Fortinet black logo

Known issues

Known issues

The following issues have been identified in version 7.2.4. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Spam

Bug ID

Description

877613

Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI.

Anti Virus

Bug ID

Description

869398

FortiGate sends too many unnecessary requests to FortiSandbox and causes high resource usage.

908706

On the Security Profiles > AntiVirus page, a VDOM administrator with a custom administrator profile cannot create or modify an antivirus profile belonging to the VDOM.

Workaround: set the VDOM administrator profile to super_admin.

Explicit Proxy

Bug ID

Description

817582

When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

865828

The internet-service6-custom and internet-service6-custom-group options do not work with custom IPv6 addresses.

875736

The proxy-re-authentication-mode option has been removed in 7.2.4 and is replaced with proxy-keep-alive-mode re-authentication. The new proxy-re-authentication-time timer is associated with this re-authentication mode. There are two unresolved issues:

  • After upgrading, the previously configured proxy-auth-timeout value for the absolute re-authentication mode is not preserved in the new proxy-re-authentication-time.
  • The new proxy-re-authentication-time is currently configured in seconds, but it should be configured in minutes to be consistent with other related authentication timers (such as proxy-auth-timeout).

894557

In some cases, the explicit proxy policy list can take a long time to load due to a delay in retrieving the proxy statistics. This issue does not impact explicit proxy functionality.

Workaround: restart the WAD process, or update the number of WAD processors.

config system global
    set wad-worker-count <integer>
end

Firewall

Bug ID

Description

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

770541

There is a delay opening firewall, DoS, and traffic shaping policies in the GUI.

843554

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

860480

FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.

861990

Increased CPU usage in softIRQ after upgrading from 7.0.5 to 7.0.6.

864612

When the service protocol is an IP with no specific port, it is skipped to be cached and causes a protocol/port service name in the log.

884578

Unexpected behavior in WAD caused by enabling HTTP/2 while usingvirtual servers.

Workaround: under config firewall vip, set http-supported-max-version to http1.

895946

Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.

Workaround: access is possible with one of the following settings.

  • Change the firewall policy inspection mode to proxy-based.
  • Remove the IPS security profile from the firewall policy.
  • Set tcp-mss-sender and tcp-mss-receiver in the firewall policy to 1300.
  • Set tcp-mss to 1300 on the VPN tunnel interface.
  • Bypass the inter-VDOM link (may work in applicable scenarios, such as if the VDOM default route points to physical interface instead of an inter-VDOM).

GUI

Bug ID

Description

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

825598

The FortiGate may display a false alarm message TypeError [ERR_INVALID_URL]: Invalid URL in the crashlog for the node process. This error does not affect the operation of the GUI.

853352

On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.

854180

On the policy list page, all policy organization with sequence and label grouping is lost.

893560

When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.

898902

In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

Workaround: use the CLI to configure two-factor-authentication under config system admin.

HA

Bug ID

Description

818432

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

Hyperscale

Bug ID

Description

802182

After successfully changing the VLAN ID of an interface from the CLI, an error message similar to cmdb_txn_cache_data(query=log.npu-server,leve=1) failed may appear.

824071

ECMP does not load balance IPv6 traffic between two routes in a multi-VDOM setup.

841712

The nat64-force-ipv4-packet-forwarding command is missing under config system npu.

843197

Output of diagnose sys npu-session list/list-full does not mention policy route information.

872146

The diagnose sys npu-session list command shows an incorrect policy ID when traffic is using an intra-zone policy.

IPsec VPN

Bug ID

Description

885818

If a tunnel in an IPsec aggregate is down but its DPD link is on, the IPsec aggregate interface may still forward traffic to a down tunnel causing traffic to drop.

892699

In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down.

Workaround: in an SD-WAN scenario, a health check for the IPsec tunnel (SD-WAN member) with update-static-route enable is required.

config system sdwan
    config health-check
        edit <name>
            set server <string>
        next
    end
end

In a non-SD-WAN scenario, a link health monitor configuration is required.

config system link-monitor
    edit <name>
        set srcintf <IPsec_phase1-interface_name>
        set server <address>
        set source-ip <IPsec_tunnel_IP or internal_interface_IP)
    next
end

916260

The IPsec VPN tunnel list can take more than 10 seconds to load if the FortiGate has large number of tunnels, interfaces, policies, and addresses. This is a GUI display issue and does not impact tunnel operation.

