Resolved issues

The following issues have been fixed in version 7.2.1. To inquire about a particular bug, please contact Customer Service & Support.

Anti Virus

Bug ID  Description
722304  AV does not block malicious file uploads to the MS Exchange server (OWA).
727067  The interface between FortiGate and FortiAnalyzer for the CDR file needs to be fixed on the FortiGate side.
794575  If FortiGate Cloud is selected as the sandbox server under Security Fabric > Fabric Connectors, an antivirus profile with Send files to FortiSandbox for inspection enabled is not saved in the GUI.
805655  A scanunit crash with signal 11 occurs for SMTP with QP (quoted-printable) encoding.
823677  When a FortiGate with DLP patterns configured is connected to FortiSandbox, scanunit crashes when the FortiSandbox extension reloads or a worker shuts down.

Application Control

Bug ID  Description
787130  Application control does not block FTP traffic on an explicit proxy.

Data Leak Prevention

Bug ID  Description
807327  A scanunit crash occurs after upgrading to 6.4.9.

DNS Filter

Bug ID  Description
744572  In multi-VDOM mode with the default system fortiguard configuration, the DNS filter does not work for the non-management VDOM.
790974  When a DNS static domain filter entry's action is set to allow, DNS translation is skipped.
796052  If local-in and transparent requests are hashed into the same local ID list, the DNS proxy finds the wrong query when it receives a response for requests with the same ID and domain.
798562  DNS filter does not work when the FortiGate is working as a DNS server.
800497  In flow mode, a static domain filter entry with set status disable still takes effect when the static domain filter is enabled in the DNS filter.

Endpoint Control

Bug ID  Description
775742  Upgrade EMS tags to include classification and severity to guarantee uniqueness.
803198  Intermittent FortiOS failure when using a redundant EMS configuration, because the EMS FQDN was resolved only once, which causes problems when the DNS entry expires or when DNS is used for load balancing.

Explicit Proxy

Bug ID  Description
770440  Explicit web proxy encounters many WAD crashes.
774442  WAD is NATting to the wrong IP pool address for the interface.
778339  Improve the logic for removing the HTTP Proxy-Authorization/Authorization header to prevent user credentials from leaking.
794124  HTTPS websites are not accessible if certificate-inspection is set in a proxy policy.
794255  Microsoft website (microsoft.com) cannot be mapped to the Microsoft-Web ISDB name for a proxy policy.
796364  Renaming a ClearPass dynamic address object that is configured in a proxy policy causes the address not to be matched.
798647  Explicit web proxy firewall policy cannot pass through HTTP traffic.
801602  In agentless NTLM authentication, the source IP configured under user domain-controller is not applied.
802829  Explicit proxy encounters a 504 timeout after CONNECT in 7.2.0 GA.
811251  WAD daemon may crash upon user log off when using two types of messages (UI and group) at the same time.
816879  When an explicit proxy is enabled with IP pools, certificate inspection probe sessions use the interface IP instead of IPs from the configured IP pool. Therefore, when the interface IP is not allowed to connect externally, the probe session fails and causes traffic to fail.

Firewall

Bug ID  Description
599638  An unexpected value is returned for the established session count, and diagnose firewall iprope clear does not work as expected.
677855  cmdbsvr and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.
750081  Traffic can pass through an EMAC VLAN interface but cannot be offloaded.
752267  Load Balance Monitor detects a server in standby mode as being down.
770383  In multi-VDOM mode, nothing is exported to the NetFlow collector.
777231  Dashboard > FortiView Traffic Shaping page sometimes displays an undefined traffic shaper. This is cosmetic and does not impact functionality.
781144  On the Edit Virtual Server dialog under Policy & Objects > Virtual Servers, a Duplicate entry found error is displayed for the Virtual server IP and Virtual server port fields when there are no duplicate entries.
791735  The number of sessions in session_count does not match the output from diagnose sys session full-stat.
794648  Cannot set src-vendor-mac in a policy. The src-vendor-mac policy setting is not lost after upgrading from 7.0.5 and is still present in the iprope.
794901  Unable to create a geography type address object; the error Can not be geography address when it is a member of addrgrp used by ipsec_tunnel! is returned.
797017  The FortiGate does not refresh the iprope group for central SNAT policies after moving a newly created SNAT policy.
797318  NAT64 is not forwarding traffic to the destination IP.
798587  NGFW security policy is missing the internet-service6 and internet-service6-src options.
801483  Packet drops are noticed in the network when the FortiGate is running 7.2.0 GA.
802834  On the Traffic Shaping > Traffic Shapers tab, the Bandwidth Utilization column indicates zero traffic when there is traffic present.
803270  An unexpected value appears for session_count.
806113  The Traffic Shaping Policies edit dialog shows configured reverse shapers as disabled. This is a cosmetic issue and the reverse shaper is configured as defined.
806904  IPv6 sources with the same 32-bit prefix always NAT to the same IPv4 address.
820622  IPS engine crashes in NGFW policy mode with internet-service-name in a security policy.

FortiView

Bug ID  Description
787886  The tooltip for the Bandwidth column always displays the receiving bandwidth as zero on the Dashboard > FortiView Traffic Shaping page.
804177  When the time period filter is set to now, the table cannot be filtered by policy type.
811095  Threat type N/A - Static URL Filter is shown on sources that do not have the URL filter enabled.
819924  Information disappears after some time on the FortiView pages.

GUI

Bug ID  Description
695163  When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.
740508  Bandwidth widget shows incorrect traffic on FG-40F.
741745  On certain pages, the loading spinner in the GUI is slow to load, and the page remains blank for a long time.
746618  Exported port link status is not correct on the tenant VDOM FortiSwitch Ports page.
750727  Log viewer negate filter does not work as expected for the Application Name column.
774159  A Signature not found in IPS database message appears when editing the IPS profile from the policy.
778844  Dashboard and Managed FortiAPs pages can take a long time to load when there are over 1000 FortiAPs configured.
781310  Policy & Objects > DNAT & Virtual IPs page can take more than 30 seconds to load if there are more than 25 thousand virtual IPs.
787550  HTTPSD daemon crashes frequently with signal 6 (aborted) at api_v2_page_result.
787565  When logged in as a guest management administrator, the custom image shows as empty on the user information printout.
792045  FortiGate fails to display matched endpoints after displaying them successfully several times.
798161  System > Certificates page keeps spinning when trying to access it from Safari.
799160  Modem 1 Health is incorrectly displayed as Disconnected in the Diagnostics and Tools pane of the FortiExtenders page.
800632  The search bar on the Addresses page does not finish loading or return a result when the search term is in the format <IP>-<number>.
800959  CPU usage is visible in the Sessions widget when it should not appear there.
802292  Logs sourced from FortiAnalyzer Big Data show the incorrect time.
806218  Node exiting due to uncaught error and /tmp/admin_server.crt errors appear in the crash log when rebooting.
810225  An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.
821606  Unable to change the member order for SD-WAN rules in the GUI.
821734  Log & Report > Forward Traffic logs do not show the Policy ID if there is no Policy Name.
822991  On the Log & Report > Forward Traffic page, using the filter Result : Deny(all) does not work as expected.

