After spam mail is detected by the email filter, the X-ASE-REPORT does not insert into the mail header of the spam mail.

The Anti-Spam Block/Allow List Entry dialog page is not showing the proper Type values in the dropdown.

CDR archived files are deleted at random times and not retained.

Flow mode opens port 8008 over the AV profile that does not have HTTP scan enabled.

FortiGate enters conserve mode and the console prints a fork() failed message.

Nothing is displayed in the Advanced Threat Protection Statistics dashboard widget.

Scanunit displays unclear warnings when AV package validation fails.

FortiGate sends too many unnecessary requests to FortiSandbox and causes high resource usage.

Unable to access to some websites when application control with deep inspection is enabled.

DNS UTM log still presents unknown FortiGuard category even when the DNS proxy received a rating value.

Random websites are not accessible after upgrading when using a proxy policy.

Multipart boundary parsing failed with CRLF before the end of boundary 1.

The internet-service6-custom and internet-service6-custom-group options do not work with custom IPv6 addresses.

The proxy-re-authentication-mode option has been removed in 7.2.4 and is replaced with proxy-keep-alive-mode re-authentication. The new proxy-re-authentication-time timer is associated with this re-authentication mode. There are two unresolved issues:

• After upgrading, the previously configured proxy-auth-timeout value for the absolute re-authentication mode is not preserved in the new proxy-re-authentication-time.
• The new proxy-re-authentication-time is currently configured in seconds, but it should be configured in minutes to be consistent with other related authentication timers (such as proxy-auth-timeout).

The hit count and bytes of the implicit deny rule does not increase on the proxy policy.

Transparent web proxy policy has no match if the source or destination interface is the same and member of SD-WAN.

Proxy policy match resolves IP to multiple internet service application IDs.

Enabling http-ip-header on virtual server changes the log produced for transparent web proxy.

Unexpected behavior in WAD caused by deploying virtual servers in non-server pool mode.

Firewall schedule does not work as expected with a proxy policy.

On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers.

An httpsd singal 6 crash occurs due to /api/v2/monitor/license/forticare-resllers.

The set sub-type ems-tag option is blocked in HA diff installation.

Inaccurate sFlow interface data reported to PRTG after upgrading to 7.0.

Support matching by destination port when matching a central NAT rule if the protocols are TCP, UDP, or SCTP.

NPD failed to parse zone in the source interface of a DoS/ACL policy and failed to offload.

When the UTM is enabled, NP7 NTurbo is not set properly, which causes the shaper to not guarantee the SIP traffic based on the class ID.

After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side.

NGFW VDOM incorrectly includes all interfaces belonging to the root VDOM on interface and policy related GUI pages.

Explicit FTPS stops working with IP pool after upgrading.

FG-3000D cluster kernel panic occurs when upgrading from 7.0.5 to 7.0.6 and later.

Increased CPU usage in softirq after upgrading from 7.0.5 to 7.0.6.

When the service protocol is an IP with no specific port, it is skipped to be cached and causes a protocol/port service name in the log.

Standard and full ISDB sizes are not configurable on FG-101F.

Packets are not matching the existing session in transparent mode.

Support port block allocation (PBA) IP pools for NAT64 traffic.

The policy or other cache lists are sometimes not freed in time. This may cause unexpected policies to be stored in the cache list.

Egress interface cannot be intermittently matched for wake-on-LAN (broadcast) packets.

Traffic issues occur with virtual servers after upgrading.

Columns for NPU sessions are missing on the FortiView Sessions monitor page.

Unexpected behavior in WAD caused by enabling HTTP/2 while usingvirtual servers.

Implicit deny policy is allowing "icmp/0/0" traffic.

The one-time schedule pre-expiration event log button is always set to disable.

Intermittent behavior in WAD during SSL renegotiation while using virtual servers.

Merge FortiGate 6000 and 7000 series platforms.

The FortiSandbox PDF report query should be changed to on-demand.

The FortiView Sessions monitor displays VDOM sessions from other VDOMs.

