Unexpected behavior occurs when configuring internet services with custom or ISDB entries, leading to failed negate options and issues with internet-service6 functionality.

The GUI-explicit-proxy setting on the System > Feature Visibility page is not retained after a FortiGate reboot or upgrade.

In some cases, the explicit proxy policy list can take a long time to load due to a delay in retrieving the proxy statistics. This issue does not impact explicit proxy functionality.

Workaround: restart the WAD process, or temporarily disable the WAD debugging process (when FortiGate reboots, this process will need to be disabled again).

diagnose wad toggle

(use direct connect diagnose)

After a failover, ARP entries are removed from all slots when an ARP query of single slot does not respond.

Graceful upgrade of a FortiGate 6000 or 7000 FGCP HA cluster is not supported when upgrading from FortiOS 7.0.12 to 7.2.6.

Upgrading the firmware of a FortiGate 6000 or 7000 FGCP HA cluster from 7.0.12 to 7.2.6 should be done during a maintenance window, since the firmware upgrade process will disrupt traffic for up to 30 minutes.

Before upgrading the firmware, disable uninterruptible-upgrade, then perform a normal firmware upgrade. During the upgrade process the FortiGates in the cluster will not allow traffic until all components (management board and FPCs or FIMs and FPMs) are upgraded and both FortiGates have restarted. This process can take up to 30 minutes.

SLBC for FortiOS 7.0 and 7.2 uses different FGCP HA heartbeat formats. Because of the different heartbeat formats, you cannot create an FGCP HA cluster of two FortiGate 6000s or 7000s when one chassis is running FortiOS 7.0.x and the other is running FortiOS 7.2.x. Instead, to form an FGCP HA cluster, both chassis must be running FortiOS 7.0.x or 7.2.x.

If two chassis are running different patch releases of FortiOS 7.0 or 7.2 (for example, one chassis is running 7.2.5 and the other 7.2.6), they can form a cluster. When the cluster is formed, FGCP elects one chassis to be the primary chassis. The primary chassis synchronizes its firmware to the secondary chassis. As a result, both chassis will be running the same firmware version.

You can also form a cluster if one chassis is running FortiOS 7.2.x and the other is running 7.4.x.

For best results, both chassis should be running the same firmware version, although as described above, this is not a requirement.

Unintended behavior occurs when FortiGate models perform a warm reboot without properly applying virtual domain configurations.

On FortiGate 7000F using FGSP and FGCP, when TCP traffic takes an asymmetric path, the TCP ACK and data packets might be dropped in NP7.

After an HA failover, there is no IPsec route in the kernel.

Workaround: Bring down and bring up the tunnel.

On the FortiGate 6000 platform, IPv6 VRF routing tables appear under the new and old FPC primary units when the primary FPC slot is changed.

SNMP query returns an error when there is a large number of BGP routes.

FGCP HA session synchronization may stop working as expected on a FortiGate 7000F cluster managed by FortiManager. This happens if the HA configuration uses management interfaces as session synchronization interfaces by configuring the session-sync-dev option, for example:

config system ha
    set session-sync-dev 1-M1 1-M2
end

The problem occurs when FortiManager updates the configuration of the FortiGate 7000F devices in the cluster it incorrectly changes to the VDOM of the management interfaces added to the session-sync-dev command from mgmt-vdom to vsys_ha and the interfaces stop working as session sync interfaces.

You can work around the problem by manually changing the vdom of the management interfaces added to session-sync-dev to mgmt-vdom and then retrieving the FortiGate configuration from FortiManager.

config system interface
    edit 1-M1
        set vdom mgmt-vdom
    next
    edit 1-M2
        set vdom mgmt-vdom
    next
end

For an FGSP configuration on the FortiGate 6000 and 7000 platforms, the encryption option of the config system standalone-cluster command does not encrypt session synchronization traffic. Enabling this option has no effect.

GUI unreachable due to certificates and private keys mismatch in a HA setup.

BGP flapping occurs when concurrent IP address management causes unexpected source IP usage on outbound connections during FortiGate VDOM migrations.

Graceful upgrades lead to unintended primary claiming by FortiGate units during HA resynchronization.

On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.

FortiGate GUI should not display a license expired notification due to an expired FortiManager Cloud license if it still has a valid account level FortiManager Cloud license (function is not affected).

When the number of users in the Firewall User monitor exceeds 2000, the search bar, column filters, and graphs are no longer displayed due to results being lazily loaded.

The Node.JS daemon restarts with a kill ESRCH error on FortiGate after an upgrade.