HA

Bug ID  Description
722703  ISDB is not updating; the last update attempt is stuck at an older date.
734040  Need a way for FortiManager to retrieve an HA-specific configuration of a secondary device through the primary device.
744033  HA out-of-sync messages appear in logs instead of sync messages when the FortiGate is in synchronization.
750087  Multicast convergence on HA failover.
750978  Interface link status of HA members goes down when cfg-revert tries to reboot after cfg-revert-timeout.
779180  FGSP does not synchronize the helper-pmap expectation session.
779587  When an authentication logon entry is longer than the hasync packet length and there is a large number of logons, hasync is busy.
781463  FortiGate does not respond to ARP requests for the management-ip on an interface if the interface IP is changed.
782734  Cluster is out-of-sync due to a switch controller managed switch checksum mismatch.
786592  Self-ping towards the management IP fails.
794707  An invalid IP address results when creating a firewall object in the CLI and it is synchronized to the secondary in FGSP standalone-config-sync.
799659  Unusually large uptime values and unusual HA behavior occur.
799765  Multicast is failing after HA failover.
801872  Unexpected HA failover on an AWS A-P cluster when ipsec-soft-dec-async is enabled.
803354  After HA A-P failover, the FortiExtender WAN interface of the new primary cannot get the LTE IP address from FortiExtender.
803697  The ha-mgmt-interface stops using the configured gateway6.
805663  After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces.
806660  Internet service database object cannot be synchronized to the secondary unit after a FortiGuard update.
807322  AWS HA does not update the prefix list in the route table.
810175  set admin-restrict-local is not working for SSH.
812090  FGCP with in-band management mode does not send logs to a newly added syslog server after being switched from out-of-band.
816883  High CPU usage on the secondary device, and the CPU lacks the AVX feature needed to load libdpdk.so.
817942  Secondary cluster member's iprope traffic statistics are not updated to the original primary after an A-P HA failover.

Hyperscale

Bug ID  Description
810025  Using EIF to support hairpinning does not work for NAT64 sessions.
812844  Default static route does not work well for a hyperscale VDOM.

Intrusion Prevention

Bug ID  Description
698247  Flow mode web filter ovrd crashes and socket leaks occur in the IPS daemon.
771000  High CPU usage on all cores when the device is running with one interface set as a one-arm sniffer.
779377  IPS fails to load a configuration if an NGFW policy uses the unrated category group or a category of 0.
809691  High CPU usage on the IPS engine when certain flow-based policies are active.
813998  IPv6 static routes are not generated for IP-based URL entries in the one-arm IPS URL filtering solution.

IPsec VPN

Bug ID  Description
636602  Tunnel to spoke is down on the hub after enabling FortiClient access.
765868  Packets do not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models.
771935  Offloaded transit ESP is dropped in one direction until the session is deleted.
773221  Traffic that goes through IPsec based on a loopback interface cannot be offloaded.
775011  In VPN peering using IKEv2, the signature and aes256-sha256 proposals fail between FortiGates and Palo Alto firewalls.
781403  IKE is consuming excessive memory.
787949  FortiGate sends duplicate SNMP traps if the tunnel is brought down on the local side.
790486  Support IPsec FGSP per-tunnel failover.
793863  File downloads over L2TP IPsec VPN fail when using the VIP mapped to the internal server.
796546  IPv6 traffic through the IPsec tunnel from learned BGP routes is not forwarded to the Prisma Cloud provider.
798709  Shortcut fails to be triggered by interesting traffic.
803010  The vpn-id-ipip encapsulated IPsec tunnel with NPU offloading cannot be reached by IPv6.
803336  VPN certificate private key changes on SCEP renewal.
803686  Tooltip in the Dashboard > Network IPsec widget only displays one address for the local and remote addresses of the phase 2 selector.
810988  GUI does not allow IP overlap for a tunnel interface when allow-subnet-overlap is enabled (the CLI allows it).
814366  There are no incoming ESP packets from the hub to the spoke after upgrading.
815969  Cannot apply dialup IPsec VPN settings modifications in the GUI when net-device is disabled.

Log & Report

Bug ID  Description
692237  FortiOS is truncating the group field to 35 characters in traffic logs.
699019  The source IP under config log fortiguard setting is not respected.
740157  Event log is missing when the FortiGate Cloud Sandbox server is connected, disconnected, or switched.
769300  Traffic denied by a security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.
770352  On the Log & Report > Forward Traffic page, filters applied to an interface name with a comma (,) do not show the correct filtered results for that interface.
781357  Add upgrade code for using free-style filters in miglogd for FortiOS 7.0 and later.
788724  The secondary FortiGate did not send the logs to the syslog server (sendmmsg failed to send data).
789459  The log Summary tab is empty on the System Events and Security Events pages.
790893  Free-style filter for UTM logs does not work when set forward-traffic is disabled.
795595  Date/Time filter changes after setting the time.
797789  FortiGate goes into conserve mode because fgtlogd occupies too much memory.
803262  Anti-spam logs are empty when the log source is FortiCloud (adding a time filter may return a result).
806914  RADVD unloaded interface message appears in the system event log when changing a configuration on the FortiGate.
807661  In a FortiAnalyzer with lots of logs, the log view shows no result if the user scrolls down to the bottom of the list.
814427  The FortiGate reports an error in the FortiAnalyzer connectivity test on the secondary device after upgrading.
815150  Negating a range or subnet does not work in the GUI log display.

Proxy

Bug ID  Description
678815  WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers.
760471  WAD crashes and memory usage is high after upgrading.
766158  Video filter FortiGuard category takes precedence over an allowed channel ID exception in the same category.
768278  WAD crashes frequently, authentication stops, and the firewall freezes once proxy policy changes are pushed out.
781161  WAD has a signal 11 crash due to an invalid read after freeing WAD user information daemon data.
785927  Unexpected behavior in WAD when multiple DHCP servers are configured.
786939  The scan-botnet-connections block setting does not work for TCP:443 with proxy-based inspection.
789703  WAD continually crashes with signal 11.
791662  FortiGate is silently dropping the server hello in TLS negotiation.
792505  A memory leak in the WAD worker dnsproxy_conn causes conserve mode.
793651  An expired certificate can be chosen when creating an SSL/SSH profile for deep inspection.
795321  WAD crashes with signal 11 and the unit goes into conserve mode.
796910  Application wad crashes (Segmentation fault), which is the first crash in a series.
800125  Even if the policy is set to deny FTP_PUT, file uploads are permitted when the UTM feature is enabled.
800436  In proxy inspection, IPS packet logging does not work as expected with HTTPS.
802935  FortiGate cannot block a virus file when using the HTTP PATCH upload method.
803136  thumbnailPhoto files are saved in the memory disk with the incorrect hash name.
803260  Memory usage increases suddenly and is not released until rebooting.
803380  Device is consuming high memory and going into conserve mode, possibly due to a WAD memory leak.
805808  In proxy inspection mode with AV enabled, TCP traffic is dropped after a while.
807332  WAD does not forward the 302 HTTP redirect to the end client.
807431  File from AWS S3 fails to download with UTM, deep inspection, and proxy configured.
808072  When accessing a specific website using UTF8 content encoding (which is unexpected according to the RFC), the FortiGate blocks the traffic as an HTTP evasion when applying an AV profile with deep inspection.
809346  FTPS helper is not opening pinholes for expected traffic on non-standard ports.
811259  WAD memory leak occurs with IPS enabled.
815313  WAD crash occurred due to a certificate validation failure.
817750  WAD daemon keeps crashing when the web proxy forward server group does not have a server list.
822039  WAD crash occurs on FG-61E, FG-101F, FG-61F, FG-200E, and FG-401E during stress testing.
822271  Unable to access a website when deep inspection is enabled in a proxy policy.
823814  When ZTNA access proxy is configured with set empty-cert-action accept-unmanageable, users may receive an error loading the page when the client certificate is not properly processed.