On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

Policy page should show new name/content for firewall objects after editing them from the tooltip.

On the Network > Interfaces page when VDOM mode is enabled, the Global view incorrectly shows the status of IPsec tunnel interfaces from non-management VDOMs as up. The VDOM view shows the correct status.

On the Policy & Objects > Firewall Policy page, the policy list can take around 30 seconds or more to load when there is a large number (over 20 thousand) of policies.

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

When a FortiGate local administrator is assigned to more than two VDOMs and tries logging in to the GUI console, they get a command parse error when entering VDOM configuration mode.

Incorrect shortcut name shown on the Network > SD-WAN > Performance SLAs page.

Users should be able to perform a sniffer on a VWP member in the GUI.

Security Fabric root FortiGate is unable to resolve firewall object conflicts in the GUI.

Log & Report > Forward Traffic logs do not show the Policy ID if there is no Policy Name.

On the Log & Report > Forward Traffic page, using the filter Result : Deny(all) does not work as expected.

Security rating test for FortiCare Support fails when connected to FortiManager Cloud or FortiAnalyzer Cloud.

Incorrect information is being displayed for the HA role on the System > HA page.

Unable to load the Network > SD-WAN > SD-WAN Rules table sometimes due to a JavaScript error.

Unable to delete the LAN interface's addresses without switching it back to a none-LAN role.

On the System > HA page, a Failed to retrieve info caution message appears when hovering over the secondary unit's Hostname. The same issue is observed on the Dashboard > Status > Security Fabric widget.

On the System > FortiGuard page, the license table shows expiry notifications for FortiGuard entitlements, which are hidden by the GUI 's Feature Visibility.

Policy and dashboard widgets do not load when the FortiGate manages a FortiSwitch with tenant ports (exported from root to other VDOM).

The local standalone mode in a VAP configuration is disabled when viewing or updating its settings in the GUI.

The CPU and Sessions widgets report the current numbers at the wrong places for most time periods.

The Active Administrator Sessions widget shows the incorrect interface when accessing the firewall through the GUI.

IPsec tunnel interface Bandwidth widget inbound is zero and outbound value is lower than the binding interface.

On the Network > Policy Routes page, entries cannot be copied and pasted above or below.

System > Firmware & Registration menu is not visible for administrator accounts without read-write permissions for the sysgrp-permission category.

FortiCare Reseller dropdown name option needs correcting.

GUI always displays Access denied error after logging in.

Unable to select addresses in FortiView monitors.

An httpsd crash occurs when the GUI fails to get the disk log settings from the FortiGate.

CLI console in GUI reports Connection lost. when the administrator has more than 100 VDOMs assigned.

The VLAN ID cannot be changed in the GUI.

An access privilege prompt is not displayed when logging in to the GUI of a FortiGate managed by a FortiManager with post-login-banner enabled. The user is logged in with read-only permissions.

Global administrator backup configuration for specific VDOM contains configurations associated with only the root VDOM.

On the Network > Routing Objects page, editing a prefix list with a large number of rule entries fails with an error notification that The integer value is not within valid range.

CLI console disconnects and has '/tmp/daemon_debug/node_...' crash.

Node.JS boots earlier than autod, which leads to a Node.JS crash.

GUI being exposed to port 80 on the interfaces defined in the ACME settings, even if administrative access is disabled on the interface.

When remotely accessing the FortiGate from FortiGate Cloud, the web GUI console displays Connection lost. Press Enter to start a new session.

Long lasting sessions are expired on HA secondary device with a 10G interface.

DCE/RPC traffic is dropped when no session matches with the FGSP cluster and asynchronous traffic.

TACACS authentication to secondary FortiGate fails when HA group ID is changed on a FortiGate cluster.

DHCP over IPsec is not working in an FGSP cluster.

FGCP FortiGates go out-of sync when the certificates used for IPsec are updated using SCEP.

Running execute ha manage 0 <remote_admin> fails and displays a Permission denied, please try again. error if the 169.254.0.0/16 local subnet is not in the trusted host list.