Log & Report

Bug ID

Description

860822

When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

Workaround: use a double backslash (domain\\username) while filtering or searching by username only without the domain

Remote Access

Bug ID

Description

837391

FortiClient does not send the public IP address for SAML, resulting in 0.0.0.0 being shown in FortiOS and SASE.

Routing

Bug ID

Description

846107

IPv6 VRRP backup is sending RA that causes routing issue.

897940

Link monitor's probe timeout value range is not appropriate when the user decreases the minimum interval.

924598

The Network dashboard may not load if the administrator disables SD-WAN Interface under System > Feature Visibility.

Workaround: enable SD-WAN Interface under System > Feature Visibility, or remove the SD-WAN widget from the Network dashboard.

Security Fabric

Bug ID

Description

825291

Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud.

862424

On a FortiGate that has large tables (over 1000 firewall policies, address, or other tables), security rating reports may cause the FortiGate to go into conserve mode.

880011

When the Security Fabric is enabled and admin-https-redirection is enabled on a downstream FortiGate, the following GUI features do not work for the downstream FortiGate when the administrator manages the downstream FortiGate using the root FortiGate's GUI:

  • Web console access

  • Diagnostic packet capture

  • GUI notification when a new device joins or leaves the Security Fabric

  • GUI notification if a configuration on the current page changes

These features still work for the root FortiGate's GUI.

Workaround: disable admin-https-redirection on the downstream FortiGate.

SSL VPN

Bug ID

Description

795381

FortiClient Windows cannot be launched with SSL VPN web portal.

Switch Controller

Bug ID

Description

904640

When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device data from the port that results in an unexpected number of detected device MACs for the port. Using diagnose switch-controller mac-cache show to check the device data can result in the Device Information column being blank on the WiFi & Switch Controller > FortiSwitch Ports page or in the Assets widget.

Workaround: disable the device retention cache to remove old device data.

config switch-controller global
    set mac-retention-period 0
end

911232

Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.

Workaround: select a FortiSwitch and use the Diagnostics & Tools tooltip to view the correct registration status.

System

Bug ID

Description

666664

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

799570

High memory usage occurs on FG-200F.

859795

High CPU utilization occurs when relay is enabled on VLAN, which prevents users from getting an IP from DHCP.

861962

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

882187

Optimize memory usage caused by the high volume of disk traffic logs.

883071

Kernel panic occurs due to null pointer dereference.

884023

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

887940

Status light is not showing on the FortiGate 60F or 100F after a cold and warm reboot.

Upgrade

Bug ID

Description

903113

Upgrading FortiOS firmware with a local file from 6.2.13, 6.4.12, 7.0.11, or 7.2.4 and earlier may fail for certain models because the image file size exceeds the upload limit. Affected models: FortiGate 6000 and 7000 series, FWF-80F-2R, and FWF-81F-2R-POE.

Workaround: upgrade the firmware using FortiGuard, or manually increase the HTTP request size limit to 200 MB.

config system global
    set http-request-limit 200000000
end

User & Authentication

Bug ID

Description

823884

When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

853793

FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

VM

Bug ID

Description

878074

FG-ARM64-GCP and FG-ARM64-AZURE have HA synchronization issue with internal IP after failover.

881728

Kernel hangs on FG-VM64-AZURE.

899984

If FGTVM was deployed in UEFI boot mode, do not downgrade to any GA version earlier than 7.2.4.

Web Filter

Bug ID

Description

766126

Block replacement page is not pushed automatically to replace the video content when using a video filter.

885222

HTTP session is logged as HTTPS in web filter when VIP is used.

WiFi Controller

Bug ID

Description

814541

When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

869106

The layer 3 roaming feature may not work when the wireless controller is running multiple cw_acd processes (when the value of acd-process-count is not zero).

869978

CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.

873273

The Automatically connect to nearest saved network option does not work as expected when FWF-60E client-mode local radio loses connection.

903922

Physical and logical topology is slow to load when there are a lot of managed FortiAP (over 50). This issue does not impact FortiAP management and operation.

904349

Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

Workaround: use the CLI to update the profile to dual-5G mode.

Known issues

The following issues have been identified in version 7.2.4. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Anti Spam

Bug ID

Description

877613

Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI.