Routing

Bug ID  Description
618684  When HA failover is performed to the other cluster member that is not able to reach the BFD neighbor, the BFD session is down as expected but the static route is still present in the routing table.
704322  After configuring static routes on IPsec tunnels using the Network > Static Routes page, a warning icon appears. This is cosmetic and does not affect functionality.
720618  Passive health check does not report packet loss when it occurs in the network.
756955  Routing table does not reflect the new changes for a static route until the routing process is restarted, when cmdbsvr and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.
769523  Multicast is not working in VRRP.
774136  VPN traffic is not being metered by the DoS policy when using SD-WAN.
779113  Add a new route check to make sure the route is removed when the link monitor object fails on ARM-based platforms.
787476  BGP conditional-advertise did not withdraw the route upon a condition state change.
787487  Default priority value in a static route is set as 0, even though the range is 1 to 65535 in transparent mode.
788793  Unable to receive BGP routes on redundant tunnel interfaces.
795213  On the Network > SD-WAN page, adding a named static route to an SD-WAN zone creates a default blackhole route.
796070  Incorrect SD-WAN kernel routes are used on the secondary device.
796409  GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.
797530  SD-WAN health check event log shows the incorrect protocol.
797590  GRE tunnel configured using a loopback interface is not working after changing the interface back and forth.
798245  ICMP traffic is using the incorrect VRF.
799969  BGP neighbor advertisement-interval can be set to 0 but does not take effect in ZebOS.
805285  SIP-RTP fails after a route or interface change.
806939  Routing issue with ADVPN and SD-WAN if IPsec aggregate interfaces are configured.
807635  BGP routes hit the wrong route map.
808840  After cloning a static route, the URL gets stuck with "clone=true".
809321  IS-IS LSP packets do not include the checksum and the authentication key ([Checksum: [missing]], [Checksum Status: Not present] and authentication "hmac-md5 (54), message digest]).
812982  SD-WAN performance SLAs on a dialup IPsec VPN tunnel do not work as expected.
816582  Connected subnet in a VRF other than VRF 0 gets an RPF failure after HA failover.
817670  IPv6 route redistribution metric value is not taking effect.

Security Fabric

Bug ID  Description
614691  Slow GUI performance in a large Fabric topology with over 50 downstream devices.
741084  Entry-level FortiGate with Security Fabric enabled for 30 or more downstream FortiGates can go into conserve mode when loading the physical or logical topology pages, or running security rating reports.
753742  Add distributed security rating and topology reports.
778511  PPPoE interface is unable to accept Fabric connections.
782518  Threat feeds show that the connection status has not started when it should be connected.
788543  Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.
791324  Test Automation Stitch function only works on the root FortiGate, and does not work on the downstream FortiGate.
795687  On the Fabric Management page, some managed FortiSwitches are not shown.
798795  API that registers appliances to the Fabric stopped working.
799832  GCP bearer token is too long for the header in a google-cloud-function automation action.
801048  During the FortiOS initialization process, there is a small chance that another service using UDP takes the specific port csfd needs, which causes csfd initialization to fail.
803600  Automation stitch for a scheduled backup is not working.
807967  Add reliable messaging for creating event logs on the upstream device for use by Report Runner.
815984  Azure SDN connector has a 403 error when the AZD restarts.

SSL VPN

Bug ID  Description
486837  SSL VPN with external DHCP servers is not working.
616896  Link in the SSL VPN portal to FortiClient iOS redirects to legacy FortiClient 6.0 rather than the latest 6.2.
626311  SSL VPN users remain logged on past the auth-timeout value.
676278  Custom host check AV and firewall for macOS fails for FortiClient SSL VPN.
677031  SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.
697142  SharePoint server (de***.sc***.gov.sa) is not working on web-based VPN.
757726  SSL VPN web portal does not serve the updated certificate.
763611  Slow upload speed on SSL VPN dual-stack configuration.
767832  After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.
767869  SCADA portal will not fully load with an SSL VPN web bookmark.
768323  Certain websites do not load properly in SSL VPN web mode.
768983  SSL VPN web mode access to the FortiGate GUI is slow after upgrading.
778034  FortiGate GUI in SSL VPN web mode is very slow.
780305  SSL VPN web mode is unable to redirect from port 62843 to port 8443.
780765  High CPU usage in SSL VPN using libssh2.
781581  A customer's internal website is not shown correctly in SSL VPN web mode.
784887  A blank page appears after logging in to an SSL VPN bookmark.
787978  Unable to load NFMT routing display through SSL VPN web mode.
789117  SSL VPN web mode RDP bookmark always asks for credentials.
789267  SSO SSL VPN web mode user cannot connect to RDP intermittently.
789642  Unable to load the Grafana application through SSL VPN web mode.
791700  SSL VPN crashes and disconnects users at the same time.
792075  SSL VPN web portal does not load internal e-learning website content.
792944  Internal redirect webpage is not working in SSL VPN web mode.
794800  SSL VPN /remote/logoutok screen loads in basic text.
794820  Slow performance when managing the FortiGate through a bookmark configured in SSL VPN web mode.
795730  Non-Google CAPTCHA cannot be displayed in SSL VPN web mode.
796768  SSL VPN RDP is unable to connect to load-balanced VMs.
797136, 797139  Internal site does not load completely using an SSL VPN web mode bookmark.
799308  SSL VPN bookmark is not working.
799780  Website is not loading in SSL VPN web mode.
800751  Unable to download files over 2 GB to and from an SMB file share using SSL VPN web mode.
801308  FortiGuard should only provide an installer for FortiClient VPN, instead of the full FortiClient version.
801588  After Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully.
802379  SSL VPN has memory leaks and crashes.
803576  Comments before the <html> tag in an HTML file are not handled well in SSL VPN web mode.
803622  High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server.
805922  Unable to configure ssl.root as the associated-interface in a firewall address.
806143  JavaScript error in SSL VPN web mode.
807268  Many SSL VPN users are disconnected periodically, and sslvpnd crashes.
808569  sslvpnd crashes when no certificate is specified.
808634  SSL VPN daemon sometimes cannot be recovered, even when setting the server certificate back from empty to a specific certificate.
809209  SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time.
809473  When sslvpnd debugs are enabled, the SSL VPN process crashes more often.
810715  Web application is not loading in SSL VPN web mode.
811007  The auto-generated URL on the VPN > SSL-VPN Settings page shows the management IP of the FortiGate instead of the SSL VPN interface port IP as defined on the VPN > SSL-VPN Realms page when a realm is created.
812006  The PROD-MDN-WS1 SSL VPN portal is not loading properly, and users cannot navigate within the page.
814040  SSL VPN bookmark configuration is added automatically after the client logs in to web mode.
814708  The same SAML user fails to establish a tunnel when a stale web session exists with limit-user-logins enabled.
816716  sslvpnd crashed when deleting a VLAN interface.
816881  TX packet loss on the ssl.root interface.
817843  Logging out of SSL VPN tunnel mode does not clear the authenticated list.
826582  SSH via SSL VPN web mode does not work for some SSH servers.

Switch Controller

Bug ID  Description
774441  FortiLink topology only displays partially.
794026  The number of quarantined MAC addresses is stuck at 256 due to table size limitations on the FortiGate.
799860  FortiSwitch online/offline status is not consistent between the CLI and SNMP.
803307  The Enable STP security control description should be reworded to mention that Edge ports should have STP enabled once the network topology is stable.
805154  Switch controller preconfiguration of FortiSwitch 108F-POE is incorrect.
810550  When config-sync runs between a FortiGate and a managed FortiSwitch, RSPAN interfaces get deleted and re-added, which causes syslog errors from FortiSwitch.