HA A-P virtual cluster information is not correctly presented in the GUI and CLI.

New factory reset box failed to synchronize with primary, which was upgraded from 7.0.

Telnet connection running ping fails during FGSP failover for virtual wire pair with VLAN traffic.

FG-500E interface stops sending IPv6 RAs after upgrading from 7.0.5 to 7.0.7.

Unable to synchronize IPsec SA between FGCP members after upgrading.

Output of diagnose sys ntp status is misleading when run on a secondary cluster member.

FortiGate uses dedicated management interface to connect to 154.52.29.102 (productapi.fortinet.com) even though ha-direct is disabled.

FG-2600F kernel panic occurs after a failover on both members of the cluster.

The HBDEV status is displayed as DOWN when upgrading one node of the HA cluster to 6.4.9.

The session is not synchronized after HA failover by detecting monitored interface as down.

Upgrading or re-uploading an image to the HA secondary node causes the OS to be un-certified.

On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as Current HA mode in the CLI.

FGCP A-P devices get out of HA synchronization periodically due to FortiTokens being added and deleted.

HA configuration synchronization packets (Ethertype 0x8893) are dropped when going through VXLAN.

Primary FortiGate synchronizes the changing HA command to the secondary.

In HA A-A mode, authenticated users experience intermittent drops and disconnections.

Several session counts of primary unit do not match.

When re-enabling sync-config on the primary FGCP cluster member, it is automatically disabled on the secondary.

FGSP session-sync-dev ports do not use L2 Ethernet frames but always use UDP, which reduces the performance.

FortiGate is going to out-of-sync after changing parameters of VDOM link interfaces.

hasync crashing with signal 6 after upgrading to 7.2.3 from 7.0.7.

When downloading the speed test server list, the HA cluster gets and stays out-of-sync.

Running diagnose sys ha vlan-hb-monitor incorrectly shows inter-VDOM VLANs inactive.

Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2.

HA interfaces flapping on FG-3401E.

When WAN extension redundant mode is configured in HA, after a redundant switch it will makes the HA be out-of-sync.

In HA, sending lot of CLI configurations causes the creation of a VDOM on the secondary unit.

Unexpected failover occurs due to uptime, even if the uptime difference is less than the ha-uptime-diff-margin.

HA shows as being out-of-sync after upgrading due to a checksum mismatch for endpoint-control fctems.

Unable to set the interface configured as an SD-WAN member to pingserver-monitor-interface in the CLI.

HA cluster became out-of-sync after enabling a password policy and logging on to FortiGate.

Firewall virtual IP (VIP) features that are not supported by hyperscale firewall policies are no longer visible from the CLI or GUI when configuring firewall VIPs in a hyperscale firewall VDOM.

Allowing intra-zone traffic is now supported in hyperscale firewall VDOMs. Options to block or allow intra-zone traffic are available in the GUI and CLI.

On FortiGates licensed for hyperscale firewall features, the config system setting options nat46-force-ipv4-packet-forwarding and nat64-force-ipv6-packet-forwarding now also apply to NP7-offloaded traffic. The config system npu option nat46-force-ipv4-packet-forwarding has been removed.

Get PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS console error log when performing a system bootup.

IPSA self test failed, disable IPSA! IPSA disabled: self test failed message appears in system event logs.

Improvements to IPS engine to optimize CPU usage when a decrypted traffic mirror profile is applied to policies in flow mode.

IPv6 with hardware offloading and IPS drops traffic (msg="anti-replay check fails, drop).

Firewall policy change causes high CPU spike with IPS engine.

Unable to pass traffic when using GRE over IPsec (IPsec in transport mode).

Source MAC changes and the packet drops due to both sides of the session using the same source MAC address.

Memory leak was detected due to IPS engine restart.

Under config ips global, configuring set exclude-signatures none does not save to backup configuration.

IPsec aggregate shows down status on Interfaces, Firewall Policy, and Static Routes configuration pages.

