternate path upon interface being down (FGR-60F in transparent mode).

774136

VPN traffic is not being metered by DoS policy when using SD-WAN.

776244

SD-WAN health check with FortiGate TWAMP server causes very high packet loss.

779113

A new route check is added to make sure the route is removed when the link-monitor object fails on ARM-based platforms.

795213

On the Network > SD-WAN page, adding a named static route to an SD-WAN zone creates a default blackhole route.

796070

Incorrect SD-WAN kernel routes are used on the secondary device.

796409

GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.

805285

SIP-RTP fails after a route or interface change.

806939

Routing issue with ADVPN and SD-WAN if IPsec aggregate interfaces are configured.

808840

After cloning a static route, the URL gets stuck with "clone=true".

812982

SD-WAN performance SLAs on a dialup IPsec VPN tunnel do not work as expected.

822659

Secure SD-WAN Monitor in FortiAnalyzer does not show graphs when the SLA target is not configured in SD-WAN performance SLA.

823293

Disabling BFD causes an OSPF flap/bounce.

826797

When a dynamic address fails, it becomes 0.0.0.0/0 in the SD-WAN rule.

828121

In a BGP neighbor, the allowas-in 0 value is confusing and not accepted by the GUI for validation (1-10 required).

828345

Wrong MAC address is in the ARP response for VRRP IP instead of the VRRP virtual MAC.

830254

When changing interfaces from dense mode to sparse mode, and then back to dense mode, the interfaces did not show up under dense mode.

833399

Static routes are incorrectly added to the routing table, even if the IPsec tunnel type is static.

Security Fabric

Bug ID

Description

800986

A downstream FortiGate is sending the config trusted-list to FortiManager in the auto update.

803600

Automation stitch for a scheduled backup is not working.

814796

The threat level threshold in the compromised host trigger does not work.

815984

Azure SDN connector has a 403 error when the AZD restarts.

822015

Unable to resolve dynamic address from ACI SDN connector on explicit web proxy.

SSL VPN

Bug ID

Description

626311

SSL VPN users are remaining logged on past the auth-timeout value.

676278

Custom host check AV and firewall for macOS fails for FortiClient SSL VPN.

697142

SharePoint server (de***.sc***.gov.sa) is not working on web-based VPN.

767832

After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.

780765

High CPU usage in SSL VPN using libssh2.

784426

SSL VPN web mode has problems accessing ComCenter websites.

786056

VNC using SSL VPN web mode disconnects after 10 minutes.

789642

Unable to load Grafana application through SSL VPN web mode.

796768

SSL VPN RDP is unable to connect to load-balanced VMs.

799308

SSL VPN bookmark is not working.

805922

Unable to configure ssl.root as the associated-interface in a firewall address.

807268

Many SSL VPN users are disconnected periodically, and sslvpnd crashes.

809209

SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time.

809473

When sslvpnd debugs are enabled, the SSL VPN process crashes more often.

809717

EICAR file cannot be blocked through the SSL VPN policy when NTurbo is enabled.

810715

Web application is not loading in the SSL VPN web mode.

811007

The auto-generated URL on the VPN > SSL-VPN Settings page shows the management IP of the FortiGate instead of the SSL VPN interface port IP as defined on the VPN > SSL-VPN Realms page when a realm is created.

814040

SSL VPN bookmark configuration is added automatically after client logs in to web mode.

814708

The same SAML user failed to establish a tunnel when a stale web session exists with limit-user-logins enabled.

816716

sslvpnd crashed when deleting a VLAN interface.

816881

TX packet loss on ssl.root interface.

817843

Logging out of SSL VPN tunnel mode does not clear the authenticated list.

818196

SSL VPN does not work properly after reconnecting without authentication and a TX drop is found.

819296

GUI should not use <server_ip> as a sender to send the SSL VPN configuration (it should use value set in reply-to).

820561

TX packet loss on ssl.root interface caused by TCP checksum error.

823054

Internal website with JavaScript lacks some menus in SSL VPN web mode.

829955

When using SSL VPN to do auto-reconnect without authentication, it always fails the second time it tries to reconnect.

834713

Getting re-authentication pop-up window for VNC quick connection over SSL VPN web proxy.

841705

SSL VPN web mode access is not working for specific configured URLs.

Switch Controller

Bug ID

Description

794026

The number of quarantined MAC addresses is stuck at 256 due to table size limitations on the FortiGate.

803307

The Enable STP security control description should be reworded to mention that Edge ports should have STP enabled once the network topology is stable.

805154

Switch controller preconfiguration of FortiSwitch 108F-POE is incorrect.

810550

When config-sync runs between a FortiGate and a managed FortiSwitch, RSPAN interfaces get deleted and re-added, which causes syslog errors from FortiSwitch.

836604

The 40000cr4 port speed is not available under the switch-controller managed-switch port speed settings.

System

Bug ID

Description

675558

SFP port with 1G copper SFP is always up.