System

Bug ID  Description
540389  Remote administrator password renewal shows the remote token instead of the new password (CLI and GUI).
716250  Incorrect bandwidth utilization traffic widget for a VLAN interface based on an LACP interface.
725273  application newcli crashed with *** signal 11 (Segmentation fault) received ***.
734912  When VDOMs are enabled, changing system settings causes the GUI to display a failure to save message.
736144  AirCard 340U LTE Modem does not work.
743831  When global daylight saving time (DST) is disabled, the system time in the GUI still shows the time with DST.
753912  FortiGate calculates a faulty FDS weight with DST enabled.
756139  When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.
758490  The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.
761971  AirCard 340U LTE modem does not work on FG-61F.
764483  After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.
766058  FortiGate central management is configured on the backup mode ADOM, and any changes done on the FortiGate are not recorded in the FortiManager.
771331  Incorrect bandwidth utilization traffic widget for a VLAN interface on NP6 platforms.
773829  A /bin/cid crash occurs when cid.tar.gz cannot be unpacked.
781960  A dhcpd crash log occurs.
782392  ICMP traceroute with more than one probe is not working, and drops are seen on NP6 platforms.
783241  Manually updating the internet-service database may fail because there is no check of which internet-service database is being updated.
783939  IPv4 session is flushed after creating a new VDOM.
786255  Cached topology reports cause the FortiGate to run out of flash storage on entry-level models.
786998  When enabling the decrypted-traffic-mirror option on a VXLAN interface, the collector device gets a TCP Out-Of-Order packet.
787557  The sudo command does not work consistently.
787595  FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.
789203  High memory usage due to DoT leak at ssl.port_1way_client_dox leak\wad_m_dot_conn leak\sni leak when the DoX server is 8.8.8.8.
790656  DNS fails to correctly resolve hosts using the DNS database.
792544  A request is made to the remote authentication server before checking trusthost.
793864  Repeated FortiDDNS failed messages appear in the system event logs output.
796094  Egress traffic on EMAC VLAN is using the base MAC address instead.
796398  BPDU packets are blocked even though STP forwarding is enabled on FG-800D in transparent mode (UTP and SFP).
797428  SNMP status for NPU is not available on NP6xlite.
799255  Any configuration change on FG-2601F causes a cmdbsvr crash with signal 6 and traffic stops flowing.
799487  The debug zone uses over 400 MB of RAM.
800294  Interface migration wizard fails to migrate interfaces when VLANs have dependencies within dependencies.
800295  NTP server has intermittent unresolvable logs after upgrading to 6.4.
801053  FG-1800F existing hardware switch configuration fails after upgrading.
801474  DHCP IP lease is flushed within the lease time.
801738  Kernel panic occurs on FG-2610F when collecting debug flow information.
802917  PPPoE virtual tunnel drops traffic after logon credentials are changed.
805412  DHCPv6 authentication option offer is not accepted from the server.
805644  Trunk port is removed from the VLAN switch after rebooting.
807947  Unable to create a new interface and VDOM link with names that contain spaces.
810104  Under certain trace condition scenarios, a kernel panic may be triggered on new kernel platforms after failover with HTTP CCS followed by SIP64 traffic.
810466  EHP and HRX drop on NP6 FortiGate, causing low throughput.
810583  Running diagnose hardware deviceinfo psu shows the incorrect PSU slot.
810622  A message regarding VDOM names longer than 11 characters is shown when set long-vdom-name is enabled.
811449  With new DNS system servers that have DoT enabled, applying a DNS filter to the FortiGate DNS server fails.
812499  When traffic gets offloaded, an incorrect MAC address is used as the source.
813223  Random kernel panic occurs when the following IPsec VPN phase 2 interface configuration is used:

        config vpn ipsec phase2-interface
            edit <name>
                set keylife-type both
                set keylifeseconds 28800
                set keylifekbs 4608000
            next
        end

813606  DHCP relay offers to iPhones are blocked by the FortiGate.
814002  FortiGate may enter kernel panic in an HA environment when sending multicast traffic on new kernel platforms.
815360  NP7 platforms may encounter a kernel panic when deleting more than two hardware switches at the same time.
816278  Memory increase due to the iked process.
816823  NP6xLite test failed when running diagnose hardware test pci.
818461  When an aggregate is created after all VLANs and added to a software switch, all VLANs are lost after rebooting.
818811  NTurbo crash occurs when offloading SSL mirror traffic.
821773  Manual license for air-gap environments is lost after rebooting the FortiGate.

Upgrade

Bug ID  Description
792831  The [2062] fap_fsw_lst_req: buf of https is too small: 853 debug message appears in the console when upgrading to certain builds.
803171  Upgrade takes longer than expected, and a synchronization error caused by PPP occurs during HA upgrades.

User & Authentication

Bug ID

Description

738846

FAS ends up in an endless loop while synchronizing with LDAP when a special character (,) is part of a username.

754725

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

760740

REVERSE_INULL found in WanOpt explicit proxy, wad_user_info.c:wad_group_info_cache_free.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

782158

The ç character is not accepted by an LDAPS password change.

790941

When logged in with an administrator profile using a wildcard RADIUS user, creating new dashboard widgets fails.

792924

Incorrect captive portal page certificate is used after upgrading.

804133

The diagnose test guest del <group_name> <user_ID> command does not work after upgrading.

808884

Device information is not fully detected on NP7.

810033

The samld process is killed if the SP certificate set has an ECC 384-bit public key.

813355

Additional information from user ID login should be displayed.

813407

Captive portal authentication with RADIUS user group truncates the token code to eight characters.

813987

No traffic is generated when creating an ACME certificate that uses a domain name with an uppercase letter.

VM

Bug ID

Description

764392

Incorrect VMDK file size in the OVF file for hw13 and hw15.

782073

IBM HA is unable to fail over the route properly when the route table has a delegate VPC route.

786278

Bandwidth usage is not shown when DPDK is enabled.

799536

Data partition is almost full on FG-VM64 platforms.

800473

FG-VM64 deployed with 6.4 loses configuration and license after upgrading to 7.2.1 (no issue if deployed with 7.0).

800935

ESXi VLAN interface based on LACP does not work.

803219

Azure SDN connector might miss dynamic IP addresses due to only the first page of the network interface being processed.

809963

A cmdbsvr crash occurs after a concurrent performance test on FG-KVM32.

VoIP

Bug ID

Description

794517

VoIP daemon memory leak occurs when the following conditions are met:

  • The SIP call is on top of the IPsec tunnel.
  • The call fails before the setup completes (session gets closed in a state earlier than VOIP_SESSION_STATE_RUNNING).

WAN Optimization

Bug ID

Description

804662

WANOpt tunnels are not established for traffic matching the profile.

Web Application Firewall

Bug ID

Description

795554

Inspecting all ports in an SSL/SSH inspection profile does not work with the WAF profile.

Web Filter

Bug ID

Description

743195

Disclaimer module does not load and breaks the website.

786448

Web filtering with WISP functionality is intermittent in flow mode.

798557

When a new URL filter entry is created and the list is re-ordered, the list position is not maintained.

801792

IPS daemon has socket FD leaks.

WiFi Controller

Bug ID

Description

790367

FWF-60F has kernel panic and reboots by itself every few hours.

795821

The new sae-h2e-only WPA3-SAE SSID setting may cause a backward compatibility issue where some Wi-Fi devices may not associate with managed FortiAP units running previous firmware versions:

  • FortiAP 6.4.8, 7.0.5, 7.2.0 and earlier
  • FortiAP-W2 6.4.8, 7.0.5, 7.2.0 and earlier
  • FortiAP-S 6.4.8 and earlier
  • FortiAP-U 6.2.4 and earlier

Solution:

  • FortiAP and FortiAP-W2 units may be upgraded to 7.2.1 if applicable
  • FortiAP and FortiAP-W2 issue will be fixed in later 6.4 and 7.0 releases
  • FortiAP-S issue will be fixed in a later 6.4 release
  • FortiAP-U units may be upgraded to 6.2.5

796036

Manual quarantine for a wireless client connected to an SSID on multi-VDOM with wtp-share does not work.

807605

FortiOS exhibits a segmentation fault in hostapd on the secondary controller configured in HA.

ZTNA

Bug ID

Description

792829

WAD re-challenges user authentication upon HA failover.

797433

WAD treats ZTNA SAML URL with multiple query characters as invalid and closes.

799530

WAD crash at wad_sched.c occurs upon device tag matching.

799759

Applying a ZTNA rule in the GUI removes configured IP pools.

802715

ZTNA failed to match the policy when a tag is found for an endpoint in the EMS response.