IPsec server with NP offloading drops packets with an invalid SPI during rekey.

IPsec VPN Interface shows incorrect TX/RX counter.

Users cannot define an MTU value for the aggregate VPN.

FortiGate is unable to install SA (failed to add SA, error 22) when there is an overlap in configured selectors.

The vpn-id-ipip encapsulated IPsec tunnel with NPU offloading cannot be reached by IPv6.

ASCII-encoded byte code of remote gateway IP is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv1 or v2 if the peer-id is not configured.

iked signal 11 crash occurs once when running a VPN test script.

If mode-cfg is used, a race condition can result in an IP conflict and sporadic routing problems in an ADVPN/SD-WAN network. Connectivity can only be restored by manually flushing the IPsec tunnels on affected spokes.

ESP tunnel traffic hopping from VRF.

Issues with synchronization of the route information (using add-route option) on spokes during HA failover that connect to dialup VPN.

NAT detection in shortcut tunnel sometimes goes wrong.

FortiGate IPsec tunnel role could be incorrect after rebooting or upgrading, and causes negotiation to be stuck when it comes up.

When upgrading from 6.4.9 to 7.0.6 or 7.0.8, the traffic is not working between the spokes on the ADVPN environment.

Native IPsec iOS authentication failure using LDAP account with two-factor authentication.

IPsec phase 2 fails when both HA cluster members reboot at the same time.

In IPsec VPN, the fnbamd process crashes when the password and one-time password are entered in the same Password field of the VPN client.

IPsec tunnel does not coming up after the upgrading firmware on the branch FortiGate (FG-61E).

Phase 2 not initiating the rekey at soft limit timeout on new kernel platforms.

RADIUS server will reject new authentication if a previous session is missing ACCT-STOP to terminate the session, which causes the VPN connection to fail.

ADVPN spoke does not delete the BGP route entry to another spoke over IPsec when the IPsec VPN tunnel is down.

Proxy DHCP is not following RFC 2132 for option 61.

Forwarded broadcast traffic on ADVPN shortcut tunnel interface is dropped.

If a tunnel in an IPsec aggregate is down but its DPD link is on, the IPsec aggregate interface may still forward traffic to a down tunnel causing traffic to drop.

In an L2TP configuration, set enforce-ipsec enable is not working as expected after upgrading.

ADVPN hub is not advertising additional paths by specific tunnels.

The Peer ID field in the IPsec widget should not show a warning message that Two-factor authentication is not enabled.

In an HA cluster, static routes via the IPsec tunnel interface are not inactive in the routing table when the tunnel is down.

The exclude-list log filter is not working as expected.

Unable to view or download generated reports in the GUI if the report layout is custom.

GUI logging issue for automation script that performs a backup to an external FTP server.

FortiGates are showing Logs Queued in the GUI after a FortiAnalyzer reboot, even tough the queued logs were actually all uploaded to FortiAnalyzer and cleared when the connection restores.

Archived Data tab is missing from intrusion prevention and application control log Details pane once log-packet is enabled.

Policy ID filter is not working as expected.

On the Log & Report > ZTNA Traffic page, the client's Device ID is shown as [object Object]. The Log Details pane show the correct ID information.

Packet captured by firewall policy cannot be downloaded.

A deny policy with log traffic disabled is generating logs.

When log pages are scrolled down, no logs are displayed after 500 lines of logs.

Logs are outputted, even if FDS-license-expiring-warning is disabled.

Forward traffic log does not contain result and security action values for sessions denied by WAD.

Log filter with negation of destination IP display all logs.

When FortiGate Cloud logging is enabled, the option to display 7 days of logs is not visible on the Dashboard > FortiView pages.

Unable to download more than 500 logs from the FortiGate GUI.

Syslog did not update the time after daylight saving time (DST) adjustment.

The miglogd process may send empty logs to other logging devices.

Unable to back up logs (FG-201E).

Incorrect time and time zone appear in the forward traffic log when timezone is set to 18 (GMT-3 Brasilia).