Anti Virus

Bug ID

Description

869398

FortiGate sends too many unnecessary requests to FortiSandbox and causes high resource usage.

908706

On the Security Profiles > AntiVirus page, a VDOM administrator with a custom administrator profile cannot create or modify an antivirus profile belonging to the VDOM.

Workaround: set the VDOM administrator profile to super_admin.

Explicit Proxy

Bug ID

Description

817582

When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

865828

The internet-service6-custom and internet-service6-custom-group options do not work with custom IPv6 addresses.

875736

The proxy-re-authentication-mode option has been removed in 7.2.4 and is replaced with proxy-keep-alive-mode re-authentication. The new proxy-re-authentication-time timer is associated with this re-authentication mode. There are two unresolved issues:

  • After upgrading, the previously configured proxy-auth-timeout value for the absolute re-authentication mode is not preserved in the new proxy-re-authentication-time.
  • The new proxy-re-authentication-time is currently configured in seconds, but it should be configured in minutes to be consistent with other related authentication timers (such as proxy-auth-timeout).

894557

In some cases, the explicit proxy policy list can take a long time to load due to a delay in retrieving the proxy statistics. This issue does not impact explicit proxy functionality.

Workaround: restart the WAD process, or update the number of WAD processors.

config system global
    set wad-worker-count <integer>
end

Firewall

Bug ID

Description

719311

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

770541

There is a delay opening firewall, DoS, and traffic shaping policies in the GUI.

843554

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

860480

FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.

861990

Increased CPU usage in softIRQ after upgrading from 7.0.5 to 7.0.6.

864612

When the service protocol is an IP with no specific port, it is skipped to be cached and causes a protocol/port service name in the log.

884578

Unexpected behavior in WAD caused by enabling HTTP/2 while usingvirtual servers.

Workaround: under config firewall vip, set http-supported-max-version to http1.

895946

Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.

Workaround: access is possible with one of the following settings.

  • Change the firewall policy inspection mode to proxy-based.
  • Remove the IPS security profile from the firewall policy.
  • Set tcp-mss-sender and tcp-mss-receiver in the firewall policy to 1300.
  • Set tcp-mss to 1300 on the VPN tunnel interface.
  • Bypass the inter-VDOM link (may work in applicable scenarios, such as if the VDOM default route points to physical interface instead of an inter-VDOM).

GUI

Bug ID

Description

677806

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

825598

The FortiGate may display a false alarm message TypeError [ERR_INVALID_URL]: Invalid URL in the crashlog for the node process. This error does not affect the operation of the GUI.

853352

On the View/Edit Entries slide-out pane (Policy & Objects > Internet Service Database dialog), users cannot scroll down to the end if there are over 100000 entries.

854180

On the policy list page, all policy organization with sequence and label grouping is lost.

893560

When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration.

898902

In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

Workaround: use the CLI to configure two-factor-authentication under config system admin.

HA

Bug ID

Description

818432

When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures.

Hyperscale

Bug ID

Description

802182

After successfully changing the VLAN ID of an interface from the CLI, an error message similar to cmdb_txn_cache_data(query=log.npu-server,leve=1) failed may appear.

824071

ECMP does not load balance IPv6 traffic between two routes in a multi-VDOM setup.

841712

The nat64-force-ipv4-packet-forwarding command is missing under config system npu.

843197

Output of diagnose sys npu-session list/list-full does not mention policy route information.

872146

The diagnose sys npu-session list command shows an incorrect policy ID when traffic is using an intra-zone policy.

IPsec VPN

Bug ID

Description

885818

If a tunnel in an IPsec aggregate is down but its DPD link is on, the IPsec aggregate interface may still forward traffic to a down tunnel causing traffic to drop.

892699

In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down.

Workaround: in an SD-WAN scenario, a health check for the IPsec tunnel (SD-WAN member) with update-static-route enable is required.

config system sdwan
    config health-check
        edit <name>
            set server <string>
        next
    end
end

In a non-SD-WAN scenario, a link health monitor configuration is required.

config system link-monitor
    edit <name>
        set srcintf <IPsec_phase1-interface_name>
        set server <address>
        set source-ip <IPsec_tunnel_IP or internal_interface_IP)
    next
end

916260

The IPsec VPN tunnel list can take more than 10 seconds to load if the FortiGate has large number of tunnels, interfaces, policies, and addresses. This is a GUI display issue and does not impact tunnel operation.