808178

After upgrading from 7.0 to 7.2, the client-cert setting under config firewall access-proxy changed from disable to enable.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

789153

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-38378

795784

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-26122

797229

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-27491

800259

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-29055

803283

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-47536

810989

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-38380

811492

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-35842

819640

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-30307

825695

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-35843

863856

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-29175

Explicit Proxy

Bug ID

Description

770440

Explicit web proxy encounter lots of WAD crashes.

774442

WAD is NATting to the wrong IP pool address for the interface.

778339

Improve logic of removing HTTP Proxy-Authorization/Authorization header to prevent user credential leaking.

794124

HTTPS websites are not accessible if certificate-inspection is set in a proxy policy.

794255

Microsoft website (microsoft.com) cannot be mapped to the Microsoft-Web ISDB name for proxy policy.

796364

Renaming a ClearPass dynamic address object that is configured in a proxy policy causes the address not to be matched.

798647

Explicit web proxy firewall policy can not pass through HTTP traffic.

801602

In agentless NTLM authentication, the source IP in user domain-controller is not applied.

802829

Explicit proxy encounters a 504 timeout after CONNECT in 7.2.0 GA.

811251

WAD daemon may crash upon user log off when using two type of messages (UI and group) at the same time.

816879

When an explicit proxy is enabled with IP pools, certificate inspection probe sessions use the interface IP instead of IPs from the configured IP pool. Therefore, when an interface IP is not allowed to connect externally, the probe session fails and causes traffic to not work.

Firewall

Bug ID

Description

599638

Get unexpected count for established session count, and diagnose firewall iprope clear does not work as expected.

677855

cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.

750081

Traffic can pass through an EMAC VLAN interface but cannot be offloaded.

752267

Load Balance Monitor detects a server in standby mode as being down.

770383

In multi-VDOM mode, nothing is exported to the NetFlow collector.

777231

Dashboard > FortiView Traffic Shaping page sometimes displays an undefined traffic shaper. This is cosmetic and does not impact functionality.

781144

On the Edit Virtual Server dialog under Policy & Objects > Virtual Servers, a Duplicate entry found error is displayed for the Virtual server IP and Virtual server port fields when there are no duplicate entries.

791735

The number of sessions in session_count does not match the output from diagnose sys session full-stat.

794648

Cannot set src-vendor-mac in policy. The src-vendor-mac policy setting is not lost after upgrading from 7.0.5 and is still in the iprope.

794901

Unable to create a geography type address object and get a Can not be geography address when it is a member of addrgrp used by ipsec_tunnel! error.

797017

The FortiGate does not refresh the iprope group for central SNAT policies after moving a newly created SNAT policy.

797318

NAT64 is not forwarding traffic to the destination IP.

798587

NGFW security policy is missing internet-service6 and internet-service6-src options.

801483

Packet drops noticed in the network when FortiGate is running 7.2.0 GA.

802834

On the Traffic Shaping > Traffic Shapers tab, the Bandwidth Utilization column indicates zero traffic when there is traffic present.

803270

Unexpected value for session_count appears.

806113

The Traffic Shaping Policies edit dialog shows configured reverse shapers as disabled. This is a cosmetic issue and the reverse shaper is configured as defined.

806904

IPv6 source with the same 32-bit prefix always NATs to the same IPv4 address.

820622

IPS engine crashes in NGFW policy mode with internet-service-name in a security policy.

FortiView

Bug ID

Description

787886

The tooltip for the Bandwidth column always displays the receiving bandwidth as zero on the Dashboard > FortiView Traffic Shaping page.

804177

When setting the time period to now filter, the table cannot be filtered by policy type.

811095

Threat type N/A - Static URL Filter is showing on sources that do not have the URL filter enabled.

819924

Information disappears after some time on the FortiView pages.

GUI

Bug ID

Description

695163

When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

740508

Bandwidth widget shows incorrect traffic on FG-40F.

741745

On certain pages, the loading spinner in the GUI is slow to load, and the page remains blank for a long time.

746618

Export port link status is not correct on tenant VDOM FortiSwitch Ports page.

750727

Log viewer negate filter does not work as expected for Application Name column.

774159

Signature not found in IPS database message when editing the IPS profile from the policy.

778844

Dashboard and Managed FortiAPs pages can take a long time to load when there are over 1000 FortiAPs configured.

781310

Policy & Objects > DNAT & Virtual IPs page can take more than 30 seconds to load if there are more than 25 thousand virtual IPs.

787550

HTTPSD daemon crashes frequently with signal 6 (aborted) at api_v2_page_result.

787565

When logged in as guest management administrator, the custom image shows as empty on the user information printout.

792045

FortiGate failed to view matched endpoints after viewing it successfully several times.

798161

System > Certificates page keeps spinning when trying to access it from Safari.

799160

Modem 1 Health is incorrectly displayed as Disconnected in the Diagnostics and Tools pane of the FortiExtenders page.

800632

Search bar on Addresses page does not complete loading and return a result when format is <IP>-<number>.

800959

CPU usage is visible in the Sessions widget when it should not appear there.

802292

Logs sourced from FortiAnalyzer Big Data show the incorrect time.

806218

Get Node exiting due to uncaught error and /tmp/admin_server.crt errors in the crash log when rebooting.

810225

An undefined error is displayed when changing an administrator password for the first time. Affected models: NP7 platforms.

821606

Unable to change the member order for SD-WAN rules in the GUI.

821734

Log & Report > Forward Traffic logs do not show the Policy ID if there is no Policy Name.

822991

On the Log & Report > Forward Traffic page, using the filter Result : Deny(all) does not work as expected.

HA

Bug ID

Description

722703

ISDB is not updating; last update attempt is stuck at an older date.

734040

Need a way for FortiManager to retrieve an HA-specific configuration of a secondary device through the primary device.

744033

HA out-of-sync messages appear in logs instead of sync messages when the FortiGate is in synchronization.

750087

Multicast convergence on HA failover.

750978

Interface link status of HA members go down when cfg-revert tries to reboot post cfg-revert-timeout.

779180

FGSP does not synchronize the helper-pmap expectation session.

779587

When an authentication log on length is longer than the hasync packet length and when there is a large number of logons, hasync is busy.

781463

FortiGate does not respond to ARP request for management-ip on interface if the interface IP is changed.

782734

Cluster is out-of-sync due to switch controller managed switch checksum mismatch.

786592

Failure in self-pinging towards the management IP.

794707

Get invalid IP address when creating a firewall object in the CLI; it synchronized to the secondary in FGSP standalone-config-sync.

799659

Unusually large uptime and HA behavior occurs.

799765

Multicast is failing after HA failover.

801872

Unexpected HA failover on AWS A-P cluster when ipsec-soft-dec-async is enabled.

803354

After HA-AP failover, the FortiExtender WAN interface of the new primary cannot get the LTE IP address from FortiExtender.

803697

The ha-mgmt-interface stops using the configured gateway6.

805663

After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces.

806660

Internet service database object cannot be synchronized to the secondary unit after a FortiGuard update.

807322

AWS HA does not update the prefix list in the route table.

810175

set admin-restrict-local is not working for SSH.

812090

FGCP with in-band management mode does not send logs to newly added syslog server after being switched from out-of-band.

816883

High CPU usage on secondary device, and CPU lacks the AVX feature needed to load libdpdk.so.

817942

Secondary cluster member's iprope traffic statistics are not updated to the original primary after an A-P HA failover.

Hyperscale

Bug ID

Description

810025

Using EIF to support hairpinning does not work for NAT64 sessions.

812844

Default static route does not work well for hypsercale VDOM.

Intrusion Prevention

Bug ID

Description

698247

Flow mode web filter ovrd crashes and socket leaks in IPS daemon.

771000

High CPU in all cores with device running with one interface set as a one-arm sniffer.

779377

IPS fails to load a configuration if an NGFW policy uses the unrated category group or category of 0.