In A-P mode, when the link monitor fails, the event log displays a description of ha state is changed from 0 to 1.

In Forward Traffic logs, the Policy ID column is blank.

When searching old logs on the Log & Report > Forward Traffic page and then navigating to another page, the log_se process on the FortiGate is still busy as the cancel request is not sent after navigating to the other page.

An internal error occurs on the FortiCloud Report page when a Japanese report name is too long.

A miglogd crash occurs when creating a dynamic interface cache on an ADVPN environment.

A syslogd signal 11 crash occurs once while running VPN scripts.

SAML SSO administrator login with post-login banner enabled does not have a login event.

On the Log & Report > Log Settings > Local Logs page, the Local reports and Historical FortiView settings cannot be enabled.

FortiGate cannot retrieve logs from FortiAnalyzer Cloud. Results are shown rarely.

High memory usage from miglogd processes even without traffic.

Caching a large number of service port entries causes high log daemon memory usage.

FortiAnalyzer override settings are not taking effect when ha-direct is enabled.

The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted.

FG-40F and FWF-61F halt after upgrading.

The video filter does not display the proper replacement message when the user redirects to a blocked video from the YouTube homepage or video recommendation list.

An error case occurs in WAD while handling the HTTP requests for an explicit proxy policy.

Error condition in WAD occurs during traffic scans in proxy mode.

Video filter FortiGuard category takes precedence over allowed channel ID exception in the same category.

Intermittent traffic disruption caused by race condition in WAD.

An error condition occurs in WAD while parsing certain URIs.

Improvements to WAD to optimize CPU usage when using user groups.

An error condition occurs in WAD during an AV scan submission.

Unexpected behavior in WAD when there are multiple LDAP servers configured on the FortiGate.

In a firewall proxy policy, the SD-WAN zone assigned to interface is not checked.

An error condition occurs in WAD when the srcintf of a firewall proxy-policy is set to an SD-WAN zone.

WAD daemon runs high with many child processes and is not coming down after configuring 250 CGN VDOMs.

POP3 proxy is unable to extract the username if AUTH PLAIN or AUTH LOGIN commands were used for authentication.

FortiGate out-of-band certificate check issue occurs in a proxy mode policy with SSL inspection.

Unable to make API calls using Postman Runtime script after upgrading to 7.2.0.

Improvements to WAD to optimize CPU usage when using user groups.

Improvements to WAD to resolve a memory usage issue when user-info updates the FortiAP information.

The WAD process memory usage gradually increases over a few days, causing the FortiGate to enter into conserve mode.

WAD crashed while parsing a Huffman-encoded HTTP header.

Memory usage issue caused by the WAD user-info history daemon.

Memory usage issue occurs on the WAD worker in a specific scenario.

An error condition occurs in WAD when the dstaddr6 of a firewall proxy-policy is set to an IPv6 address.

User information attributes can cause disruption when they are not properly merged.

An error condition occurs in WAD due to an improper NULL check.

Unexpected behavior in WAD due to the activation of firewall protocol options, with both client and server comfort features enabled.

Unable to send logs from FortiClient to FortiAnalyzer when deep inspection is enabled on firewall policy.

An error condition occurs in WAD when a task is queued in the dev-vuln daemon and the user-info daemon restarts.

/api/v2/monitor/system/certificate/download can still download already deleted CSR files.

High CPU usage of httpsd on FG-3600E HA system.

The active sessions count for a specific policy displayed in the Fortiview Sessions monitor (Active Sessions column ), on the Firewall Policy page, and in the results of diagnose sys session list (total session value) are different. The total session count indicated in the CLI is the accurate value.

In the FortiOS API, policies with a large number of service objects drop objects without an error.

No IGMP-IF for ifindex log points to multicast enabled interface.

Router policy destination address not take effect when internet-service-id is configured.

Early packet drop occurs when running UTM traffic on virtual switch interface.

Using set load-balance-mode weight-based in SD-WAN implicit rule does not take effect occasionally.

