Resolved issues

The following issues have been fixed in version 7.2.0. For inquiries about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

701658

High CPU utilization because of scanunitd process spike and crash.

769563

Archive bomb detection made more lenient to prevent false positives.

Data Leak Prevention

Bug ID

Description

763687

If a filter configured with set archive enable matches an HTTP POST, the file is not submitted for archiving (unless full-archive proto is enabled).

DNS Filter

Bug ID

Description

692482

DNS filter forwards the DNS status code 1 FormErr as status code 2 ServFail in cases where the redirect server responses have no question section.

748227

DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.

Endpoint Control

Bug ID

Description

777294

Fabric connection failure between EMS and FortiOS.

793162

Sometimes the FortiGate fails to resolve a FortiClient MAC or IP in the firewall dynamic address table.

Explicit Proxy

Bug ID

Description

754191

Websites are not accessible if the certificate-inspection SSL-SSH profile is set in a proxy policy.

754259

When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.

755298

SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.

765761

Firewall with forward proxy and UTM enabled is sending TLS probe with forward proxy IP instead of real server IP.

766127

PAC file download fails with incorrect service error after upgrading to 7.0.2.

771152

GUI does not display Source Address field when using a proxy address group in authentication rules.

780211

diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.

783946

Explicit proxy policy does not deny request for ClearPass object if it is used as a source.

785342

FortiGate explicit proxy does not work with SOCKS4a.

Firewall

Bug ID

Description

644638

Policy with a Tor exit node as the source is not blocking traffic coming from Tor.

724145

Expiration timer of expectation session may show a negative number.

744888

FortiGate drops SERVER HELLO when accessing some TLS 1.3 websites using a flow-based policy with SSL deep inspection.

747190

When auto-asic-offload is enabled in policy, IP-in-IP sessions show as expired while tunnel traffic goes through the FortiGate.

752784

Packet is dropped due to the wrong UDP header length. The NP6XLite driver and kernel drop the packet because of the transport header check.

761494

HTTP persistence not working for HTTP cookie and SSL session ID for round-robin load balancer.

761646

FQDN address and FQDN custom service do not work as expected in security policy.

767226

When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet's source IP instead of the external IP.

767294

The match-vip option is only useful for deny policies; however, its flag is not cleared after changing the policy action from deny to accept. When a policy uses a mapped FQDN VIP, the destination field of the iprope policy accepts the full IP range.

770668

The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.

773035

Custom services name is not displayed correctly in logs with a port range of more than 3000 ports.

775783

Get httpsd signal 11 crash when inline editing custom service from policy list page with FortiGate support tool running.

778513

Forward traffic logs do not show MAC address object name in Device column.

779902

FortiGate policy lookup does not work as expected (in the GUI and CLI) when the destination interface is a loopback interface.

784939

Dashboard > Load Balance Monitor is not loading in 7.0.4 and 7.0.5.

FortiView

Bug ID

Description

546312

Application filter does not work when the source is ISDB or unscanned.

765993

Dashboard > FortiView Sources - WAN monitor does not show data for VLAN interface.

GUI

Bug ID

Description

473841

Newly created deny policy incorrectly has logging disabled and can not be enabled when the CSF is enabled.

535099

The SSID dialog page does not have support for the new MAC address filter.

535794

Policy page should show new name/content for firewall objects after editing them from the tooltip.

630216

A user can browse HA secondary logs in the GUI, but when a user downloads these logs, it is the primary FortiGate logs instead.

663558

Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

720192

GUI logs out when accessing FortiView monitor page if the VDOM administrator only has ftviewgrp permission.

729324

Managed FortiAPs and Managed FortiSwitches pages keep loading when VDOM administrator has netgrp and wifi read/write permissions.

730533

On the Policy & Objects > Firewall Policy page, an unclear error message appears when a user creates a new SSL VPN policy with a web mode portal and a VIP or VIP group is used as the destination address.

746239

On the Policy & Objects > Virtual IP page the GUI does not allow the user to configure two virtual IPs with different service for the same external/mapped IP and external interface.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

750490

Firewall policy changes made in the GUI remove the replacement message group in that policy.

751219

Last Login in SSL-VPN widget is shown as NaN on macOS Safari.

751482

cmbdsvr signal 11 crash occurs when a wildcard FQDN is created with a duplicate ID.

753398

httpsd crashes after NGFW policy is deleted.

754539

On the Policy & Objects > Addresses page, filters applied on the Details column do not work.

755625

Application control profile cannot be renamed from the GUI.

755893

Dashboard menus are not translated for non-English languages.

756420

On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up.

757130

After upgrading, the new ACME certificates configured in the GUI are using the staging environment.

757606

Dashboard > Users & Devices > Firewall Users widget cannot load if there is a client authenticated by the WiFi captive portal.

758820

The GUI cannot restore a CLI-encrypted configuration file saved on a TFTP server. There is no issue for unencrypted configuration files or if the file is encrypted in the GUI.

760863

PPPoE interface is not selectable if interface type is SSL-VPN Tunnel.

761615

Unable to see details of Apache.Struts.MPV.Input.Validation.Bypass log.

761658

Failed to retrieve information warning appears on secondary node faceplate.

761933

FSSO user login is not sorted correctly by duration on Firewall Users widget.

762683

The feature to send an email under User & Authentication > Guest Management is grayed out.

763724

After the current session is disconnected, pressing the Enter key does not restart a new session on the GUI CLI console.

764744

On the Network > Explicit Proxy page, the GUI does not support configuring multiple outgoing IP addresses.

768261

After a failed administrator login attempt due to a missing two-factor authentication token, the next login attempt for another administrator may incorrectly result in an authentication failure.

770948

When using NGFW policy-based mode, the VPN > Overlay Controller VPN option is removed.

772311

On the LDAP server page, when clicking Browse beside Distinguished Name and then clicking OK after viewing the query results, the LDAP server page is missing fields containing the server settings.

776969

Unable to select and copy serial number from System Information dashboard widget.

777145

Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch's operation.

778258

Unable to set IP address for IPsec tunnel in the GUI.

778542

Local domain name disappears from the GUI after clicking API Preview.

778932

MAC address name is not displayed in the Device column in the Asset Identity Center.

783152

Filtering by Status in the SD-WAN widget is not working.

787007

httpsd is crashing without any interaction on the GUI at api_cleanup_cache in api_cmdb_v2_handler.

788935

GUI is slow to load when CDN is enabled and accessed on a closed network.

HA

Bug ID

Description

664929

The hatalk process crashed when creating a disabled VLAN interface in an A-P cluster.

683584

The hasync process crashed because the write buffer offset is not validated before using it.

683628

The hasync process crashes often with signal 11 in cases when a CMDB mmap file is deleted and some processes still mmap the old file.

701367

In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.

714788

Uninterruptible upgrade might be broken in large-scale environments.

738728

The secondary unit tries to contact the forward server for sending the health check packets when the healthcheck under web-proxy forward-server is enabled.

744349

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

750004

The secondary FortiGate shows a DHCP IP was removed due to conflict, but it is not removed on the primary FortiGate.

750829

In large customer configurations, some functions may time out, which causes an unexpected failover and keeps high cmdbsvr usage for a long time.

751072

HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.

752892

PPPoE connection gets disconnected during HA failover.

752928

fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.

752942

When the secondary is being synchronized, the GARP is sent out from the secondary device with the physical MAC address.

753295

Configuration pushed from FortiManager does not respect standalone-config-sync and is pushed to all cluster members.

754599

SCTP sessions are not fully synchronized between nodes in FGSP.

757494

A member might not be able to be added to an aggregate interface that is down in an HA cluster.

760562

hasync crashes when the size of hasync statistics packets is invalid.

761581

Tunnel to Fortimanager is down log message is generated on the secondary FortiGate unit (without HA management interface).

764873

FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.

765619

HA desynchronizes after user from a read-only administrator group logs in.

766842

Long wait and timeout when upgrading FG-3000D HA cluster due to vcluster2 being enabled.

771389

SNMP community name with one extra character at the end still matches when HA is enabled.

771391

HA uptime remains the same after mondev failure.

773901

The dnsproxy daemon is not updating HA management VDOM DNS after it is configured. The secondary also does not update.

775724

Static routes not installed after HA failover.

775837

When upgrading the secondary unit to build 1097 or later, a root.vpn.certificate.local.Fortinet_SSL configuration error appears.

776258

FortiGate needs time to complete reconnecting the PPPoE network if it is part of an HA cluster.

778011

The hasync daemon crashes on FG-80E.

779512

If the interface name is a number, an error occurs when that number is used as an hbdev priority.

782769

Unable to form HA pair when HA encryption is enabled.

783483

On the System > HA page, Sessions are shown as 0 after upgrading from 7.0.3 to 7.0.4.

785514

In some cases, the fgfmd daemon is blocked by a query to the HA secondary checksum, and it will cause the tunnel between FortiManager and the FortiGate to go down.

791397

HA secondary address CMDB synchronizes incorrectly for EMS dynamic tags.

Intrusion Prevention

Bug ID

Description

715360

Each time an AV database update occurs (scheduled or manually triggered), the IPS engine restarts on the SLBC secondary blade.

751027

FortiGate can only collect up to 128 packets when detected by a signature.

755859

The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

775696

Each time an AV database update occurs (scheduled or manual), the IPS engine restarts on the SLBC secondary blade. This stops UTM analysis for sessions affected by that blade.

780194

IPS engine 7.00105 has signal 14 (Alarm clock) crash during stress testing.

784976

IPS engine goes to 100% (at 5 Gbps) on FG-4200F when testing CCS with CPS and throughput when UTM is enabled.

IPsec VPN

Bug ID

Description

735412

IKE HA resynchronizes the synchronized connection without an established IKE SA.

738863

For dynamic addresses in IKE, the first item under config list that can be successfully converted into an IP address can be used when mode-cfg is enabled and split-include is used.

749509

IPsec traffic dropped due to anti-replay after HA failover.

766750

FortiGate does not accept secondary tunnel IP address in the same subnet as the primary tunnel.

767765

Tooltip in Dashboard > Network > IPsec widget for phase 2 shows a Timeout year of 1970 in Firefox, Chrome, and Edge.

767945

In a setup with IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).

768638

Invalid IP address while creating a VPN IPsec tunnel.

770354

L2TP over IPsec stopped encrypting traffic after upgrading from 6.4 to 7.0.2.

770437

Referenced IPsec phase 1 and phase 2 interfaces can be deleted.

771302

Spoke cannot register to OCVPN when FortiGate is in policy-based NGFW mode.

773313

FG-40F-3G4G with WWAN DHCP interface set as L2TP client shows drops in WWAN connections and does not get the WWAN IP.

777398

Calling-Station-ID is not present in the RADIUS packet.

780850

IPsec hub fails to delete selector routes when NAT IP changed and IKE crashed.

781917

Session clash messages appear in event logs for new sessions from VPN towards VIP.

783597

Framed IP is not assigned to IPsec clients configured with set assign-ip-from usrgrp.

786409

Tunnel had one-way traffic after iked crashed.

789705

IKE crash disconnected all users at the same time.

Log & Report

Bug ID

Description

621329

Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.

705455

FortiAnalyzer logs are not cached between actual and detected loss of connection.

745689

Unknown interface is shown in flow-based UTM logs.

753904

The reportd process consumes a high amount of CPU.

757703

Report suddenly cannot be generated due to no response from reportd.

764478

Logs are missing on FortiGate Cloud from the FortiGate.

774767

The expected reboot log is missing.

776929

When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.

777008

The syslogd daemon encounters a memory leak.

783145

Cyrillic alphabet is not displayed correctly in file filter and DLP logs.

783725

DoT log is incorrectly categorized as a forward traffic log instead of a local traffic log.

Proxy

Bug ID

Description

650348

FortiGate refuses incoming TCP connection to FTP proxy port after explicit proxy related configurations are changed.

712584

WAD memory leak causes device to go into conserve mode.

738151

Browser has ERR_SSL_KEY_USAGE_INCOMPATIBLE error when both ZTNA and web proxy are enabled.

739627

diagnose wad stats policy list does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.

747915

Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.

751674

Load balancer based on HTTP host is DNATing traffic to the wrong real server when the correct real server is disabled.

752744

Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.

754969

Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.

755294

Firefox gives SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when ECDSA CA is configured for deep inspection.

756603

WAD memory spike when downloading a file larger than 4 GB.

756616

High CPU usage in proxy-based policy with deep inspection and IPS sensor.

758122

WAD memory usage may spike and cause the FortiGate to enter conserve mode when downloading a large file fails.

758496

WAD crash due to LDAP group looping.

758532

WAD memory usage may spike and cause the FortiGate to enter conserve mode.

760585

Captive portal fails to open requested web page on first try if WAD user is expired.

764193

The three-way handshake packet that was marked as TCP port number reused cannot pass through the FortiGate, and the FortiGate replies with a FIN, ACK to the client.

765349

Once AV is enabled in proxy mode, traffic will be blocked in proxy mode.

768358

Failure to access certain AWS pages with proxy SSL deep inspection.

772041

WAD crash at signal 11.

774859

WAD signal 11 Segmentation fault crash occurs at wad_h2_port_read_sync.

775193

Frequent WAD crashes are causing the FortiGate to go down.

775966

Changes to address group used for full SSL exemptions are not being activated.

776989

In some cases, WAD daemon signal 6 (Aborted) received occurs when adding a VDOM.

778659

Proxy inspection fails due to ipsapp session open failed: all providers busy.

782426

WAD crash with signal 11 and signal 6 occurs when performing SAML authentication if the URL size is larger than 3 KB.

783112

FortiGate goes into conserve mode due to high memory usage of WAD user-info process. The WAD user-info process will query the user count information from the LDAP server every 24 hours. If any of the LDAP query messages are closed by exceptions, there is a memory leak. If obtain-user-info is enabled under config user ldap, this memory leak will be triggered on daily basis.

783438

When diagnosing WAD memory with a significant number of open HTTP sessions, the function pointer may still be called and will cause a segmentation fault.

792505

Memory leak identified for WAD worker dnsproxy_conn causing conserve mode.

REST API

Bug ID

Description

743169

Update various REST API endpoints to prevent information in other VDOMs from being leaked.

768056

HTTPS daemon is not responsive when successive API calls are made to create an interface.

Routing

Bug ID

Description

710606

Some static routes disappear from RIB/FIB after modifying/installing static routes from the GUI script.

717086

External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.

724541

One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.

728058

A typo in set dst when configuring a static route with a valid set device will result in a default static route.

744589

LDAP external connector/FSSO polling traffic is not following the SD-WAN rules.

745856

The default SD-WAN route for the LTE wwan interface is not created.

748508

IKE might add two connected static routes to the same destination. If they are using same interface, deleting one of the routes will make the connected address stored on that interface get deleted.

759711

OSPF E2 routes learned by Cisco routers are randomly removed from the routing table when the OSPF/OSPFv3 neighbor flaps.

759752

FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.

762258

When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.

769321

After ADVPN HA failover, BGP is not established, and tunnels are up but not passing traffic between the hub and spokes.

770923

OSPF authentication error occurs with MD5 or text authentication.

771052

The set next-hop-self-rr6 enable parameter is not effective.

771423

BGP route map community attribute cannot be changed from the GUI when there are two 16-byte concatenated versions.

772023

Deleted BGP summary routes are not removed from routing table and are still advertised to eBGP neighbors.

772400

IPv6 route is not created for SIT tunnel interface in SD-WAN.

778392

Kernel panic crash occurs after receiving new IPv6 prefix via BGP.

779113

When a link monitor fails, the routes indicated in the link monitor are not withdrawn from the routing database.

779320

Multicast PIM hello packet is rejected by the FortiGate.

780210

Changing the interface weight under SD-WAN takes longer to be applied from the GUI than the CLI.

780421

SD-WAN services use a different way to handle IPv6 packets than IPv4, which causes packets loss.

781483

Incorrect BGP Originator_ID from route reflector seen on receiving spokes.

781493

After restarting IKE, ADVPN shortcuts stuck in the SD-WAN service and health check.

783168

IPv6 secondary network is removed from the routing table after reboot.

784950

The ecmp-max-paths are not behaving as expected.

Security Fabric

Bug ID

Description

758493

SDN connector on FG-Azure stays stuck if it is alphabetically the first subscription that is not in the permission scope.

764825

When the Security Fabric is enabled, logging is not enabled on deny policies.

765525

The deleted auto-scripts are not sent to FortiManager through the auto-update, which causes devices to go out of sync.

767976

Downstream FortiGate csfd process crashed randomly with signal 11.

779181

Security rating report for System Uptime incorrectly fails the check for FortiAP, even though the FortiAP is up for more than 24 hours.

793234

Fabric Management page incorrectly shows some FortiAPs with an unregistered FortiCare status even though the FortiAP is already registered. This is just a display issue and does not impact FortiAP operation.

SSL VPN

Bug ID

Description

741674

Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.

748085

Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.

749857

Web mode and tunnel mode could not reflect the VRF setting, which causes the traffic to not pass through as expected.

751366

JS error in SSL VPN web mode when trying to retrieve a PDF from https://vpn.ca***.com/.

751717

SAML user configured in groups in the IdP server might match to the wrong group in SSL VPN user authentication if an external browser is used.

752055

VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.

752351

When SSL VPN interface is turned down and then manually turned up again, the SSL routes are not added back to the kernel router.

753590

Brickstream web interface is not loading properly when accessed using SSL VPN web mode.

755296

SSL VPN web mode has issues accessing https://te***.or***.kr.

756561

Outdated OS support for host check should be removed.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

758525

Users can modify the URL in SSL VPN portal to show connection launcher even when the Show Connection Launcher option is disabled.

759664

Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.

760407

Unable to add domain entry in split-dns if set domains contains an underscore character (_).

760875

SSL VPN PKI users fail to log in when a special character is included in the CN or subject matching field.

762479

Telnet connection gets disconnected after three to four minutes in SSL VPN web mode while the connection is idle.

762685

Punycode is not supported in SSL VPN DNS split tunneling.

763619

SAP Fiori webpage using JSON is not loading in SSL VPN web mode.

764853

SSL VPN bookmark of VNC is not using ZRLE compression and consumes more bandwidth to end clients.

765216

Extend skip-check-for-unsupported-os to support the same OS type but different OS versions.

765258

Endpoint event is not reported when FortiClient 7.0 connects to SSL VPN.

767230

Issues with user log out request with Okta as an identity provider for SAML authentication.

767818

SSL VPN bookmark issues with internal website.

767869

SCADA portal will not fully load with SSL VPN web bookmark.

768362

Default resolution for RDP/VNC in SSL VPN web mode cannot be configured.

768994

SSL VPN crashed when closing web mode RDP after upgrading.

770024

Resource is not reachable using SSL quick connection.

770452

Clicking an SSL VPN web portal bookmark web link displays blank page.

770919

Internal website (*.blt.local) is not loading in SSL VPN web mode.

771145

SSL VPN web mode access problem occurs for web service security camera.

771162

Unable to access SSL VPN bookmark in web mode.

772191

Website is not loading in SSL VPN web mode.

773254

SSL VPN web mode access is causing issues with MiniCAU.

774661

Unable to load SSL VPN web portal internal webpage.

774831

Comma character (,) is acting as delimiter in authentication session decoding when CN format is Surname, Name.

776069

The sslvpn daemon crashes due to memory access after it has been freed.

778031

SSL VPN web mode HTTP throughputs drop over 50%.

781542

Unable to access internal SSL VPN bookmark in web mode.

781550

HTTPS link is not working in SSL VPN web mode.

782732

Webpages of back-end server behind https://vpn-***.sys***.pl/remote/ could not be displayed in SSL VPN web mode.

783508

After upgrading to 6.4.8, NLA security mode for SSL VPN web portal bookmark does not work.

784335

Unable to load internal website in SSL VPN web mode.

784426

SSL VPN web mode has problems accessing ComCenter websites.

784522

When trying to create a support ticket in Jira with SSL VPN proxy web mode, the dropdown field does not contain any values.

784887

A blank page appears after logging in to an SSL VPN bookmark.

786179

Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.

788641

Internal site not loading in SSL VPN web mode.

789644

Internal site not loading completely using SSL VPN web mode bookmark.

Switch Controller

Bug ID

Description

766583

A bin/cu_acd crash is generated when cfg-revert is enabled and involves FortiSwitch.

774848

Bulk MAC addresses deletions on FortiSwitch is randomly causing all wired clients to disconnect at the same time and reconnect.

776442

FortiSwitch VLANs cannot be created in the FortiGate GUI for a second FortiLink.

System

Bug ID

Description

639861

Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E.

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

679035

NP6 drops, and bandwidth is limited to under 10 Gbps in npu-vlink case.

679059

The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

699152

Add support for QinQ (802.1ad) on FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, and FG-3600E platforms.

706543

FortiGuard DDNS does not update the IP address when the PPPoE reconnects.

708228

A DNS proxy crash occurs during ssl_ctx_free.

712156

FortiCloud central management does not work if the FortiGate has trusted host enabled for the admin account.

716341

SFP28 port flapping when the speed is set to 10G.

718307, 729078

Verizon LTE connection is not stable, and the connection may drop after a few hours.

720687

On FG-20xF, the RJ45 ports connected to Dell N1548 switch do not automatically have an up link for energy detect mode.

722781

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

738423

Unable to create a hardware switch with no member.

743945

Inconsistency between GUI and CLI with respect to changing password for any super_admin accounts.

749250

Firewall does not seem to utilize its ARP cache and is ARPing for client MAC addresses every 20-30 seconds.

749613

Unable to save configuration changes and get failed: No space left on device error on FG-61E, FG-81E, and FG-101E.

750533

The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.

751044

There is no sensor trap function and related logs on SoC4 platforms.

751346

DNS server obtained via DHCPv6 prefix delegation is not used by DNS proxy.

751523

When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.

751870

User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.

754567

FortiGate receives Firmware image without valid RSA signature loaded error when loading the image from FortiCloud.

755268

When changing a per-ip-shaper, if there is ongoing traffic offloaded by NPU and it attaches that shaper, the new shaper's quota will not get updated.

755953

Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.

756160

Unable to configure firewall access control lists on FG-20xF.

756445

Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.

756713

Packet loss on the LAG interface (eight ports) in static mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

757478

Kernel panic results in reboot due to the size of the inner Ethernet header and IP header not being checked properly when the SKB is received by the VXLAN interface.

757689

When creating a new interface with MTU override enabled, PPPoE mode, and a set MTU value, the MTU value is overridden by the default value.

757748

WAD memory leak could cause system to halt and print fork() failed on the console.

758545

Memory leak caused by a leaked JSON object.

758815

Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.

759689

The updated daemon may crash when update-related configurations change.

760661

DDNS interface update status can get stuck if changes to the interface are made rapidly.

760942

dnsproxy signal 11 crash at libcrypto.so.1.1 on FWF-61F.

763185

High CPU usage on platforms with low free memory upon IPS engine initialization.

764954

The FortiAnalyzer serial number automatically learned by miglogd is not sent to FortiManager through the automatic update.

764989

Include an entry in SNMP OID that lists the number of octets for the IP type.

765452

Slow memory leak in IPS engine 6.091, which persists in 6.107.

766834

forticron allocates over 700 MB of memory, causes the FortiGate to go into conserve mode, and causes a kernel panic due to a 100 MB configured CRL.

767778

Kernel panic occurs while adding and deleting LAG members on FG-1101E.

768979

On a FortiGate with many FortiSwitches and FortiAPs, the Device Inventory widget and user-device-store list are empty.

769384

Kernel conserve mode due to high memory consumption of the confsyncd process.

771267

Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.

771442

Discrepancy between the session count and the number of active sessions; the session count creeps upward, causing high memory utilization.

773067

CLI help text for link monitor failtime and recoverytime range should be (1 - 3600, default = 5).

773702

FortiGate running startup configuration is not saved on flash drive.

774443

SCP restore TCP session does not gracefully close with FIN packet.

777044

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

777145

FortiCloud FDS/selective update response contains PendingRegistration when not pending.

778116

Restricted VDOM user is able to access the root VDOM.

778474

dhcpd does not process DISCOVER messages that contain a zero-length option, such as option 80 (Rapid Commit). The warning length 0 overflows input buffer is displayed.

778629

Disabling NP6XLite offloading does not work with a VLAN interface in a LAG one-arm scenario.

779241

DCE-RPC expectation session expires and never times out (timeout=never).

779523

Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.

781137

Firewall gives incorrect information related to link_setting when running diagnose hardware device nic <port>.

783545

Backing up to SFTP does not work when the username contains a period (.).

785766

Memory leak and httpsd crashes.

789203

High memory usage due to DoT leak at ssl.port_1way_client_dox leak\wad_m_dot_conn leak\sni leak when the DoX server is 8.8.8.8.

790446

The vwl process is spiking CPU and memory, which triggers conserve mode.

793401

The fcnacd process keeps using 99% CPU.
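Bug 778474 in this section describes dhcpd dropping a DISCOVER because an option with length 0 was treated as an overflow. The block below is an added example, not FortiOS code, of the DHCP option TLV parsing that a DHCP server has to get right: Rapid Commit (option 80, RFC 4039) is legitimately encoded as code 80, length 0, and only a length that runs past the buffer is an overflow. The faulty variant is kept beside the correct one for contrast, and the DHCPDISCOVER option bytes are constructed for illustration.

```python
"""Parse the DHCP options field (RFC 2132 TLV encoding) so that zero-length
options such as Rapid Commit (option 80, RFC 4039) are accepted.

Added example, not FortiOS code; the DHCPDISCOVER option bytes below are
constructed for illustration."""

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that starts the options area
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_RAPID_COMMIT = 53, 55, 80
DHCPDISCOVER = 1


def parse_options(payload: bytes) -> dict:
    """Return {option_code: value} for every option in payload.

    Pad (0) and End (255) are single bytes with no length field; every other
    option is code, length, value. A length of 0 is valid and yields b"".
    Only a length that runs past the end of the buffer is an error."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        i += 1
        if code == OPT_PAD:
            continue
        if code == OPT_END:
            break
        if i >= len(payload):
            raise ValueError(f"option {code}: missing length byte")
        length = payload[i]
        i += 1
        if i + length > len(payload):
            raise ValueError(f"option {code}: length {length} overflows input buffer")
        opts[code] = payload[i:i + length]
        i += length
    return opts


def parse_options_rejecting_empty(payload: bytes) -> dict:
    """The faulty behaviour the release note describes, kept for contrast:
    a zero-length option is treated as an overflow and the message is dropped."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        i += 1
        if code == OPT_PAD:
            continue
        if code == OPT_END:
            break
        length = payload[i]
        i += 1
        if length == 0 or i + length > len(payload):   # the bug: 0 is not an overflow
            raise ValueError(f"option {code}: length {length} overflows input buffer")
        opts[code] = payload[i:i + length]
        i += length
    return opts


def is_rapid_commit_discover(payload: bytes) -> bool:
    """True if the option area belongs to a DHCPDISCOVER that carries option 80."""
    opts = parse_options(payload)
    return opts.get(OPT_MSG_TYPE) == bytes([DHCPDISCOVER]) and OPT_RAPID_COMMIT in opts


# Constructed DHCPDISCOVER option area: message type, Rapid Commit (length 0),
# parameter request list (subnet mask, router, DNS), client identifier, End, padding.
SAMPLE_DISCOVER_OPTIONS = (
    DHCP_MAGIC
    + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    + bytes([OPT_RAPID_COMMIT, 0])
    + bytes([OPT_PARAM_REQ, 3, 1, 3, 6])
    + bytes([61, 7, 1, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF])
    + bytes([OPT_END, OPT_PAD, OPT_PAD])
)

# Constructed truncated message: option 61 claims 7 bytes but only 3 follow.
SAMPLE_TRUNCATED = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, 61, 7, 1, 0xAA, 0xBB])

if __name__ == "__main__":
    print(parse_options(SAMPLE_DISCOVER_OPTIONS))
    print("rapid commit discover:", is_rapid_commit_discover(SAMPLE_DISCOVER_OPTIONS))
```

The correct parser accepts the sample and returns an empty value for option 80; the contrasting parser raises the same overflow message the release note quotes, which is what a client that sets Rapid Commit would have hit. Genuinely truncated messages (SAMPLE_TRUNCATED) are still rejected by both.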

Upgrade

Bug ID

Description

754180

A MAC address group is missing from the configuration after upgrading if its members include other address groups that appear after it in the configuration.

766472

After upgrading, the diagnostic command for redundant PSU is missing on FG-100F.

790823

VDOM links configuration is lost after upgrading.

User & Authentication

Bug ID

Description

679016

A fnbamd crash is caused when the LDAP server is unreachable.

747651

LDAP-based authentication is not possible while WAD updates/reads group information from the AD LDAP server.

749488

On an HA standby device, certain certificates (such as Fortinet_CA_SSL) regenerate by themselves when trying to edit them in CLI. This also causes issues when backing up configurations on the standby device.

749694

A fnbamd crash is caused by an LDAP server being unreachable.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

755302

The fnbamd process spikes to 99% or crashes during RADIUS authentication.

756763

In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.

757883

FortiGate blocks an expired root CA even if the cross-signed intermediate CA of that root CA is valid.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

767844

User ID/password shows as blank when sending the guest credentials via a custom SMS server in Guest Management.

777004

Local users named pop or map do not work as expected when trying to add them as sources in a firewall policy.

781992

fssod crashes with signal 11 on logon_dns_callback.

VM

Bug ID

Description

691337

When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.

735441

Low performance when copying files from server behind FG-VM to another site via IPsec VPN.

750889

DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.

755016

In AWS, if the HA connection between the active and passive nodes breaks for a few seconds and reconnects, the EIP sometimes remains on the passive node.

759300

gcpd has signal 11 crash at gcpd_mime_part_end.

764184

Inconsistent TXQ selection degrades mlx5 vfNIC. Azure FortiGate interface has high latency when the IPsec tunnel is up.

769352

Azure SDN connector is unable to pull service tag from China and Germany regions.

774404

The vmxnet3 driver is causing IPv6 neighbor solicitation packets to be ignored.

781879

Flex-VM license activation fails to be applied to a FortiGate VM in HA; standalone mode works.

783604

For S- and V-series VM models, newly installed FG-VM has capacity for only one VDOM, but the upgraded FG-VM still has capacity for two VDOMs.

785234

GCP HA failover for external IP does not work when using Standard Tier.

785353

Azure performance issue on MLX5 when an unrelated VPN is up.

789223

Azure China uses the wrong API endpoint to get metadata after the secondary becomes the new primary.

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

770888

Progress OpenLogicalChannel is not translated.

Web Application Firewall

Bug ID

Description

785743

When a web application firewall profile has version constraint enabled, HTTP 2.0 requests will be blocked.

Web Filter

Bug ID

Description

728104

A webpage in a blocked category is not actually blocked: some sites have subdomains or paths categorized in a blocked category that should be blocked, but the request is instead transformed into a format that FortiGuard cannot rate.

770941

Unable to block https://cle***.com/oauth/dis***-pic*** using URL filter; content from cle***.com is still shown.

779278

FortiGate is responding on TLS 1.0, TLS 1.1, and SSLv3 on TCP port 8015.

781515

The urlfilter daemon continuously crashes on the secondary unit.
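Bug 779278 above reports the FortiGate still negotiating TLS 1.0, TLS 1.1, and SSLv3 on TCP port 8015. After upgrading, a practitioner will want to confirm those versions are gone. The block below is an added example, not FortiOS code or a Fortinet tool: it hand-builds a ClientHello that offers only one legacy version and classifies the first record the listener sends back (a ServerHello means the version was accepted, an Alert means it was refused). Port 8015 comes from the release note; the SAMPLE_* records are constructed so the classifier can be exercised offline, and the default target address is a TEST-NET placeholder.

```python
"""Probe a listener for SSLv3 / TLS 1.0 / TLS 1.1 acceptance by sending a
hand-built ClientHello per version and classifying the first record back.

Added example, not FortiOS code. Port 8015 is taken from the release note;
the SAMPLE_* records are constructed so the classifier can be exercised
offline. A real run: python3 this.py <fortigate-ip>"""
import socket
import struct
import sys

LEGACY_VERSIONS = {"SSLv3": 0x0300, "TLS1.0": 0x0301, "TLS1.1": 0x0302}
# Cipher suite IDs (IANA registry) that every SSLv3/TLS 1.x stack knew.
LEGACY_CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(version: int) -> bytes:
    """TLS record carrying a ClientHello that offers only `version`."""
    client_random = b"\x00" * 32          # fine for a probe; real clients use os.urandom
    ciphers = b"".join(struct.pack("!H", c) for c in LEGACY_CIPHERS)
    body = (struct.pack("!H", version) + client_random
            + b"\x00"                                   # session id length 0
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                              # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


def classify_response(data: bytes) -> tuple:
    """('accepted', negotiated_version) for a ServerHello, ('refused',
    alert_description) for an Alert, ('unknown', None) otherwise."""
    if len(data) < 5:
        return ("unknown", None)
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if ctype == ALERT and len(body) >= 2:
        return ("refused", body[1])          # body = level, description
    if ctype == HANDSHAKE and len(body) >= 6 and body[0] == SERVER_HELLO:
        return ("accepted", struct.unpack("!H", body[4:6])[0])
    return ("unknown", None)


def probe_legacy_tls(host: str, port: int = 8015, timeout: float = 5.0) -> dict:
    """Map version name -> classify_response() result for host:port."""
    results = {}
    for name, ver in LEGACY_VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_client_hello(ver))
                results[name] = classify_response(s.recv(4096))
        except OSError as exc:
            results[name] = ("error", str(exc))
    return results


def _sample_server_hello(version: int) -> bytes:
    """Constructed minimal ServerHello record (no extensions) for offline tests."""
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 0x002F) + b"\x00")
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


SAMPLE_ACCEPT_TLS10 = _sample_server_hello(0x0301)                      # constructed
SAMPLE_REFUSE = struct.pack("!BHH", ALERT, 0x0303, 2) + bytes([2, 70])  # fatal protocol_version

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # TEST-NET-1 placeholder
    for name, outcome in probe_legacy_tls(target).items():
        print(f"{name:7s} {outcome}")
```

An accepted result for any of the three versions means the listener still negotiates it. Some stacks close the connection without sending an alert, which shows up here as ("unknown", None) or an error rather than a refusal; confirm those with openssl s_client -tls1 -connect host:8015 (or -tls1_1, -ssl3 where the local OpenSSL build still supports them).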

WiFi Controller

Bug ID

Description

489759

Recurring internal_add_timer error messages appear on the console when running an automation script.

630085

A cw_acd crash is observed on the FortiGate when the FortiAP is deleted from the managed AP list.

727301

Unable to quarantine hosts behind FortiAP and FortiSwitch.

734801

Some Apple devices cannot handle 303/307 messages and may loop loading the external portal page and fail to pass authentication. Some Android devices cannot process JavaScript redirect messages after users submit their username and password.

744687

Client should match the new NAC policy if it is reordered to the top one.

745044

Optimize memory usage of wpad daemon in WiFi controller for large-scale 802.11r fast BSS transition deployment.

745642

Consider not generating rogue AP logs once a certain AP has been marked as accepted.

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

750425

In RADIUS MAC authentication, the FortiGate NAS-IP-Address reverts to 0.0.0.0 after using the FortiGate address.

757189

A batch of APs in a cluster report control messages reaching the maximal retransmission limit, and the APs disconnect from the FortiGate.

761996

If concurrent-client-limit-type is set to unlimited, it is still limited by the max-clients value in the VAP profile.

766652

FortiAP firmware status is inconsistent on System > Fabric Management page and upgrade slide.

773027

Client limit description tooltip displayed in the GUI shows incorrect information.

773742

Two-factor authentication and WPA2-Enterprise WiFi conflict on remoteauthtimeout setting.

775157

A packet with the wrong IP header could not be processed by the CAPWAP driver, which randomly causes the FortiGate to reboot.

776576

FortiAP upgrade panel still prompts to upgrade to the latest firmware, even when the FortiAP is already running the latest firmware.

780732

Unable to import MPSK keys in the GUI (CSV file into an SSID). An Invalid file content error appears.

783209

The arrp-profile table can now be purged if no entry is in use.

783752

Improve arrp-profile configuration to avoid confusion.

790367

FWF-60F has kernel panic and reboots by itself every few hours.

792738

The cw_acd process uses high CPU, which causes issues for FortiAP connecting with CAPWAP.

ZTNA

Bug ID

Description

765813

ZTNA access is systematically denied for a ZTNA rule using an SD-WAN zone as the incoming interface.

770350

ZTNA tags do not follow the correct policy when bound in a single policy. They also do not work with groups.

770877

Traffic was blocked by mismatched ZTNA EMS tags in a forwarding firewall policy.

777669

The secondary IP address in the EMS dynamic address table does not match the expected policy.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

707951

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-41032

749471

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42755

752450

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-44168

764221

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-43206

792067

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-0778

Resolved issues

The following issues have been fixed in version 7.2.0. For inquires about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID

Description

701658

High CPU utilization because of scanunitd process spike and crash.

769563

Archive bomb detection made more lenient to prevent false positives.

Data Leak Prevention

Bug ID

Description

763687

If a filter configured with set archive enable matches a HTTP post, the file is not submitted for archiving (unless full-archive proto is enabled).

DNS Filter

Bug ID

Description

692482

DNS filter forwards the DNS status code 1 FormErr as status code 2 ServFail in cases where the redirect server responses have no question section.

748227

DNS proxy generated local out rating (FortiGuard category) queries can time out if they are triggered for the same DNS domains with the same source DNS ID.

Endpoint Control

Bug ID

Description

777294

Fabric connection failure between EMS and FortiOS.

793162

Sometimes the FortiGate fails to resolve a FortiClient MAC or IP in the firewall dynamic address table.

Explicit Proxy

Bug ID

Description

754191

Websites are not accessible if the certificate-inspection SSL-SSH profile is set in a proxy policy.

754259

When an explicit proxy policy has a category address as destination address, the FortiGate needs to check if the address is a Google Translate URL for extra rating. This will trigger a keyword match. However, if a web filter profile is not set yet, WAD will crash. The fix will delay the keyword match until a web filter profile is present.

755298

SNI ssl-exempt result conflicts with CN ssl-exempt result when SNI is an IP.

765761

Firewall with forward proxy and UTM enabled is sending TLS probe with forward proxy IP instead of real server IP.

766127

PAC file download fails with incorrect service error after upgrading to 7.0.2.

771152

GUI does not display Source Address field when using a proxy address group in authentication rules.

780211

diagnose wad stats policy list output displays information for only 20 proxy policies, so not all policies are included.

783946

Explicit proxy policy does not deny request for ClearPass object if it is used as a source.

785342

FortiGate explicit proxy does not work with SOCKS4a.

Firewall

Bug ID

Description

644638

Policy with a Tor exit node as the source is not blocking traffic coming from Tor.

724145

Expiration timer of expectation session may show a negative number.

744888

FortiGate drops SERVER HELLO when accessing some TLS 1.3 websites using a flow-based policy with SSL deep inspection.

747190

When auto-asic-offload is enabled in policy, IP-in-IP sessions show as expired while tunnel traffic goes through the FortiGate.

752784

Packet is dropped due to the wrong UDP header length. The NP6XLite driver and kernel drop the packet because of the transport header check.

761494

HTTP persistence not working for HTTP cookie and SSL session ID for round-robin load balancer.

761646

FQDN address and FQDN custom service do not work as expected in security policy.

767226

When a policy denies traffic for a VIP and send-deny-packet is enabled, the mappedip is used for the RST packet's source IP instead of the external IP.

767294

The match-vip option is only useful for deny policies; however, its flag is not cleared after changing the policy action from deny to accept. When a policy uses a mapped FQDN VIP, the destination field of the iprope policy accepts the full IP range.

770668

The packet dropped counter is not incremented for per-ip-shaper with max-concurrent-session as the only criterion and offload disabled on the firewall policy.

773035

Custom services name is not displayed correctly in logs with a port range of more than 3000 ports.

775783

Get httpsd signal 11 crash when inline editing custom service from policy list page with FortiGate support tool running.

778513

Forward traffic logs do not show MAC address object name in Device column.

779902

FortiGate policy lookup does not work as expected (in the GUI and CLI) when the destination interface is a loopback interface.

784939

Dashboard > Load Balance Monitor is not loading in 7.0.4 and 7.0.5.

FortiView

Bug ID

Description

546312

Application filter does not work when the source is ISDB or unscanned.

765993

Dashboard > FortiView Sources - WAN monitor does not show data for VLAN interface.

GUI

Bug ID

Description

473841

Newly created deny policy incorrectly has logging disabled and can not be enabled when the CSF is enabled.

535099

The SSID dialog page does not have support for the new MAC address filter.

535794

Policy page should show new name/content for firewall objects after editing them from the tooltip.

630216

A user can browse HA secondary logs in the GUI, but when a user downloads these logs, it is the primary FortiGate logs instead.

663558

Log Details under Log & Report > Events displays the wrong IP address when an administrative user logs in to the web console.

713529

When a FortiGate is managed by FortiManager with FortiWLM configured, the HTTPS daemon may crash while processing some FortiWLM API requests. There is no apparent impact on the GUI operation.

720192

GUI logs out when accessing FortiView monitor page if the VDOM administrator only has ftviewgrp permission.

729324

Managed FortiAPs and Managed FortiSwitches pages keep loading when VDOM administrator has netgrp and wifi read/write permissions.

730533

On the Policy & Objects > Firewall Policy page, an unclear error message appears when a user creates a new SSL VPN policy with a web mode portal and a VIP or VIP group is used as the destination address.

746239

On the Policy & Objects > Virtual IP page the GUI does not allow the user to configure two virtual IPs with different service for the same external/mapped IP and external interface.

746953

On the Network > Interfaces page, users cannot modify the TFTP server setting. A warning with the message This option may not function correctly. It is already configured using the CLI attribute: tftp-server. appears beside the DHCP Options entry.

750490

Firewall policy changes made in the GUI remove the replacement message group in that policy.

751219

Last Login in SSL-VPN widget is shown as NaN on macOS Safari.

751482

cmbdsvr signal 11 crash occurs when a wildcard FQDN is created with a duplicate ID.

753398

httpsd crashes after NGFW policy is deleted.

754539

On the Policy & Objects > Addresses page, filters applied on the Details column do not work.

755625

Application control profile cannot be renamed from the GUI.

755893

Dashboard menus are not translated for non-English languages.

756420

On the Security Fabric > Fabric Connectors page, the connection to FortiManager is shown as down even if the connection is up.

757130

After upgrading, the new ACME certificates configured in the GUI are using the staging environment.

757606

Dashboard > Users & Devices > Firewall Users widget cannot load if there is a client authenticated by the WiFi captive portal.

758820

The GUI cannot restore a CLI-encrypted configuration file saved on a TFTP server. There is no issue for unencrypted configuration files or if the file is encrypted in the GUI.

760863

PPPoE interface is not selectable if interface type is SSL-VPN Tunnel.

761615

Unable to see details of Apache.Struts.MPV.Input.Validation.Bypass log.

761658

Failed to retrieve information warning appears on secondary node faceplate.

761933

FSSO user login is not sorted correctly by duration on Firewall Users widget.

762683

The feature to send an email under User & Authentication > Guest Management is grayed out.

763724

After the current session is disconnected, pressing the Enter key does not restart a new session on the GUI CLI console.

764744

On the Network > Explicit Proxy page, the GUI does not support configuring multiple outgoing IP addresses.

768261

After a failed administrator login attempt due to a missing two-factor authentication token, the next login attempt for another administrator may incorrectly result in an authentication failure.

770948

When using NGFW policy-based mode, the VPN > Overlay Controller VPN option is removed.

772311

On the LDAP server page, when clicking Browse beside Distinguished Name and then clicking OK after viewing the query results, the LDAP server page is missing fields containing the server settings.

776969

Unable to select and copy serial number from System Information dashboard widget.

777145

Managed FortiSwitches page incorrectly shows a warning about an unregistered FortiSwitch even though it is registered. This only impacts transferred or RMAed FortiSwitches. This is only a display issue with no impact on the FortiSwitch's operation.

778258

Unable to set IP address for IPsec tunnel in the GUI.

778542

Local domain name disappears from the GUI after clicking API Preview.

778932

MAC address name is not displayed in the Device column in the Asset Identity Center.

783152

Filtering by Status in the SD-WAN widget is not working.

787007

httpsd is crashing without any interaction on the GUI at api_cleanup_cache in api_cmdb_v2_handler.

788935

GUI is slow to load when CDN is enabled and accessed on a closed network.

HA

Bug ID

Description

664929

The hatalk process crashed when creating a disabled VLAN interface in an A-P cluster.

683584

The hasync process crashed because the write buffer offset is not validated before using it.

683628

The hasync process crashes often with signal 11 in cases when a CMDB mind map file is deleted and some processes still mind map the old file.

701367

In an HA environment with multiple virtual clusters, System > HA will display statistics for Uptime, Sessions, and Throughput under virtual cluster 1. These statistics are for the entire device. Statistics are not displayed for any other virtual clusters.

714788

Uninterruptible upgrade might be broken in large-scale environments.

738728

The secondary unit tries to contact the forward server for sending the health check packets when the healthcheck under web-proxy forward-server is enabled.

744349

Unable to connect to FortiSandbox Cloud through proxy from secondary node in an HA cluster.

750004

The secondary FortiGate shows a DHCP IP was removed due to conflict, but it is not removed on the primary FortiGate.

750829

In large customer configurations, some functions may time out, which causes an unexpected failover and keeps high cmdbsvr usage for a long time.

751072

HA secondary is consistently unable to synchronize any sessions from the HA primary when the original HA primary returns.

752892

PPPoE connection gets disconnected during HA failover.

752928

fnbamd uses ha-mgmt-interface for certificate related DNS queries when ha-direct is enabled.

752942

When the secondary is being synchronized, the GARP is sent out from the secondary device with the physical MAC address.

753295

Configuration pushed from FortiManager does not respect standalone-config-sync and is pushed to all cluster members.

754599

SCTP sessions are not fully synchronized between nodes in FGSP.

757494

A member might not be able to be added to an aggregate interface that is down in an HA cluster.

760562

hasync crashes when the size of hasync statistics packets is invalid.

761581

Tunnel to Fortimanager is down log message is generated on the secondary FortiGate unit (without HA management interface).

764873

FGSP cluster with UTM does not forward UDP or ICMP packets to the session owner.

765619

HA desynchronizes after user from a read-only administrator group logs in.

766842

Long wait and timeout when upgrading FG- 3000D HA cluster due to vluster2 being enabled.

771389

SNMP community name with one extra character at the end stills matches when HA is enabled.

771391

HA uptime remains the same after mondev failure.

773901

The dnsproxy daemon is not updating HA management VDOM DNS after it is configured. The secondary also does not update.

775724

Static routes not installed after HA failover.

775837

When upgrading the secondary unit to build 1097 or later, a root.vpn.certificate.local.Fortinet_SSL configuration error appears.

776258

FortiGate needs time to complete reconnecting PPPoE network if it part of an HA cluster.

778011

The hasync daemon crashes on FG-80E.

779512

If the interface name is a number, an error occurs when that number is used as an hbdev priority.

782769

Unable to form HA pair when HA encryption is enabled.

783483

On the System > HA page, Sessions are shown as 0 after upgrading from 7.0.3 to 7.0.4.

785514

In some cases, the fgfmd daemon is blocked by a query to the HA secondary checksum, and it will cause the tunnel between FortiManager and the FortiGate to go down.

791397

HA secondary address CMDB synchronizes incorrectly for EMS dynamic tags.

Intrusion Prevention

Bug ID

Description

715360

Each time an AV database update occurs (scheduled or manually triggered), the IPS engine restarts on the SLBC secondary blade.

751027

FortiGate can only collect up to 128 packets when detected by a signature.

755859

The IPS sessions count is higher than system sessions, which causes the FortiGate to enter conserve mode.

775696

Each time an AV database update occurs (scheduled or manual), the IPS engine restarts on the SLBC secondary blade. This stops UTM analysis for sessions affected by that blade.

780194

IPS engine 7.00105 has signal 14 (Alarm clock) crash during stress testing.

784976

IPS engine goes to 100% (at 5 Gbps) on FG-4200F when testing CCS with CPS and throughput when UTM is enabled.

IPsec VPN

Bug ID

Description

735412

IKE HA resynchronizes the synchronized connection without an established IKE SA.

738863

For dynamic addresses in IKE, the first item under config list that can be successfully converted into an IP address can be used when mode-cfg is enabled and split-include is used.

749509

IPsec traffic dropped due to anti-replay after HA failover.

766750

FortiGate does not accept secondary tunnel IP address in the same subnet as the primary tunnel.

767765

Tooltip in Dashboard > Network > IPsecwidget for phase 2 shows a Timeout year of 1970 in Firefox, Chrome, and Edge.

767945

In a setup with IPsec VPN IKEv2 tunnel on the FortiGate to a Cisco device, the tunnel randomly disconnects after updating to 7.0.2 when there is a CMDB version change (configuration or interface).

768638

Invalid IP address while creating a VPN IPsec tunnel.

770354

L2TP over IPsec stopped encrypting traffic after upgrading from 6.4 to 7.0.2.

770437

Referenced IPsec phase 1 and phase 2 interfaces can be deleted.

771302

Spoke cannot register to OCVPN when FortiGate is in policy-based NGFW mode.

773313

FG-40F-3G4G with WWAN DHCP interface set as L2TP client shows drops in WWAN connections and does not get the WWAN IP.

777398

Calling-Station-ID is not present in the RADIUS packet.

780850

IPsec hub fails to delete selector routes when NAT IP changed and IKE crashed.

781917

Session clash messages appear in event logs for new sessions from VPN towards VIP.

783597

Framed IP is not assigned to IPsec clients configured with set assign-ip-from usrgrp.

786409

Tunnel had one-way traffic after iked crashed.

789705

IKE crash disconnected all users at the same time.

Log & Report

Bug ID

Description

621329

Mixed traffic and UTM logs are in the event log file because the current category in the log packet header is not big enough.

705455

FortiAnalyzer logs are not cached between actual and detected loss of connection.

745689

Unknown interface is shown in flow-based UTM logs.

753904

The reportd process consumes a high amount of CPU.

757703

Report suddenly cannot be generated due to no response from reportd.

764478

Logs are missing on FortiGate Cloud from the FortiGate.

774767

The expected reboot log is missing.

776929

When submitting files for sandbox logging in flow mode, filetype="unknown" is displayed for PDF, DOC, JS, RTF, ZIP, and RAR files.

777008

The syslogd daemon encounters a memory leak.

783145

Cyrillic alphabet is not displayed correctly in file filter and DLP logs.

783725

DoT log is incorrectly categorized as a forward traffic log instead of a local traffic log.

Proxy

Bug ID

Description

650348

FortiGate refuses incoming TCP connection to FTP proxy port after explicit proxy related configurations are changed.

712584

WAD memory leak causes device to go into conserve mode.

738151

Browser has ERR_SSL_KEY_USAGE_INCOMPATIBLE error when both ZTNA and web proxy are enabled.

739627

diagnose wad stats policy list does not show statistics correctly when enabling certificate inspection and HTTP policy redirect.

747915

Deep inspection of SMTPS and POP3S starts to fail after restoring the configuration file of another device with the same model.

751674

Load balancer based on HTTP host is DNATing traffic to the wrong real server when the correct real server is disabled.

752744

Proxy-based certificate with deep inspection fails upon receipt of a large handshake message.

754969

Explicit FTP proxy chooses random destination port when the FTP client initiates an FTP session without using the default port.

755294

Firefox gives SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when ECDSA CA is configured for deep inspection.

756603

WAD memory spike when downloading a file larger than 4 GB.

756616

High CPU usage in proxy-based policy with deep inspection and IPS sensor.

758122

WAD memory usage may spike and cause the FortiGate to enter conserve mode when downloading a large file fails.

758496

WAD crash due to LDAP group looping.

758532

WAD memory usage may spike and cause the FortiGate to enter conserve mode.

760585

Captive portal fails to open requested web page on first try if WAD user is expired.

764193

The three-way handshake packet that was marked as TCP port number reused cannot pass through the FortiGate, and the FortiGate replies with a FIN, ACK to the client.

765349

Once AV is enabled in proxy mode, traffic will be blocked in proxy mode.

768358

Failure to access certain AWS pages with proxy SSL deep inspection.

772041

WAD crash at signal 11.

774859

WAD signal 11 Segmentation fault crash occurs at wad_h2_port_read_sync.

775193

Frequent WAD crashes are causing the FortiGate to go down.

775966

Changes to address group used for full SSL exemptions are not being activated.

776989

In some cases, WAD daemon signal 6 (Aborted) received occurs when adding a VDOM.

778659

Proxy inspection fails due to ipsapp session open failed: all providers busy.

782426

WAD crash with signal 11 and signal 6 occurs when performing SAML authentication if the URL size is larger than 3 KB.

783112

FortiGate goes into conserve mode due to high memory usage of WAD user-info process. The WAD user-info process will query the user count information from the LDAP server every 24 hours. If any of the LDAP query messages are closed by exceptions, there is a memory leak. If obtain-user-info is enabled under config user ldap, this memory leak will be triggered on daily basis.

783438

When diagnosing WAD memory with a significant number of open HTTP sessions, the function pointer may still be called and will cause a segmentation fault.

792505

Memory leak identified for WAD worker dnsproxy_conn causing conserve mode.

REST API

Bug ID

Description

743169

Update various REST API endpoints to prevent information in other VDOMs from being leaked.

768056

HTTPS daemon is not responsive when successive API calls are made to create an interface.

Routing

Bug ID

Description

710606

Some static routes disappear from RIB/FIB after modifying/installing static routes from the GUI script.

717086

External resource local out traffic does not follow the SD-WAN rule and specified egress interface when the interface-select-method configuration in system external-resource is changed.

724541

One IPv6 BGP neighbor is allowed to be configured with one IPv6 address format and shows a different IPv6 address format.

728058

A typo in set dst when configuring a static route with a valid set device will result in a default static route.

744589

LDAP external connector/FSSO polling traffic is not following the SD-WAN rules.

745856

The default SD-WAN route for the LTE wwan interface is not created.

748508

IKE might add two connected static routes to the same destination. If they are using same interface, deleting one of the routes will make the connected address stored on that interface get deleted.

759711

OSPF E2 routes learned by Cisco routers are randomly removed from the routing table when the OSPF/OSPFv3 neighbor flaps.

759752

FortiGate is sending malformed packets causing a BGP IPv6 peering flap when there is a large amount of IPv6 routes, and they cannot fit in one packet.

762258

When policy-based routing uses a PPPoE interface, the policy route order changes after rebooting and when the link is up/down.

769321

After ADVPN HA failover, BGP is not established, and tunnels are up but not passing traffic between the hub and spokes.

770923

OSPF authentication error occurs with MD5 or text authentication.

771052

The set next-hop-self-rr6 enable parameter not effective.

771423

BGP route map community attribute cannot be changed from the GUI when there are two 16-byte concatenated versions.

772023

Deleted BGP summary routes are not removed from routing table and are still advertised to eBGP neighbors.

772400

IPv6 route is not created for SIT tunnel interface in SD-WAN.

778392

Kernel panic crash occurs after receiving new IPv6 prefix via BGP.

779113

When a link monitor fails, the routes indicated in the link monitor are not withdrawn from the routing database.

779320

Multicast PIM hello packet is rejected by the FortiGate.

780210

Changing the interface weight under SD-WAN takes longer to be applied from the GUI than the CLI.

780421

SD-WAN services handle IPv6 packets differently from IPv4 packets, which causes packet loss.

781483

Incorrect BGP Originator_ID from route reflector seen on receiving spokes.

781493

After restarting IKE, ADVPN shortcuts get stuck in the SD-WAN service and health check.

783168

IPv6 secondary network is removed from the routing table after reboot.

784950

The ecmp-max-paths setting is not behaving as expected.

Security Fabric

Bug ID

Description

758493

SDN connector on FG-Azure stays stuck if it is alphabetically the first subscription that is not in the permission scope.

764825

When the Security Fabric is enabled, logging is not enabled on deny policies.

765525

Deleted auto-scripts are not sent to FortiManager through the auto-update, which causes devices to go out of sync.

767976

Downstream FortiGate csfd process crashed randomly with signal 11.

779181

Security rating report for System Uptime incorrectly fails the check for FortiAP, even though the FortiAP is up for more than 24 hours.

793234

Fabric Management page incorrectly shows some FortiAPs with an unregistered FortiCare status even though the FortiAP is already registered. This is just a display issue and does not impact FortiAP operation.

SSL VPN

Bug ID

Description

741674

Customer internal website (https://cm***.msc****.com/x***) cannot be rendered in SSL VPN web mode.

748085

Authentication request of SSL VPN realm can now only be sent to user group, local user, and remote group that is mapped to that realm in the SSL VPN settings. The authentication request will not be applied to the user group and remote group of non-realm or other realms.

749857

Web mode and tunnel mode could not reflect the VRF setting, which causes the traffic to not pass through as expected.

751366

JS error in SSL VPN web mode when trying to retrieve a PDF from https://vpn.ca***.com/.

751717

SAML user configured in groups in the IdP server might match to the wrong group in SSL VPN user authentication if an external browser is used.

752055

VNC (protocol version 3.6/3.3) connection is not working in SSL VPN web mode.

752351

When the SSL VPN interface is brought down and then manually brought up again, the SSL VPN routes are not added back to the kernel routing table.

753590

Brickstream web interface is not loading properly when accessed using SSL VPN web mode.

755296

SSL VPN web mode has issues accessing https://te***.or***.kr.

756561

Outdated OS support for host check should be removed.

757450

SNAT is not working in SSL VPN web mode when accessing an SFTP server.

758525

Users can modify the URL in SSL VPN portal to show connection launcher even when the Show Connection Launcher option is disabled.

759664

Renaming the server entry configuration will break the connection between the IdP and FortiGate, which causes the SAML login for SSL VPN to not work as expected.

760407

Unable to add domain entry in split-dns if set domains contains an underscore character (_).

760875

SSL VPN PKI users fail to log in when a special character is included in the CN or subject matching field.

762479

Telnet connection gets disconnected after three to four minutes in SSL VPN web mode while the connection is idle.

762685

Punycode is not supported in SSL VPN DNS split tunneling.

763619

SAP Fiori webpage using JSON is not loading in SSL VPN web mode.

764853

SSL VPN bookmark of VNC is not using ZRLE compression and consumes more bandwidth to end clients.

765216

Extend skip-check-for-unsupported-os to support the same OS type but different OS versions.

765258

Endpoint event is not reported when FortiClient 7.0 connects to SSL VPN.

767230

Issues with user log out request with Okta as an identity provider for SAML authentication.

767818

SSL VPN bookmark issues with internal website.

767869

SCADA portal will not fully load with SSL VPN web bookmark.

768362

Default resolution for RDP/VNC in SSL VPN web mode cannot be configured.

768994

SSL VPN crashed when closing web mode RDP after upgrading.

770024

Resource is not reachable using SSL quick connection.

770452

Clicking an SSL VPN web portal bookmark web link displays blank page.

770919

Internal website (*.blt.local) is not loading in SSL VPN web mode.

771145

SSL VPN web mode access problem occurs for web service security camera.

771162

Unable to access SSL VPN bookmark in web mode.

772191

Website is not loading in SSL VPN web mode.

773254

SSL VPN web mode access is causing issues with MiniCAU.

774661

Unable to load SSL VPN web portal internal webpage.

774831

The comma character (,) is treated as a delimiter when decoding the authentication session if the CN has the format Surname, Name.

776069

The sslvpn daemon crashes due to a use-after-free (memory is accessed after it has been freed).

778031

SSL VPN web mode HTTP throughput drops by over 50%.

781542

Unable to access internal SSL VPN bookmark in web mode.

781550

HTTPS link is not working in SSL VPN web mode.

782732

Webpages of back-end server behind https://vpn-***.sys***.pl/remote/ could not be displayed in SSL VPN web mode.

783508

After upgrading to 6.4.8, NLA security mode for SSL VPN web portal bookmark does not work.

784335

Unable to load internal website in SSL VPN web mode.

784426

SSL VPN web mode has problems accessing ComCenter websites.

784522

When trying to create a support ticket in Jira with SSL VPN proxy web mode, the dropdown field does not contain any values.

784887

A blank page appears after logging in to an SSL VPN bookmark.

786179

Cannot reach local application (dat***.btn.co.id) while using SSL VPN web mode.

788641

Internal site not loading in SSL VPN web mode.

789644

Internal site not loading completely using SSL VPN web mode bookmark.

Switch Controller

Bug ID

Description

766583

A bin/cu_acd crash occurs when cfg-revert is enabled and a FortiSwitch is involved.

774848

Bulk MAC address deletions on FortiSwitch randomly cause all wired clients to disconnect at the same time and reconnect.

776442

FortiSwitch VLANs cannot be created in the FortiGate GUI for a second FortiLink.

System

Bug ID

Description

639861

Support FEC (forward error correction) implementations in 10G, 25G, 40G, and 100G interfaces for FG-3400E and FG-3600E.

644782

A large number of detected devices causes httpsd to consume resources, and causes low-end devices to enter conserve mode.

679035

NP6 drops packets, and bandwidth is limited to under 10 Gbps in the npu-vlink case.

679059

The ipmc_sensord process is killed multiple times when the CPU or memory usage is high.

681322

TCP 8008 permitted by authd, even though the service in the policy does not include that port.

699152

Add support for QinQ (802.1ad) on FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, and FG-3600E platforms.

706543

FortiGuard DDNS does not update the IP address when the PPPoE reconnects.

708228

A DNS proxy crash occurs during ssl_ctx_free.

712156

FortiCloud central management does not work if the FortiGate has trusted host enabled for the admin account.

716341

SFP28 port flapping when the speed is set to 10G.

718307, 729078

Verizon LTE connection is not stable, and the connection may drop after a few hours.

720687

On FG-20xF, the RJ45 ports connected to Dell N1548 switch do not automatically have an up link for energy detect mode.

722781

MAC address flapping on the switch is caused by a connected FortiGate where IPS is enabled in transparent mode.

738423

Unable to create a hardware switch with no member.

743945

Inconsistency between the GUI and CLI when changing the password of a super_admin account.

749250

The firewall does not seem to use its ARP cache and sends ARP requests for client MAC addresses every 20-30 seconds.

749613

Unable to save configuration changes; a failed: No space left on device error is returned on FG-61E, FG-81E, and FG-101E.

750533

The cmdbsvr crashes when accessing an invalid firewall vip mapped IP that causes traffic to stop traversing the FortiGate.

751044

There is no sensor trap function and related logs on SoC4 platforms.

751346

DNS server obtained via DHCPv6 prefix delegation is not used by DNS proxy.

751523

When changing mode from DHCP to static, the existing DHCP IP is kept so no CLI command is generated and sent to FortiManager.

751870

User should be disallowed from sending an alert email from a customized address if the email security compliance check fails.

754567

FortiGate receives Firmware image without valid RSA signature loaded error when loading the image from FortiCloud.

755268

When a per-ip-shaper is changed while NPU-offloaded traffic is already attached to that shaper, the new shaper's quota is not updated.

755953

Direct CLI script from FortiManager fails due to additional end at the end of diagnose debug crashlog read.

756160

Unable to configure firewall access control lists on FG-20xF.

756445

Flow-based inspection on WCCP (L2 forwarding) enabled policy with VLAN interfaces causes traffic to drop if asic-offload is enabled.

756713

Packet Loss on the LAG interface (eight ports) in static mode. Affected models: FG-110xE, FG-220xE, and FG-330xE.

757478

Kernel panic results in a reboot because the sizes of the inner Ethernet header and IP header are not checked properly when the SKB is received by the VXLAN interface.

757689

When creating a new interface with MTU override enabled, PPPoE mode, and a set MTU value, the MTU value is overridden by the default value.

757748

WAD memory leak could cause system to halt and print fork() failed on the console.

758545

Memory leak caused by a leaked JSON object.

758815

Connectivity issue on port26 because NP6 table configuration has an incorrect member list. Affected models: FG-110xE, FG-220xE, and FG-330xE.

759689

When configuration related to the updated daemon changes, updated may crash.

760661

DDNS interface update status can get stuck if changes to the interface are made rapidly.

760942

dnsproxy signal 11 crash at libcrypto.so.1.1 on FWF-61F.

763185

High CPU usage on platforms with low free memory upon IPS engine initialization.

764954

The FortiAnalyzer serial number automatically learned by miglogd is not sent to FortiManager through the automatic update.

764989

Include an entry in SNMP OID that lists the number of octets for the IP type.

765452

Slow memory leak in IPS engine 6.091, which persists in 6.107.

766834

forticron allocates over 700 MB of memory, causes the FortiGate to go into conserve mode, and causes kernel panic due to 100 MB of configured CRL.

767778

Kernel panic occurs while adding and deleting LAG members on FG-1101E.

768979

On a FortiGate with many FortiSwitches and FortiAPs, the Device Inventory widget and user-device-store list are empty.

769384

Kernel goes into conserve mode due to high memory consumption of confsyncd process.

771267

Zone transfer with FortiGate as primary DNS server fails if the FortiGate has more than 241 DNS entries.

771442

Discrepancy between the session count and the number of active sessions; the session count creeps upward, causing high memory utilization.

773067

CLI help text for link monitor failtime and recoverytime range should be (1 - 3600, default = 5).

773702

FortiGate running startup configuration is not saved on flash drive.

774443

SCP restore TCP session does not gracefully close with FIN packet.

777044

On a FortiGate only managed by FortiManager, the FDNSetup Authlist has no FortiManager serial number.

777145

FortiCloud FDS/selective update response contains PendingRegistration when not pending.

778116

Restricted VDOM user is able to access the root VDOM.

778474

dhcpd does not process discover messages that contain a zero-length option, such as option 80 (rapid commit). The warning length 0 overflows input buffer is displayed.
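A zero-length option is legal in DHCP: Rapid Commit (option 80, RFC 4039) is always sent with length 0, so an options walker must bound-check against the remaining buffer rather than reject length 0 outright. The following is an added example, not FortiOS code, of a TLV options parser that accepts such options, alongside a hypothetical strict variant (assumed here to mirror the class of bug the description reports, not a reconstruction of the actual dhcpd code). The DHCPDISCOVER option blob is constructed for the example; parse_dhcp_options, parse_dhcp_options_strict and is_rapid_commit_discover are the example's own names.

```python
"""Added example (not FortiOS code): walking the DHCP options field so that a
zero-length option such as 80 (Rapid Commit, RFC 4039) is accepted instead of
being rejected as "length 0 overflows input buffer".
"""

OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_PARAM_REQ = 55
OPT_CLIENT_ID = 61
OPT_RAPID_COMMIT = 80          # RFC 4039: carried with length 0
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 option cookie
DHCPDISCOVER = 1


def parse_dhcp_options(field: bytes) -> dict[int, list[bytes]]:
    """Parse the TLV option list that follows the magic cookie.

    PAD (0) and END (255) have no length byte.  Every other option has one,
    and a length of 0 is valid: the only overflow check that matters is
    whether `length` bytes remain in the buffer.
    """
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: dict[int, list[bytes]] = {}
    i, n = len(MAGIC_COOKIE), len(field)
    while i < n:
        code = field[i]
        i += 1
        if code == OPT_PAD:
            continue
        if code == OPT_END:
            return opts
        if i >= n:
            raise ValueError(f"option {code}: length byte missing")
        length = field[i]
        i += 1
        if i + length > n:                      # real overflow check
            raise ValueError(f"option {code}: length {length} exceeds buffer")
        opts.setdefault(code, []).append(field[i:i + length])
        i += length
    raise ValueError("option list not terminated with END")


def parse_dhcp_options_strict(field: bytes) -> dict[int, list[bytes]]:
    """Hypothetical buggy variant (assumed for illustration): treats any
    zero-length option as an overflow, so a DISCOVER with Rapid Commit is
    dropped even though the packet is well formed."""
    opts = parse_dhcp_options(field)
    for values in opts.values():
        if any(len(v) == 0 for v in values):
            raise ValueError("length 0 overflows input buffer")
    return opts


def is_rapid_commit_discover(opts: dict[int, list[bytes]]) -> bool:
    """True for a DHCPDISCOVER that asks for the 2-message exchange."""
    return (opts.get(OPT_MSG_TYPE) == [bytes([DHCPDISCOVER])]
            and OPT_RAPID_COMMIT in opts)


def build_sample_discover_options() -> bytes:
    """Constructed DHCPDISCOVER option field: message type, Rapid Commit
    (length 0), parameter request list, client identifier, END."""
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
            + bytes([OPT_RAPID_COMMIT, 0])
            + bytes([OPT_PARAM_REQ, 3, 1, 3, 6])   # subnet mask, router, DNS
            + bytes([OPT_CLIENT_ID, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])
            + bytes([OPT_END]))


if __name__ == "__main__":
    opts = parse_dhcp_options(build_sample_discover_options())
    print({code: [v.hex() for v in vals] for code, vals in opts.items()})
    print("rapid-commit DISCOVER:", is_rapid_commit_discover(opts))
```

When verifying the fix on a device, a packet capture of a client that sets Rapid Commit (many embedded and mobile clients do) should now be followed by a DHCPOFFER or DHCPACK instead of silence and the overflow warning.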

778629

Disabling NP6XLite offloading does not work with VLAN interface on LAG one-arm scenario.

779241

DCE-RPC expectation session expires and never times out (timeout=never).

779523

Negative tunnel_count in diagnose firewall gtp profile list for FGSP peer.

781137

Firewall gives incorrect information related to link_setting when running diagnose hardware device nic <port>.

783545

Backing up to SFTP does not work when the username contains a period (.).

785766

Memory leak and httpsd crashes.

789203

High memory usage due to DoT leaks (ssl.port_1way_client_dox, wad_m_dot_conn, and sni) when the DoX server is 8.8.8.8.

790446

The vwl process is spiking CPU and memory, which triggers conserve mode.

793401

The fcnacd process keeps using 99% CPU.

Upgrade

Bug ID

Description

754180

A MAC address group is missing from the configuration after upgrading if its members include other address groups that are defined after the current one.

766472

After upgrading, the diagnostic command for redundant PSU is missing on FG-100F.

790823

VDOM links configuration is lost after upgrading.

User & Authentication

Bug ID

Description

679016

A fnbamd crash is caused when the LDAP server is unreachable.

747651

LDAP-based authentication is not possible while WAD updates/reads group information from the AD LDAP server.

749488

On an HA standby device, certain certificates (such as Fortinet_CA_SSL) regenerate by themselves when trying to edit them in CLI. This also causes issues when backing up configurations on the standby device.

749694

A fnbamd crash is caused by an LDAP server being unreachable.

751763

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

755302

The fnbamd process spikes to 99% or crashes during RADIUS authentication.

756763

In the email collection captive portal, a user can click Continue without selecting the checkbox to accept the terms and disclaimer agreement.

757883

FortiGate blocks expired root CA, even if the cross-signed intermediate CA of the root CA is valid.

765136

Dynamic objects are cleared when there is no connection between the FortiGate and FortiManager with NSX-T.

767844

User ID/password shows as blank when sending the guest credentials via a custom SMS server in Guest Management.

777004

Local users named pop or map do not work as expected when trying to add them as sources in a firewall policy.

781992

fssod crashes with signal 11 on logon_dns_callback.

VM

Bug ID

Description

691337

When upgrading from 6.4.7 to 7.0.2, GCP SDN connector entries that have a gcp-project-list configuration will be lost.

735441

Low performance when copying files from server behind FG-VM to another site via IPsec VPN.

750889

DHCP relay fails when VMs on different VLAN interfaces use the same transaction ID.

755016

In AWS, if the HA connection between active and passive nodes breaks for a few seconds and reconnects, sometimes the EIP will remain in the passive node.

759300

gcpd has signal 11 crash at gcpd_mime_part_end.

764184

Inconsistent TXQ selection degrades mlx5 vfNIC. Azure FortiGate interface has high latency when the IPsec tunnel is up.

769352

Azure SDN connector is unable to pull service tag from China and Germany regions.

774404

The vmxnet3 driver is causing IPv6 neighbor solicitation packets to be ignored.

781879

Flex-VM license activation failed to be applied to FortiGate VM in HA. Standalone mode is OK.

783604

For S- and V-series VM models, newly installed FG-VM has capacity for only one VDOM, but the upgraded FG-VM still has capacity for two VDOMs.

785234

GCP HA failover for external IP does not work when using Standard Tier.

785353

Azure performance issue on MLX5 when an unrelated VPN is up.

789223

Azure China uses the wrong API endpoint to get meta data after secondary becomes the new primary.

VoIP

Bug ID

Description

757477

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

770888

Progress OpenLogicalChannel is not translated.

Web Application Firewall

Bug ID

Description

785743

When a web application firewall profile has version constraint enabled, HTTP 2.0 requests will be blocked.

Web Filter

Bug ID

Description

728104

A webpage in a blocked category is not actually blocked: some sites have subdomains or paths rated in a blocked category, but the request is transformed into a format that FortiGuard cannot rate, so the block is never applied.

770941

Unable to block https://cle***.com/oauth/dis***-pic*** using URL filter; content from cle***.com is still shown.

779278

FortiGate is responding on TLS 1.0, TLS 1.1, and SSLv3 on TCP port 8015.

781515

The urlfilter daemon continuously crashes on the secondary unit.

WiFi Controller

Bug ID

Description

489759

Consistent error messages, internal_add_timer, appear on console when running an automation script.

630085

A cw_acd crash is observed on the FortiGate when the FortiAP is deleted from the managed AP list.

727301

Unable to quarantine hosts behind FortiAP and FortiSwitch.

734801

Some Apple devices cannot handle 303/307 messages and may loop loading the external portal page and fail to pass authentication. Some Android devices cannot process JavaScript redirect messages after users submit their username and password.

744687

Client should match the new NAC policy if it is reordered to the top one.

745044

Optimize memory usage of wpad daemon in WiFi controller for large-scale 802.11r fast BSS transition deployment.

745642

Consider not generating rogue AP logs once a certain AP has been marked as accepted.

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

750425

In RADIUS MAC authentication, the FortiGate NAS-IP-Address will revert to 0.0.0.0 after using the FortiGate address.

757189

A batch of APs in a cluster report control messages indicating that the maximum retransmission limit was reached, and the APs disconnect from the FortiGate.

761996

If concurrent-client-limit-type is set to unlimited, the limit is still enforced by the max-clients value in the VAP profile.

766652

FortiAP firmware status is inconsistent on System > Fabric Management page and upgrade slide.

773027

Client limit description tooltip displayed in the GUI shows incorrect information.

773742

Two-factor authentication and WPA2-Enterprise WiFi conflict on remoteauthtimeout setting.

775157

A packet with the wrong IP header could not be processed by the CAPWAP driver, which randomly causes the FortiGate to reboot.

776576

FortiAP upgrade panel still prompts to upgrade to latest firmware, even when FortiAP is operating latest firmware.

780732

Unable to import MPSK keys in the GUI (CSV file into an SSID). An Invalid file content error appears.

783209

The arrp-profile table can now be purged if no entry is in use.

783752

Improve arrp-profile configuration to avoid confusion.

790367

FWF-60F has kernel panic and reboots by itself every few hours.

792738

The cw_acd process uses high CPU, which causes issues for FortiAP connecting with CAPWAP.

ZTNA

Bug ID

Description

765813

ZTNA access is systematically denied for ZTNA rule using SD-WAN zone as an incoming interface.

770350

ZTNA tags do not follow the correct policy when bound in a single policy. They also do not work with groups.

770877

Traffic was blocked by mismatched ZTNA EMS tags in a forwarding firewall policy.

777669

The secondary IP address in the EMS dynamic address table does not match the expected policy.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

707951

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-41032

749471

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-42755

752450

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-44168

764221

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2021-43206

792067

FortiOS 7.2.0 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-0778