809691

High CPU usage on IPS engine when certain flow-based policies are active.

813998

IPv6 static routes are not generated for IP-based URL entries in one-arm IPS URL filtering solution.

IPsec VPN

Bug ID

Description

636602

Tunnel to spoke is down on hub after enabling FortiClient access.

765868

The packets did not pass through QTM, and SYN packets bypass the IPsec tunnel once traffic is offloaded. Affected platforms: NP7 models.

771935

Offloaded transit ESP is dropped in one direction until session is deleted.

773221

Traffic that goes through IPsec based on a loopback interface cannot be offloaded.

775011

In VPN peering using IKEv2, the signature and aes256-sha256 proposals fail between the FortiGates and Palo Alto firewalls.

781403

IKE is consuming excessive memory.

787949

FortiGate sends duplicate SNMP traps if the tunnel is brought down on the local side.

790486

Support IPsec FGSP per tunnel failover.

793863

File downloads over L2TP IPsec VPN failed when using the VIP mapped to the internal server.

796546

IPv6 traffic through IPsec tunnel from learned BGP routes is not forwarding to Prisma Cloud provider.

798709

Shortcut fails to be triggered by interested traffic.

803010

The vpn-id-ipip encapsulated IPsec tunnel with NPU offloading cannot be reached by IPv6.

803336

VPN certificate private key changes on SCEP renewal.

803686

Tooltip in Dashboard > Network IPsec widget only displays one address for the local and remote addresses of the phase 2 selector.

810988

GUI does not allow IP overlap for a tunnel interface when allow-subnet-overlap is enabled (CLI allows it).

814366

There are no incoming ESP packets from the hub to spoke after upgrading.

815969

Cannot apply dialup IPsec VPN settings modifications in the GUI when net-device is disabled.

Log & Report

Bug ID

Description

692237

FortiOS is truncating the group field to 35 characters in traffic logs.

699019

The source IP under config log fortiguard setting is not respected.

740157

Event log is missing when the FortiGate Cloud Sandbox server is connected, disconnected, or switched.

769300

Traffic denied by security policy (NGFW policy-based mode) is shown as action="accept" in the traffic log.

770352

On the Log & Report > Forward Traffic page, filters applied to an interface name with a comma (,) do not show the correct filtered results for that interface.

781357

Add upgrade code for using free-style filter in miglogd for FortiOS 7.0 and later.

788724

The secondary FortiGate did not send the logs to the syslog server (sendmmsg failed to send data).

789459

Empty log Summary tab for System Events and Security Events pages.

790893

Free-style filter for UTM logs does not work when set forward-traffic is disabled.

795595

Date/Time filter changes after setting the time.

797789

FortiGate goes into conserve mode because fgtlogd occupies too much memory.

803262

Anti-spam logs are empty when the log source is FortiCloud (adding a time filter may return a result).

806914

RADVD unloaded interface message appears in system event log when changing a configuration on the FortiGate.

807661

In a FortiAnalyzer with lots of logs, the log view shows no result if the user scrolls down to the bottom of the list.

814427

FortiGate error in FortiAnalyzer connectivity test on secondary device after upgrade.

815150

Negating a range or subnet does not work in the GUI log display.

Proxy

Bug ID

Description

678815

WAD crashes with signal 11 if the client sends a client hello containing a key share that does not match the key share that the server prefers.

760471

WAD crashes and there is high memory after upgrading.

766158

Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category.

768278

WAD crashes frequently, authentication stops, and firewall freezes once proxy policy changes are pushed out.

781161

WAD has signal 11 crash due to invalid reading after freeing WAD user information daemon.

785927

Unexpected behavior in WAD when multiple DHCP servers are configured.

786939

The scan-botnet-connections block setting does not work for TCP:443 with proxy-based inspection.

789703

WAD continually crashing at signal 11.

791662

FortiGate is silently dropping server hello in TLS negotiation.

792505

Memory leak identified for WAD worker dnsproxy_conn causing conserve mode.

793651

An expired certificate can be chosen when creating an SSL/SSH profile for deep inspection.

795321

WAD crash signal 11 and unit goes into conserve mode.

796910

Application wad crash (Segmentation fault) , which is the first crash in a series.

800125

Even if the policy is set to deny FTP_PUT, file uploads are permitted when the UTM feature is enabled.

800436

In proxy inspection, IPS packet logging does not work as expected with HTTPS.

802935

FortiGate cannot block a virus file when using the HTTP PATCH upload method.

803136

thumbnailPhoto files are saved in the memory disk with the incorrect hash name.

803260

Memory increase suddenly and is not released until rebooting.

803380

Device is consuming high memory and going in conserve mode, possible due to a WAD memory leak.

805808

In proxy inspection mode with AV enabled, TCP traffic is dropped after a while.

807332

WAD does not forward the 302 HTTP redirect to the end client.

807431

File from AWS S3 fails to download with UTM, deep inspection, and proxy configured.

808072

When accessing a specific website using UTF8 content encoding (which is unexpected according to the RFC) the FortiGate blocks the traffic as an HTTP evasion when applying an AV profile with deep inspection.

809346

FTPS helper is not opening pinholes for expected traffic for non-standard ports.

811259

WAD memory leak occurs with IPS enabled.

815313

WAD crash occurred due to a certificate validation failure.

817750

WAD daemon keeps crashing when web proxy forward server group does not have a server list.

822039

WAD crash occurs on FG-61E, FG-101F, FG-61F, FG-200E, and FG-401E during stress testing.

822271

Unable to access a website when deep inspection is enabled in a proxy policy.

823814

When ZTNA access proxy is configured with set empty-cert-action accept-unmanageable, users may receive an error loading the page when the client certificate is not properly processed.

Routing

Bug ID

Description

618684

When HA failover is performed to the other cluster member that is not able to reach the BFD neighbor, the BFD session is down as expected but the static route is present in the routing table.

704322

After configuring static routes on IPsec tunnels using the Network > Static Routes page, a warning icon appears. This is cosmetic and does not affect functionality.

720618

Passive health check is not report packet loss when it occurs in the network.

756955

Routing table does not reflect the new changes for the static route until the routing process is restarted when cmdbsrv and other processes take CPU resources upon every configuration change in devices with over ten thousand firewall policies.

769523

Multicast is not working in VRRP.

774136

VPN traffic is not being metered by DoS policy when using SD-WAN.

779113

A new route check to make sure the route is removed when the link monitor object fails on ARM based platforms.

787476

BGP conditional-advertise did not withdraw the route upon a condition state change.

787487

Default priority value in static route is set as 0, even though the range is 1- 65535 in transparent mode.

788793

Unable to receive BGP routes on redundant tunnel interfaces.

795213

On the Network > SD-WAN page, adding a named static route to an SD-WAN zone creates a default blackhole route.

796070

Incorrect SD-WAN kernel routes are used on the secondary device.

796409

GUI pages related to SD-WAN rules and performance SLA take 15 to 20 seconds to load.

797530

SD-WAN health check event log shows the incorrect protocol.

797590

GRE tunnel configured using a loopback interface is not working after changing the interface back and forth.

798245

ICMP traffic is using the incorrect VRF.

799969

BGP neighbor advertisement-interval can be set to 0 but not take effect in ZebOS.

805285

SIP-RTP fails after a route or interface change.

806939

Routing issue with ADVPN and SD-WAN if IPsec aggregate interfaces are configured.

807635

BGP routes hit the wrong route map.

808840

After cloning a static route, the URL gets stuck with "clone=true".

809321

IS-IS LSP packets do not include the checksum and the authentication key ([Checksum: [missing]], [Checksum Status: Not present] and authentication "hmac-md5 (54), message digest]).

812982

SD-WAN performance SLAs on a dialup IPsec VPN tunnel do not work as expected.

816582

Connected subnet in VRF, other than VRF 0, gets an RPF failure after HA failover.

