
Known issues

The following issues have been identified in version 7.2.0. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

727067

FortiGate should fix the interface between FortiGate and FortiAnalyzer for the CDR file.

794575

If FortiGate Cloud is selected as sandbox server under Security Fabric > Fabric Connectors, an anti virus profile with settings to Send files to FortiSandbox for inspection does not get saved in the GUI.

Workaround: configure the anti virus profile using the CLI.

795784

Able to bypass FortiOS AV inspection on email traffic when manipulating a MIME attachment with junk and pad characters in Base64.

823677

A scanunit crash occurs on call to fg_pcre_free.

Endpoint Control

Bug ID

Description

775742

Upgrade EMS tags to include classification and severity to guarantee uniqueness.

Explicit Proxy

Bug ID

Description

774442

WAD is NATting to the wrong IP pool address for the interface.

794255

Microsoft website (microsoft.com) cannot be mapped to the Microsoft-Web ISDB name for proxy policy.

798647

Explicit web proxy firewall policy cannot pass through HTTP traffic.

Firewall

Bug ID

Description

750081

Traffic can pass through EMAC VLAN interface but cannot be offloaded.

777231

Dashboard > FortiView Traffic Shaping page sometimes displays an undefined traffic shaper. This is cosmetic and does not impact functionality.

781144

On the Edit Virtual Server dialog under Policy & Objects > Virtual Servers, a Duplicate entry found error is displayed for the Virtual server IP and Virtual server port fields when there are no duplicate entries.

Workaround: edit the virtual server entries in the CLI.

794648

Cannot set src-vendor-mac in policy. The src-vendor-mac policy setting is not lost after upgrading from 7.0.5 and is still in the iprope.

801483

Packet drops noticed in the network when FortiGate is running 7.2.0 GA.

802834

On the Traffic Shaping > Traffic Shapers tab, the Bandwidth Utilization column indicates zero traffic when there is traffic present.

Workaround: view the traffic on the shaper in the CLI.

806113

The Traffic Shaping Policies edit dialog shows configured reverse shapers as disabled. This is a cosmetic issue and the reverse shaper is configured as defined.

FortiView

Bug ID

Description

787886

The tooltip for the Bandwidth column always displays the receiving bandwidth as zero on the Dashboard > FortiView Traffic Shaping page.

804177

When setting the time period to now filter, the table cannot be filtered by policy type.

GUI

Bug ID

Description

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

740508

Bandwidth widget shows incorrect traffic on FG-40F.

778844

Dashboard and Managed FortiAPs pages can take a long time to load when there are over 1000 FortiAPs configured.

781310

Policy & Objects > DNAT & Virtual IPs page can take more than 30 seconds to load if there are more than 25 thousand virtual IPs.

787550

HTTPSD daemon crashes frequently with signal 6 (aborted) at api_v2_page_result.

792045

FortiGate failed to view matched endpoints after viewing it successfully several times.

798161

System > Certificates page keeps spinning when trying to access it from Safari.

799160

Modem 1 Health is incorrectly displayed as Disconnected in the Diagnostics and Tools pane of the FortiExtenders page.

800632

Search bar on Addresses page does not complete loading and return a result when format is <IP>-<number>.

802292

Logs sourced from FortiAnalyzer Big Data show the incorrect time.

HA

Bug ID

Description

734040

Need a way for FortiManager to retrieve an HA-specific configuration of a secondary device through the primary device.

750087

Multicast convergence on HA failover.

750978

Interface link status of HA members goes down when cfg-revert tries to reboot post cfg-revert-timeout.

781463

FortiGate does not respond to ARP request for management-ip on interface if the interface IP is changed.

803354

After HA-AP failover, the FortiExtender WAN interface of the new primary cannot get the LTE IP address from FortiExtender.

807322

AWS HA does not update the prefix list in the route table.

Hyperscale

Bug ID

Description

810025

Using EIF to support hairpinning does not work for NAT64 sessions.

Intrusion Prevention

Bug ID

Description

779377

IPS fails to load a configuration if an NGFW policy uses the unrated category group or category of 0.

IPsec VPN

Bug ID

Description

773221

Traffic going through IPsec based on a loopback interface cannot be offloaded.

781403

IKE is consuming excessive memory.

787949

FortiGate sends duplicate SNMP traps if the tunnel is brought down on the local side.

790486

Support IPsec FGSP per tunnel failover.

803686

Tooltip in Dashboard > Network IPsec widget only displays one address for the local and remote addresses of the phase 2 selector.

810988

GUI does not allow IP overlap for a tunnel interface when allow-subnet-overlap is enabled (CLI allows it).

815969

Cannot apply dialup IPsec VPN settings modifications in the GUI when net-device is disabled.

Log & Report

Bug ID

Description

770352

On the Log & Report > Forward Traffic page, filters applied to an interface name with a comma (,) do not show the correct filtered results for that interface.

788724

The secondary FortiGate did not send the logs to the syslog server (sendmmsg failed to send data).

795595

Date/Time filter changes after setting the time.

797789

FortiGate goes into conserve mode because fgtlogd occupies too much memory.