Log & Report

Bug ID

Description

860822

When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

Workaround: use a double backslash (domain\\username) while filtering or searching by username only without the domain

Remote Access

Bug ID

Description

837391

FortiClient does not send the public IP address for SAML, resulting in 0.0.0.0 being shown in FortiOS and SASE.

Routing

Bug ID

Description

846107

IPv6 VRRP backup is sending RA that causes routing issue.

897940

Link monitor's probe timeout value range is not appropriate when the user decreases the minimum interval.

924598

The Network dashboard may not load if the administrator disables SD-WAN Interface under System > Feature Visibility.

Workaround: enable SD-WAN Interface under System > Feature Visibility, or remove the SD-WAN widget from the Network dashboard.

Security Fabric

Bug ID

Description

825291

Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud.

862424

On a FortiGate that has large tables (over 1000 firewall policies, address, or other tables), security rating reports may cause the FortiGate to go into conserve mode.

880011

When the Security Fabric is enabled and admin-https-redirection is enabled on a downstream FortiGate, the following GUI features do not work for the downstream FortiGate when the administrator manages the downstream FortiGate using the root FortiGate's GUI:

  • Web console access

  • Diagnostic packet capture

  • GUI notification when a new device joins or leaves the Security Fabric

  • GUI notification if a configuration on the current page changes

These features still work for the root FortiGate's GUI.

Workaround: disable admin-https-redirection on the downstream FortiGate.

SSL VPN

Bug ID

Description

795381

FortiClient Windows cannot be launched with SSL VPN web portal.

Switch Controller

Bug ID

Description

904640

When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device data from the port that results in an unexpected number of detected device MACs for the port. Using diagnose switch-controller mac-cache show to check the device data can result in the Device Information column being blank on the WiFi & Switch Controller > FortiSwitch Ports page or in the Assets widget.

Workaround: disable the device retention cache to remove old device data.

config switch-controller global
    set mac-retention-period 0
end

911232

Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.

Workaround: select a FortiSwitch and use the Diagnostics & Tools tooltip to view the correct registration status.

System

Bug ID

Description

666664

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

799570

High memory usage occurs on FG-200F.

859795

High CPU utilization occurs when relay is enabled on VLAN, which prevents users from getting an IP from DHCP.

861962

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

882187

Optimize memory usage caused by the high volume of disk traffic logs.

883071

Kernel panic occurs due to null pointer dereference.

884023

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

887940

Status light is not showing on the FortiGate 60F or 100F after a cold and warm reboot.

Upgrade

Bug ID

Description

903113

Upgrading FortiOS firmware with a local file from 6.2.13, 6.4.12, 7.0.11, or 7.2.4 and earlier may fail for certain models because the image file size exceeds the upload limit. Affected models: FortiGate 6000 and 7000 series, FWF-80F-2R, and FWF-81F-2R-POE.

Workaround: upgrade the firmware using FortiGuard, or manually increase the HTTP request size limit to 200 MB.

config system global
    set http-request-limit 200000000
end

User & Authentication

Bug ID

Description

823884

When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

853793

FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

VM

Bug ID

Description

878074

FG-ARM64-GCP and FG-ARM64-AZURE have HA synchronization issue with internal IP after failover.

881728

Kernel hangs on FG-VM64-AZURE.

899984

If FGTVM was deployed in UEFI boot mode, do not downgrade to any GA version earlier than 7.2.4.

Web Filter

Bug ID

Description

766126

Block replacement page is not pushed automatically to replace the video content when using a video filter.

885222

HTTP session is logged as HTTPS in web filter when VIP is used.

WiFi Controller

Bug ID

Description

814541

When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

869106

The layer 3 roaming feature may not work when the wireless controller is running multiple cw_acd processes (when the value of acd-process-count is not zero).

869978

CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.

873273

The Automatically connect to nearest saved network option does not work as expected when FWF-60E client-mode local radio loses connection.

903922

Physical and logical topology is slow to load when there are a lot of managed FortiAP (over 50). This issue does not impact FortiAP management and operation.

904349

Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

Workaround: use the CLI to update the profile to dual-5G mode.