817670

IPv6 route redistribution metric value is not taking effect.

Security Fabric

Bug ID

Description

614691

Slow GUI performance in large Fabric topology with over 50 downstream devices.

741084

Entry-level FortiGate with Security Fabric enabled for 30 or more downstream FortiGates can go into conserve mode when loading the physical or logical topology pages, or running security rating reports.

753742

Add distributed security rating and topology reports.

778511

PPPoE interface is unable to accept Fabric connections.

782518

Threat feeds are showing that the connection status has not started when it should be connected.

788543

Topology tree shows No connection or Unauthorized for FortiAnalyzer while sending log data to FortiAnalyzer.

791324

Test Automation Stitch function only works on the root FortiGate, and is not working on the downstream FortiGate.

795687

On the Fabric Management page, some managed FortiSwitches are not shown.

798795

API that registers appliances to the Fabric stopped working.

799832

GCP bearer token is too long for the header in a google-cloud-function automation action.

801048

During the FortiOS initialization process, there is a small chance that other services using UDP take the specific port that caused csfd initialization to fail.

803600

Automation stitch for a scheduled backup is not working.

807967

Add reliable message for creating event logs on upstream device for use by Report Runner.

815984

Azure SDN connector has a 403 error when the AZD restarts.

SSL VPN

Bug ID

Description

486837

SSL VPN with external DHCP servers is not working.

616896

Link in SSL VPN portal to FortiClient iOS redirects to legacy FortiClient 6.0 rather than the latest 6.2.

626311

SSL VPN users are remaining logged on past the auth-timeout value.

676278

Custom host check AV and firewall for macOS fails for FortiClient SSL VPN.

677031

SSL VPN web mode does not rewrite playback URLs on the internal FileMaker WebDirect portal.

697142

SharePoint server (de***.sc***.gov.sa) is not working on web-based VPN.

757726

SSL VPN web portal does not serve updated certificate.

763611

Slow upload speed on SSL VPN dual-stack configuration.

767832

After upgrading from 6.4.7 to 7.0.1, the Num Lock key is turned off on the SSL VPN webpage.

767869

SCADA portal will not fully load with SSL VPN web bookmark.

768323

Certain websites do not load properly in SSL VPN web mode.

768983

SSL VPN web mode access to the FortiGate GUI is slow after upgrading.

778034

FortiGate GUI in SSL VPN web mode is very slow.

780305

SSL VPN web mode is unable to redirect from port 62843 to port 8443.

780765

High CPU usage in SSL VPN using libssh2.

781581

Customer internal website is not shown correctly in SSL VPN web mode.

784887

A blank page appears after logging in to an SSL VPN bookmark.

787978

Unable to load NFMT routing display through SSL VPN web mode.

789117

SSL VPN web mode RDP bookmark always asks for credentials.

789267

SSO SSL VPN web mode user cannot connect to RDP intermittently.

789642

Unable to load Grafana application through SSL VPN web mode.

791700

SSL VPN crashes and disconnects users at the same time.

792075

SSL VPN web portal does not load internal e-learning website content.

792944

Internal redirect webpage is not working in SSL VPN web mode.

794800

SSL VPN /remote/logoutok screen loads in basic text.

794820

Slow performance to manage FortiGate trough the bookmark configured in SSL VPN web mode.

795730

Non-Google CAPTCHA cannot be displayed in SSL VPN web mode.

796768

SSL VPN RDP is unable to connect to load-balanced VMs.

797136, 797139

Internal site does not load completely using SSL VPN web mode bookmark.

799308

SSL VPN bookmark is not working.

799780

Website is not loading in SSL VPN web mode.

800751

Unable to download files over 2 GB to and from an SMB file share using SSL VPN web mode.

801308

FortiGuard should only provide an installer for FortiClient VPN, instead of the full FortiClient version.

801588

After Kronos (third-party) update from 8.1.3 to 8.1.13, SSL VPN web portal users get a blank page after logging in successfully.

802379

SSL VPN has memory leaks and crashes.

803576

Comments in front of <html> tag are not handled well in HTML file in SSL VPN web mode.

803622

High CPU in SSL VPN once SAML is used with FortiAuthenticator and an LDAP server.

805922

Unable to configure ssl.root as the associated-interface in a firewall address.

806143

JavaScript error in SSL VPN web mode.

807268

Many SSL VPN users are disconnected periodically, and sslvpnd crashes.

808569

sslvpnd crashes when no certificate is specified.

808634

SSL VPN daemon sometimes could not be recovered, even when setting the server certificate back from empty to a specific certificate.

809209

SSL VPN process memory leak is causing the FortiGate to enter conserve mode over a short period of time.

809473

When sslvpnd debugs are enabled, the SSL VPN process crashes more often.

810715

Web application is not loading in the SSL VPN web mode.

811007

The auto-generated URL on the VPN > SSL-VPN Settings page shows the management IP of the FortiGate instead of the SSL VPN interface port IP as defined on the VPN > SSL-VPN Realms page when a realm is created.

812006

The PROD-MDN-WS1 SSL VPN portal is not loading properly, and cannot navigate within the page.

814040

SSL VPN bookmark configuration is added automatically after client logs in to web mode.

814708

The same SAML user failed to establish a tunnel when a stale web session exists with limit-user-logins enabled.

816716

sslvpnd crashed when deleting a VLAN interface.

816881

TX packet loss on ssl.root interface.

817843

Logging out of SSL VPN tunnel mode does not clear the authenticated list.

826582

SSH via SSL VPN web mode does not work for some SSH servers.

Switch Controller

Bug ID

Description

774441

FortiLink topology only displays partially.

794026

The number of quarantined MAC addresses is stuck at 256 due to table size limitations on the FortiGate.

799860

FortiSwitch online/offline status is not consistent between the CLI and SNMP.

803307

The Enable STP security control description should be reworded to mention that Edge ports should have STP enabled once the network topology is stable.

805154

Switch controller preconfiguration of FortiSwitch 108F-POE is incorrect.

810550

When config-sync runs between a FortiGate and a managed FortiSwitch, RSPAN interfaces get deleted and re-added, which causes syslog errors from FortiSwitch.

System

Bug ID

Description

540389

Remote administrator password renewal shows remote token instead of new password (CLI and GUI).

716250

Incorrect bandwidth utilization traffic widget for VLAN interface based on LACP interface.

725273

The newcli application crashes with *** signal 11 (Segmentation fault) received ***.

734912

When VDOMs are enabled, changing system settings causes the GUI to display a failure to save message.

736144

AirCard 340U LTE Modem does not work.

743831

When global daylight saving time (DST) is disabled, the system time in the GUI still shows the time with DST.

753912

FortiGate calculates faulty FDS weight with DST enabled.

756139

When split port is enabled on four 10 GB ports, only one LACP port is up, and the other ports do not send/receive the LACP PDU.

758490

The value of the extra-init parameter under config system lte-modem is not passed to the modem after rebooting the device.

761971

AirCard 340U LTE modem does not work on FG-61F.

764483

After restoring the VDOM configuration, Interface <VLAN> not found in the list! is present for VLANs on the aggregate interface.

766058

FortiGate central management is configured on the backup mode ADOM, and any changes done on the FortiGate are not recorded in the FortiManager.

771331

Incorrect bandwidth utilization traffic widget for VLAN interface on NP6 platforms.

773829

/bin/cid crashes when cid.tar.gz cannot be unpacked.

781960

A dhcpd crash log occurs.

782392

ICMP traceroute with more than one probe is not working, and drops are seen on NP6 platforms.

783241

Manually updating internet-service database may fail because there is no check of which internet-service database is being updated.

783939

IPv4 session is flushed after creating a new VDOM.

786255

Cached topology reports cause the FortiGate to run out of flash storage on entry-level models.