Proxy

Bug ID

Description

766158

Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category.

793651

An expired certificate can be chosen when creating an SSL/SSH profile for deep inspection.

823814

Found WAD crash at signal 11 on wad_http_engine.c when ap.empty-cert-action is set to accept-unmanageable.

Routing

Bug ID

Description

618684

Static route remains in the routing table after HA failover, and the BFD is down on the new primary.

704322

After configuring static routes on IPsec tunnels using the Network > Static Routes page, a warning icon appears. This is cosmetic and does not affect functionality.

795213

On the Network > SD-WAN page, adding a named static route to an SD-WAN zone creates a default blackhole route.

796409

GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.

808840

After cloning a static route, the URL gets stuck with "clone=true".

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

741084

Entry-level FortiGate with Security Fabric enabled for 30 or more downstream FortiGates can go into conserve mode when loading the physical or logical topology pages, or running security rating reports.

Workaround: configure fewer downstream FortiGates in a Security Fabric configuration.

753742

Add distributed security rating and topology reports.

795687

On the Fabric Management page, some managed FortiSwitches are not shown.

799832

GCP bearer token is too long for the header in a google-cloud-function automation action.

803600

Automation stitch for a scheduled backup is not working.

807967

Add reliable message for creating event logs on upstream device for use by Report Runner.

SSL VPN

Bug ID

Description

486837

SSL VPN with external DHCP servers is not working.

616896

Link in SSL VPN portal to FortiClient iOS redirects to legacy FortiClient 6.0 rather than the latest 6.2.

763611

If dual-stack is enabled, the user connects to the tunnel with IPv6 and the tunnel is established successfully. When the user tries to access the IPv4 server to upload or download files, the network speed is very slow.

767832

After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.

795381

FortiClient Windows cannot be launched with SSL VPN web portal.

801308

FortiGuard should only provide an installer for FortiClient VPN, instead of the full FortiClient version.

802379

SSL VPN has memory leaks and crashes.

809473

When sslvpnd debugs are enabled, the SSL VPN process crashes more often.

811007

The auto-generated URL on the VPN > SSL-VPN Settings page shows the management IP of the FortiGate instead of the SSL VPN interface port IP as defined on the VPN > SSL-VPN Realms page when a realm is created.

811492

SSL VPN should not leak information while performing Telnet.

817843

Logging out of SSL VPN tunnel mode does not clear the authenticated list.

Switch Controller

Bug ID

Description

774441

FortiLink topology only displays partially.

794026

FortiGates quarantines are stuck at 256.

799860

FortiSwitch online/offline status is not consistent between the CLI and SNMP.

803307

The Enable STP security control description should be reworded to mention that Edge ports should have STP enabled once the network topology is stable.

805154

Switch controller preconfiguration of FortiSwitch 108F-POE is incorrect.

810550

Send DHCP/ARP packet failed, and get errno = 6 in log when config-sync runs.

System

Bug ID

Description

540389

Remote administrator password renewal shows remote token instead of new password (CLI and GUI).

716250

Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.

734912

When VDOMs are enabled, changing system settings causes the GUI to display a failure to save message.

758490

The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.

766058

FortiGate central management is configured on the backup mode ADOM, and any changes done on the FortiGate are not recorded in the FortiManager.

786255

Cached topology reports cause the FortiGate to run out of flash storage on low-end models.

787557

Sudo command is not working inconsistently.

787595

FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.

799255

Any configuration change on FG-2601F causes a cmbdr crash with signal 6 and traffic to stop flowing.

800294

Interface migration wizard fails to migrate interfaces when VLANs have dependencies within dependencies.

801053

FG-1800F existing hardware switch configuration fails after upgrading.

802917

PPPoE virtual tunnel drops traffic after logon credentials are changed.

810622

Message regarding VDOM names longer than 11 characters is shown when set long-vdom-name is enabled.

819640

SSH public key changes after every reboot.

821773

Manual license for air-gap environments is lost after rebooting the FortiGate.

User & Authentication

Bug ID

Description

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

790941

When logged in with an administrator profile using a wildcard RADIUS user, creating a new dashboard widget fails.

813355

Additional information from user ID login should be displayed.

813407

Captive portal authentication with RADIUS user group truncates the token code to eight characters.

VM

Bug ID

Description

799536

Data partition is almost full on FG-VM64 platforms.

782073

IBM HA is unable to fail over route properly when route table has a delegate VPC route.

809963

Get cmdbsvr crash after concurrent performance test on FG-KVM32.

Web Filter

Bug ID

Description

798557

When a new URL filter entry is created and the list is re-ordered, the list position is not maintained.

Workaround: save changes after creating the new URL filter entry, re-order the list, and save the changes again.

WiFi Controller

Bug ID

Description

796036

Manual quarantine for wireless client connected to SSID on multi-VDOM with wtp-share does not work.

ZTNA

Bug ID

Description

792829

WAD re-challenges user authentication upon HA failover.

799530

Found wad crash at wad_sched.c upon device tag matching.

802715

ZTNA failed to match the policy when a tag is found for an endpoint in the EMS response.