Edits that are made to IP Exemptions in IPS Signatures and Filters more than once on the Security Profiles > Intrusion Prevention page are not saved.

On FortiGate G series models with dual WAN links, the Interface Bandwidth widget may show an incorrect incoming and outgoing bandwidth count where the actual traffic does not match the display numbers.

When performing HA upgrade in the GUI, if the secondary unit takes several minutes to bootup, the GUI may show a misleading error message Image upgrade failed due to premature timeout.

This is just a GUI display issue and the HA upgrade can still complete without issue.

When adding a new vcluster, the link-failure value of the newly added vcluster is not updated, causing the wrong primary unit to be selected.

The Fabric Management page displays inconsistent information when accessed through secondary HA units on some FortiGate models.

After successfully changing the VLAN ID of an interface from the CLI, an error message similar to cmdb_txn_cache_data(query=log.npu-server,leve=1) failed may appear.

LPMD fails to correctly handle different VRFs, treating all as vrf 0, causing improper route management and affecting network traffic isolation.

IPv6 traffic fails to load balance across multiple virtual domains when using Equal-cost Multipath (ECMP) in NAT mode on FortiGate devices.

The npu-session list fails to display policy-route information when traffic is routed through a policy route on FortiGate models using NPU acceleration.

Traffic drops occur after Failover in HA A-P setups using hardware-only sessions.

The "diagnose sys npu-session list" command displays incorrect policy IDs when traffic uses intra-zone policies.

NAT46 NPU sessions are lost and traffic drops when a HA failover occurs.

diagnose firewall ippool list pba command is executed in a hyperscale device may result in high CPU. No workaround available.

Traffic outage occurs when making ip-pool group changes on hyperscale VDOMs.

CPU usage issues occurred when IPsec VPN traffic was received on the VLAN interface of an NP7 vlink.

SD-WAN Performance SLA health checks fail when FortiGuard is configured as the server due to lack of HTTP support on FortiGuard servers.

The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel.

On the Network > SD-WAN > SD-WAN Rules page, member interfaces that are down are incorrectly shown as up. The tooltip on the interface shows the correct status.

Security Fabric physical and logical topology is slow to load when there are a lot of downstream devices, including FortiGates, FortiSwitches, FortiAPs, and endpoint device traffic. This is a GUI only display issue and does not impact operations of downstream devices.

FortiGate experiences a CPU usage issue in the node process when there multiple administrator sessions running simultaneously on the GUI in a Security Fabric with multiple downstream devices. This may result in slow loading times for multiple GUI pages.

Workaround: disconnect the other concurrent administrator sessions to avoid overloading node process.

FortiClient Windows cannot be launched with SSL VPN web portal.

The FortiSwitch topology fails to load correctly and triggers Java errors in HTTPS logs when switches are connected via SFPs.

VLAN-over-VXLAN traffic was not being offloaded to NP7, causing performance issues due to increased CPU load.

On FortiGate 400F, 600F, 900G, 3200F, and 3700F models, LAG interface members are not shutting down when the remote end interface (one member in the LAG) is admin down.

On the NP7 platform, setting the interface configuration using set inbandwidth <x> or set outbandwidth <x> commands stops traffic flow.

Workaround: Change the NP7 ""default-qos-type"" setting from shaping to policing. This requires a restart of the device for the configuration to take effect.

config system npu
   set default-qos-type policing
end

On the FortiGate 601F, the ports (x7) have no cables attached but the link LEDs are green.

The node daemon causes a CPU usage and memory usage issue when many interfaces are being edited or created at once.

Traffic is intermittently interrupted on virtual-vlan-switch on Soc5 based platforms when a multicast or broadcast packet is received.

The FortiFirewall 2600F model may become stuck after a fresh image burn. Upgrading from a previous version stills works.

Workaround: power cycle the unit.

On the FG-200G, SDNS is not able to connect to FortiGuard servers.

Workaround: use DNS instead of SDNS.

config system dns
    set protocol cleartext
end

If FGTVM was deployed in UEFI boot mode, do not downgrade to any GA version earlier than 7.2.4.

FortiOS becomes unresponsive when sending IPv6 traffic over MLX5 network adapters due to incorrect WQE handling.

The layer 3 roaming feature may not work when the wireless controller is running multiple cw_acd processes (when the value of acd-process-count is not zero).

In HA cluster of FGT-200F units with 'capwap-offload' enabled, traffic from tunnel SSID cannot pass after HA failover is triggered.

The automatically connect option fails to function when the local radio connection is lost on some FortiGate models.