786998

When enabling the decrypted-traffic-mirror option on a VXLAN interface, the collector device will get a TCP Out-Of-Order packet.

787557

The sudo command does not work consistently.

787595

FFDB cannot be updated with exec update-now or execute internet-service refresh after upgrading the firmware in a large configuration.

789203

High memory usage due to DoT leaks (ssl.port_1way_client_dox leak, wad_m_dot_conn leak, sni leak) when the DoX server is 8.8.8.8.

790656

DNS fails to correctly resolve hosts using the DNS database.

792544

A request is made to the remote authentication server before checking trusthost.

793864

Repeated FortiDDNS failed messages are in the system event logs output.

796094

Egress traffic on an EMAC VLAN uses the base MAC address instead of the EMAC VLAN's own MAC address.

796398

BPDU packets are blocked even though STP forwarding is enabled on FG-800D in transparent mode (UTP and SFP).

797428

SNMP status for NPU is not available on NP6xlite.

799255

Any configuration change on FG-2601F causes a cmbdr crash with signal 6, and traffic stops flowing.

799487

The debug zone uses over 400 MB of RAM.

800294

Interface migration wizard fails to migrate interfaces when VLANs have dependencies within dependencies.

800295

NTP server has intermittent unresolvable logs after upgrading to 6.4.

801053

FG-1800F existing hardware switch configuration fails after upgrading.

801474

DHCP IP lease is flushed within the lease time.

801738

Kernel panic occurs on FG-2610F when collecting debug flow information.

802917

PPPoE virtual tunnel drops traffic after logon credentials are changed.

805412

DHCPv6 authentication option offer is not accepted from the server.

805644

Trunk port is removed from the VLAN switch after rebooting.

807947

Unable to create new interface and VDOM link with names that contain spaces.

810104

Under certain trace condition scenarios, a kernel panic may be triggered on new kernel platforms after failover with HTTP CCS followed by SIP64 traffic.

810466

EHP and HRX drops occur on NP6 FortiGates, causing low throughput.

810583

Running diagnose hardware deviceinfo psu shows the incorrect PSU slot.

810622

A message regarding VDOM names longer than 11 characters is shown even when set long-vdom-name is enabled.

811449

With new system DNS servers that have DoT enabled, applying a DNS filter to the FortiGate DNS server fails.

812499

When traffic gets offloaded, an incorrect MAC address is used as a source.

813223

Random kernel panic occurs when the following IPsec VPN phase 2 interface configuration is used:

config vpn ipsec phase2-interface
    edit <name>
        set keylife-type both
        set keylifeseconds 28800
        set keylifekbs 4608000
    next
end

813606

DHCP relay offers to iPhones are blocked by the FortiGate.

814002

A FortiGate in an HA environment may enter a kernel panic when sending multicast traffic on new kernel platforms.

815360

NP7 platforms may encounter a kernel panic when deleting more than two hardware switches at the same time.

816278

Memory usage increases due to the iked process.

816823

The NP6xLite test fails when running diagnose hardware test pci.

818461

When an aggregate is created after all VLANs and added to a software switch, all VLANs are lost after rebooting.

818811

NTurbo crash occurs when offloading SSL mirror traffic.

821773

Manual license for air-gap environments is lost after rebooting the FortiGate.

Upgrade

Bug ID

Description

792831

The [2062] fap_fsw_lst_req: buf of https is too small: 853 debug message appears in the console when upgrading to certain builds.

803171

The upgrade takes longer than expected, and a synchronization error caused by PPP occurs during HA upgrades.

User & Authentication

Bug ID

Description

738846

FAS ends up in an endless loop while synchronizing with LDAP when a special character (,) is part of a username.

754725

After updating the FSSO DC agent to version 5.0.0301, the DC agent keeps crashing on Windows 2012 R2 and 2016, which causes lsass.exe to reboot.

760740

REVERSE_INULL found in WanOpt explicit proxy, wad_user_info.c:wad_group_info_cache_free.

778521

SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

782158

The ç character is not accepted by an LDAPS password change.

790941

When logged in with an administrator profile using a wildcard RADIUS user, creating new dashboard widgets fails.

792924

Incorrect captive portal page certificate is used after upgrading.

804133

The diagnose test guest del <group_name> <user_ID> command does not work after upgrading.

808884

Device information is not fully detected on NP7.

810033

The samld process is killed if the SP certificate set has an ECC 384-bit public key.

813355

Additional information from user ID login should be displayed.

813407

Captive portal authentication with RADIUS user group truncates the token code to eight characters.

813987

No traffic is generated when creating an ACME certificate that uses a domain name with an uppercase letter.

VM

Bug ID

Description

764392

Incorrect VMDK file size in the OVF file for hw13 and hw15.

782073

IBM HA is unable to fail over routes properly when the route table has a delegate VPC route.

786278

Bandwidth usage is not shown when DPDK is enabled.

799536

Data partition is almost full on FG-VM64 platforms.

800473

FG-VM64 deployed with 6.4 loses configuration and license after upgrading to 7.2.1 (no issue if deployed with 7.0).

800935

ESXi VLAN interface based on LACP does not work.

803219

Azure SDN connector might miss dynamic IP addresses due to only the first page of the network interface being processed.

809963

cmdbsvr crashes after a concurrent performance test on FG-KVM32.

VoIP

Bug ID

Description

794517

VoIP daemon memory leak occurs when the following conditions are met:

  • The SIP call is on top of the IPsec tunnel.
  • The call fails before the setup completes (session gets closed in a state earlier than VOIP_SESSION_STATE_RUNNING).

WAN Optimization

Bug ID

Description

804662

WANOpt tunnels are not established for traffic matching the profile.

Web Application Firewall

Bug ID

Description

795554

Inspecting all ports in an SSL/SSH inspection profile does not work with the WAF profile.

Web Filter

Bug ID

Description

743195

Disclaimer module does not load and breaks the website.

786448

Web filtering with WISP functionality is intermittent in flow mode.

798557

When a new URL filter entry is created and the list is re-ordered, the list position is not maintained.

801792

IPS daemon has socket FD leaks.

WiFi Controller

Bug ID

Description

790367

FWF-60F has kernel panic and reboots by itself every few hours.

795821

The new sae-h2e-only WPA3-SAE SSID setting may cause a backward compatibility issue where some Wi-Fi devices may not associate with managed FortiAP units running previous firmware versions:

  • FortiAP 6.4.8, 7.0.5, 7.2.0 and earlier
  • FortiAP-W2 6.4.8, 7.0.5, 7.2.0 and earlier
  • FortiAP-S 6.4.8 and earlier
  • FortiAP-U 6.2.4 and earlier

Solution:

  • FortiAP and FortiAP-W2 units may be upgraded to 7.2.1 if applicable
  • FortiAP and FortiAP-W2 issue will be fixed in later 6.4 and 7.0 releases
  • FortiAP-S issue will be fixed in a later 6.4 release
  • FortiAP-U units may be upgraded to 6.2.5

796036

Manual quarantine for a wireless client connected to an SSID on multi-VDOM with wtp-share does not work.

807605

FortiOS exhibits a segmentation fault in hostapd on the secondary controller configured in HA.

ZTNA

Bug ID

Description

792829

WAD re-challenges user authentication upon HA failover.

797433

WAD treats ZTNA SAML URL with multiple query characters as invalid and closes.

799530

A wad crash occurs at wad_sched.c upon device tag matching.

799759

Applying a ZTNA rule in the GUI removes configured IP pools.

802715

ZTNA fails to match the policy when a tag is found for an endpoint in the EMS response.

808178

After upgrading from 7.0 to 7.2, the client-cert setting under config firewall access-proxy changed from disable to enable.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

789153

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-38378

795784

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-26122

797229

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-27491

800259

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-29055

803283

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-47536

810989

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-38380

811492

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-35842

819640

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-30307

825695

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2022-35843

863856

FortiOS 7.2.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-29175