DHCP relay packets are not being sent out of WWAN interface.

IPsec traffic sourced from a loopback interface does not follow the policy route or SD-WAN rules.

Spoke-to-spoke communication randomly breaks. The BGP route to reach the spoke subnet points to the main ADVPN tunnel instead of the shortcut tunnel.

When creating a new rule on the Network > Routing Objects page, the user cannot create a route map with a rule that has multiple similar or different AS paths in the GUI.

BGP packets are marked with DSCP CS0 instead of CS6.

When enabled, FEC is not effectively reducing packet loss when behind NAT.

OSPF summary address for route redistribution from static route via IPsec VPN always persists.

Redistributed BGP routes to the OSPF change its forward address to the tunnel ID.

Disabling the VDSL interface caused packet drops afterwards on another interface.

Traffic session is processed by a different SD-WAN rule and randomly times out.

FortiGate does not add the route in the routing table when it changes for SD-WAN members.

Application VWL crash occurs after FortiManager configuration push causes an SD-WAN related outage.

SD-WAN GUI does not load, and the lnkmtd process crashes frequently.

Application forticron signal 11 (Segmentation fault) received.

BGP stuck in active state due to collisions when BGP neighborship is done over VDOM link.

When BSM carries multiple CRPs, PIM might use the incorrect prefix to update the mroute's RP information.

SD-WAN and IP pool setting are not working as expected when one SD-WAN member link is down.

Unable to set local-as in BGP confederation configuration.

Routing advertised by directly connected EBGP peer is not installed (denied due to non-connected next-hop).

Sometimes an IPv6 single-hop BFD neighbor fails to come up after a system reboot.

TCP/HTTP health check does not work as expected for virtual servers in active-standby mode.

SD-WAN SLA log information has incorrect inbound and outbound bandwidth values.

When execute speed-test-server download fails with a token parse error, it still reports Download completed.

SD-WAN member shows as selected, even if the interface is down or underlying transport is down.

Delay in joining (S,G) in PIM-SM.

Sandbox traffic does not follow SD-WAN rules.

All BGP routes in dual ADVPN redundant configuration are not getting updated to the correct WAN interface post-rollback to WAN failover.

After upgrading, SD-WAN is unable to fail over the traffic when one interface is down.

GUI does not show gateway IP on the routing table page if VDOM mode is transparent.

ISIS cannot establish the neighborship to peers, and all peers are in INIT states.

Link monitor's probe timeout value range is not appropriate when the user decreases the minimum interval.

Security Fabric widget and Fabric Connectors page do not identify FortiGates properly in HA.

After adding a Fabric device widget, the device widget does not appear in the dashboard.

Security rating test for FortiAnalyzer fails when connected to FortiAnalyzer Cloud.

When using automation email action to reference the result of a previously executed automation CLI script action, there is a 16 KB size limit for the script output.

Root FortiGate cannot finish the security rating with a large Fabric topology (more than 25 to 30 devices) because the REST API is not limited to the local network.

When a custom LLDP profile has auto-isl disabled, the security rating test, Lockdown LLDP Profile, fails.

The FortiAP Firmware Versions and FortiSwitch Firmware Versions security rating tests fail because the firmware version on the FortiAPs and FortiSwitches is not recognized correctly.

Sessions with csf_syncd_log flag in a Security Fabric are not logged.

Various places in the GUI do not show the secondary HA device.

Unable to load topology pages for a specific Security Fabric topology on the root and downstream FortiGates.

Error triggering automation stitch message appears when the license expiry notification type is FortiGuard Web Filter.

In a simple cluster, the primary unit failed to upgrade to 7.2.3.

FortiGate cannot display more than 500 VMs in a GCP dynamic address.

Unable to remove external resource in a certain VDOM when the external resource has no reference in that VDOM.