686135

The dnp process goes to 100% CPU usage as soon as the configuration is downloaded via SCP. Affected platforms: FGR-60F and FGR-60F-3G4G.

709679

A "can not set mac address(16)" error message appears when setting a MAC address on an interface in HA that is already set.

713951

Not all ports are coming up after a LAG bounce on an 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E.

748409

Client traffic from VLAN to VXLAN encapsulation traffic is failing after upgrading.

751715

Random LTE modem disconnections occur because certain carriers become unstable when the WWAN modem USB speed is under super-speed.

751870

User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.

764954

FortiAnalyzer serial number automatically learned from miglogd does not send it to FortiManager through the automatic update.

780315

Poor CPS performance with VLAN interfaces in firewall only mode (NP7 and NP6 platforms).

781960

A dhcpd crash log occurs.

782962

PSU alarm log and SNMP trap are added for FG-10xF and FG-8xF models.

783939

IPv4 session is flushed after creating a new VDOM.

787144

FortiExtender virtual interface on the FortiGate is not receiving the IP address when mapping FortiExtender to it.

787595

FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.

787929

Deleting a VDOM that contains EMAC interfaces might affect the interface bandwidth widget of the parent VLAN.

797428

SNMP status for NPU is not available on NP6xlite.

798091

After upgrading from 6.4.9 to 7.0.5, the FG-110xE's 1000M SFP interface may fail to auto-negotiate and cannot come up due to the missed auto-negotiation.

798303

The threshold for conserve mode is lowered.

800294

Interface migration wizard fails to migrate interfaces when VLANs have dependencies within dependencies.

800615

After a device reboot, the modem interface sometimes does not have a stable route with the local carrier.

801040

Session anomaly was incorrectly triggered even though concurrent sessions on the FortiGate were below the configured threshold.

801053

FG-1800F existing hardware switch configuration fails after upgrading.

801474

DHCP IP lease is flushed within the lease time.

805122

In FIPS-CC mode, if cfg-save is set to revert, the system will halt a configuration change or certificate purge.

805345

In some cases, the HA SNMP OID responds very slowly or does not work correctly.

805412

DHCPv6 authentication option offer is not accepted from the server.

807947

Unable to create new interface and VDOM link with names that contain spaces.

809030

Traffic loss occurs when running SNAT PBA pool in a hyperscale VDOM. The NP7 hardware module PRP got stuck, which caused the NP7 to hang.

810104

Under certain trace condition scenarios, a kernel panic may be triggered on new kernel platforms after failover with HTTP CCS followed by SIP64 traffic.

810466

EHP and HRX drop on NP6 FortiGate, causing low throughput.

810583

Running diagnose hardware deviceinfo psu shows the incorrect PSU slot.

810879

DoS policy ID cannot be moved in GUI and CLI when enabling multiple DoS policies.

811350

Packets drop when the standby device is turned on.

811367

Ports 33-35 constantly show suspect messaging in the transceiver output. Affected platforms: FG-2600F and FG-2601F.

811449

With new DNS system servers that have DoT enabled, applying a DNS filter to the FortiGate DNS server fails.

812499

When traffic gets offloaded, an incorrect MAC address is used as a source.

813223

Random kernel panic occurs when the following IPsec VPN phase 2 interface configuration is used:

config vpn ipsec phase2-interface
    edit <name>
        set keylife-type both
        set keylifeseconds 28800
        set keylifekbs 4608000
    next
end

813606

DHCP relay offers to iPhones are blocked by the FortiGate.

814002

FortiGate may enter the kernel panic in HA environment and when sending multicast traffic on new kernel platforms.

815360

NP7 platforms may encounter a kernel panic when deleting more than two hardware switches at the same time.

815692

Slow upload speeds when connected to FIOS connection. Affected platforms: NP6Lite and NP6xLite.

816278

Memory increase due to iked process.

816385

When creating an inner VLAN CAPWAP interface or sending inner VLAN traffic when the FortiGate is rebooting/upgrading from capwap-offload disable status, these actions trigger a freeze. Affected platforms: NP7 models.

816823

NP6xLite test failed when running diagnose hardware test pci.

818461

When an aggregate is created after all VLANs and added to a software switch, all VLANs are lost after rebooting.

818811

NTurbo crash occurs when offloading SSL mirror traffic.

819460

There is no 1000auto option under the ports. Affected platforms: FG-110xE.

821366

PPPoE is not working on FG-60E wan2 interface.

823589

When pushing a script from FortiManager to FortiGate, FortiOS will sometimes send the CLI change to FortiManager with the FGFM API. If the tunnel is not up, the session will not exist and it causes a code crash.

824464

CMDB checksum is not updated when a certificate is renewed over CMP, causing a FortiManager failure to synchronize with the certificate.

825741

DoS policy with custom service does not work as expected on a PPPoE interface.

826440

Null pointer causing kernel crash on FWF-61F.

829598

Constant increase (3%-4%) in memory occurs every day.

830415

FEX-40D-NAM model support was removed after upgrading to 7.0.6 or 7.0.7.