When the Security Fabric is enabled and admin-https-redirection is enabled on a downstream FortiGate, the following GUI features do not work for the downstream FortiGate when the administrator manages the downstream FortiGate using the root FortiGate's GUI:

• Web console access
• Diagnostic packet capture
• GUI notification when a new device joins or leaves the Security Fabric
• GUI notification if a configuration on the current page changes

These features still work for the root FortiGate's GUI.

The gcpd daemon constantly crashes (signal 11 segmentation fault).

Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.

The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set.

When sending the SSL VPN settings email (VPN > SSL-VPN Settings > Send SSL-VPN Configuration), the Email template only includes a hyperlink to the configuration, which is not supported by Gmail and Fortinet email.

Customer's internal website does not load properly in SSL VPN web mode.

The web-mode setting should not be enabled when the portal is mapped in an SSL VPN policy where a VIP is applied.

FortiGate is not sending Accounting-Request packet that contains the Interim-Update AVP when two-factor authentication is assigned to a user (defined on the FortiGate ) while connecting using SSL VPN.

Unable to view PDF files in SSL VPN web mode.

Multiple DNS suffixes cannot be set for the SSL VPN portal.

Internal resource pages and menus are not showing correctly in SSL VPN web mode.

SSL VPN stops passing traffic after some time.

On the VPN > SSL-VPN Settings page, when the source-address-negate option is enabled for an address in the CLI, the GUI does not display an exclamation mark against that address entry in the Hosts field.

This is cosmetic and does not affect on the FortiGate functionality or operation. The source-address-negate option being enabled can be confirmed in the CLI.

OS checklist for the SSL VPN in FortiOS does not include macOS Ventura (13).

MacOS clients bypass the host check policy.

Internal web interface is not working using web mode. The page is not loading properly.

Internal website with JavaScript is proxying some functions in SSL VPN web mode, which breaks them.

Problem loading some graphs trough SSL VPN web mode after upgrading.

SSL VPN web mode top-right dropdown button (user profile menu) does not work.

SSL VPN DTLS tunnel is unavailable after changing the SSL VPN listening port.

FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode.

SSL VPN bookmark not accessible.

RDP over SSL VPN web mode to a Windows Server changes the time zone to GMT.

EcoStruxure Building Operations 2022 does not render using SSL VPN bookmark.

In the second authentication of RADIUS two-factor authentication, the acct-update-interval returned is 0. SSL VPN uses the second return and not send RADIUS acct-interim-update packet.

RDP/VNC host name is not encrypted when URL obscuration is enabled.

SSL VPN web mode connection to VMware vCenter 7 is not working.

Kernel does not delete original route after address assigned to the client changes.

Internal website is not displaying user-uploaded PDF files when visited through SSL VPN web mode.

RDP over VPN SSL web mode stops working after upgrading.

SSL VPN web mode does not load when connecting to customer's internal site.

SSL VPN crashes are generating random disconnections (FG-5001E).

SSL VPN web mode to RDP broker leads to connection being closed.

SSL VPN policy is ignored if no user or user group is set and the FSSO group is set.

FortiGate misses the closing parenthesis when running the function to rewrite the URL.

Problem with the internal website using SSL VPN web mode.

Webpage opened in SSL VPN web portal is not displayed correctly.

RDP freezes in web mode with high CPU usage of SSL VPN process.

Internal website access issue with SSL VPN web portal.

Found bad login for SSL VPN web-based access when enabling URL obscuration.

Unable to access to Grafana tool using SSL VPN web mode (bookmark).

SSL VPN tunnel mode gets disconnected when SSL VPN web mode is disconnected by limit-user-logins.

SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request.

When srcaddr6 contains addrgrp6, sslvpnd crashes after dual-stack tunnel is established.

SSL VPN is adding extra JS code blocking access to a website.

One of the speed-connect website JavaScript files has trouble with host process.

Internal website with JavaScript lacks some menus when using SSL VPN web mode.

FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel.

Specific SAP feature is not working with SSL VPN web mode.

SSL VPN web mode is not working as expected for customer's web server.

FortiSwitch enabled VLANs with VLAN and proxy ARP access have large latencies on initial ARP resolutions.