832948

Signature updating from FortiManager does not work after cloud communication is disabled.

832982

High fcnacd usage occurs and unable to retrieve EMS information from the FortiGate CLI.

834138

Kernel panic occurs due to VXLAN.

834414

When the uplink modem is restarted, the FortiGate interface configured as PPPoE is unable to obtain an IP address.

834641

Unable to remove DDNS entry frequently, even if the DDNS setting is disabled.

834762

Kernel panic occurs on secondary HA node on NP7 models (7.0.6).

836049

Unexpected device reboots with the kernel panic error on NP7 models.

837110

Burst in multicast packets is causing high CPU usage on multiple CPU cores.

838933

DoS anomaly has incorrect threshold after loading a modified configuration file.

839190

Running get system auto-update versions causes newcli to crash and the prints quit at the MAC address database.

840175

Random kernel panic occurs and causes the device to reboot.

Upgrade

Bug ID

Description

803041

Link lights on the FG-1100E fail to come up and are inoperative after upgrading.

803171

Upgrade takes longer than expected, and a synchronization error caused by PPP occurs when HA upgrades.

User & Authentication

Bug ID

Description

749694

A fnbamd crash is caused by an LDAP server being unreachable.

754725

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

813407

Captive portal authentication with RADIUS user group truncates the token code to eight characters.

822684

When multiple FSSO CA connections are configured at the same time, only the last configured FSSO connection comes up.

825505

After a few days, some devices are not displayed in the Users & Devices > Device Inventory widget and WiFi & Switch Controller > FortiSwitch Ports page's Device Information column due to a mismatch in the device count between the following commands.

  • diagnose user device list
  • diagnose user device stats
  • diagnose user-device-store device memory list

825759

The Device detection option is missing in the GUI for redundant interfaces (CLI is OK).

833802

RADIUS re-authentication is not following RFC 2865 standards.

VM

Bug ID

Description

786278

Bandwidth usage is not shown when DPDK is enabled.

793914

HA is not in sync when a dynamic AWS service SMTP address object is retrieving a dynamic update from AWS.

798717

Traffic/session logging incorrectly refers to SR-IOV secondary interfaces when the Rx is from fast path.

803219

Azure SDN connector might miss dynamic IP addresses due to only the first page of the network interface being processed.

809963

A cmdbsvr crash occurs on FG-KVM32 after running a concurrent performance test.

820457

Dynamic address objects are removed after an Azure API call fails, causing legitimate traffic to be dropped.

825464

Every time the FortiGate reboots, the certificate setting reverts to self-sign under config system ftm-push.

WAN Optimization

Bug ID

Description

804662

WANOpt tunnels are not established for traffic matching the profile.

Web Application Firewall

Bug ID

Description

817673

Problem accessing some web servers when WAF and AV are enabled in same policy (proxy inspection mode).

Web Filter

Bug ID

Description

789804

Web filter configured to restrict YouTube access does not work.

816781

FGSP cluster with UTM blocks websites when NTurbo or offloading is enabled.

WiFi Controller

Bug ID

Description

790367

FWF-60F has kernel panic and reboots by itself every few hours.

795821

The new sae-h2e-only WPA3-SAE SSID setting may cause a backward compatibility issue where some Wi-Fi devices may not associate with managed FortiAP units running previous firmware versions:

  • FortiAP 6.4.8, 7.0.5, 7.2.0 and earlier
  • FortiAP-W2 6.4.8, 7.0.5, 7.2.0 and earlier
  • FortiAP-S 6.4.8 and earlier
  • FortiAP-U 6.2.4 and earlier

Solution:

  • FortiAP and FortiAP-W2 units may be upgraded to 7.2.1 if applicable
  • FortiAP and FortiAP-W2 issue will be fixed in later 6.4 and 7.0 releases
  • FortiAP-S issue will be fixed in a later 6.4 release
  • FortiAP-U units may be upgraded to 6.2.5

796036

Manual quarantine for wireless client connected to SSID on multi-VDOM with wtp-share does not work.

807605

FortiOS exhibits segmentation fault on hostapd on the secondary controller configured in HA.

807713

FortiGate is not sending RADIUS accounting message consistently to RADIUS server for wireless SSO.

809623

CAPWAP traffic is dropped when capwap-offload is enabled.

811953

Configuration installation from FortiManager breaks the quarantine setting, and the VAP becomes undeletable.

821803

Wireless multicast traffic causes the cw_acd process to have high CPU usage and triggers a hostapd crash.

824441

Suggest replacing the IP Address column with MAC Address in the Collected Email widget.

827902

CAPWAP data traffic over redundant IPsec tunnels failing when the primary IPsec tunnel is down (failover to backup tunnel).

831932

The cw_acd process crashes several times after the system enters conserve mode.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

789153

FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-38378

795784

FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-26122

810989

FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-38380

811492

FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-35842

819640

FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-30307

825695

FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-35843

846854

FortiOS 7.0.8 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-40684