FortiSwitches managed by FortiGate go offline intermittently and require a FortiGate reboot to recover.

Support FortiLink to recognize a FortiSwitch based on its name and not just by serial number.

Switch controller managed switch port configuration changes do not take effect on the FortiSwitch.

On the WiFi & Switch Controller > Managed FortiSwitches page, when an administrator with restricted access permissions is logged in, the Diagnostics and Tools page for a FortiSwitch cannot be accessed.

Redirected traffic should not hit the firewall policy when allow-traffic-redirect is enabled.

FortiLink interface should not permit changes of the system interface allowaccess settings.

FortiLink virtually managed switch port status is not getting pushed after the FortiGate reboots.

When a MAC VLAN appears on the same MCLAG trunk, continuous event logs are received on FortiGate and FortiAnalyzer.

Inadvertent traffic disruption caused by WAD due to deadlock.

diagnose sys logdisk smart does not work for NVMe disk models.

HA synchronization packets are hashed to a single queue when sync-packet-balance is enabled.

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

The forticron daemon is constantly being restarted.

Get can not set mac address(16) error message when setting a MAC address on an interface in HA that is already set.

DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses.

Wrong IP displayed in GUI widget if FortiGuard anycast AWS is used.

HPE does not enforce a limit on fragmented packets sent to the CPU when ip-reassembly is enabled.

On FG-200F, the Outbound bandwidth in the Bandwidth widget does not match outbandwidth setting.

On the Network > Interfaces page, configuring a delegated interface to obtain the IPv6 prefix from an upstream DHCPv6 server fails with an error notification (CLI internal error).

Improve dnsproxy process memory management.

High memory usage occurs on FG-200F.

In FIPS-CC mode, if cfg-save is set to revert, the system will halt a configuration change or certificate purge.

DoS policy ID cannot be moved in GUI and CLI when multiple DoS policies are enabled.

LACP interfaces are flapping after upgrading to 6.4.9.

FCLF8522P2BTLFTN transceiver is not working after upgrade.

VIP traffic access to the EMAC VLAN interface uses incorrect MAC address on NP7 platform.

The tab title does not show the server address when accessing RDP/VNC using SSL VPN web mode.

NP7 platforms may reboot unexpectedly when unable to handle kernel null pointer de-reference.

A cmdbsvr crash is observed on the FortiGate.

DoS anomaly has incorrect threshold after loading a modified configuration file.

When kernel debug level is set to >=KERN_INFO on NP6xLite platforms, some tuples missing debug messages may get flooded and cause the system to get stuck.

After rebooting the FortiGate, the MTU value on the VXLAN interface was changed.

Add 100G speed option for FG-180xF for ports 37, 38, 39, and 40. Upon firmware upgrade, existing port speed configurations are preserved.

NP7 platforms may encounter random kernel crash after reboot or factory reset.

Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.

FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.

Network device kernel null pointer is causing a kernel crash.

Issue with the server_host_key_algorithm compatibility when using SSH on SolarWinds.

Fortinet 10 GB transceiver LACP flapping when shut/no shut was performed on the interface from the switch side.

False alarm of the PSU2 occurs with only one installed.

Time zone for Kyiv, Ukraine is missing.

The FortiGate is only offering the ssh-ed25519 algorithm for an SSH connection.

High CPU utilization occurs when relay is enabled on VLAN, and this prevents users from getting an IP from DHCP.

execute ping-option interface cannot specific an interface name of a.

SNMP OID 1.3.6.1.2.1.4.32 ipAddressPrefixTable is not available.

GUI displays a blank page if vdom-admin user has partial permissions.

RX and TX counters are incorrect on inter-VDOM link configured with VLANs.

DHCP lease list CLI format gets misaligned when the data is over 15 characters long.

Add check to skip invalid names when creating a VDOM.

FG-400E-BP has crash at initXXXXXXXXXXX[1]: segfault at 3845d5a after package validation fails.

Subnet overlap error occurs when configuring the same IPv4 link-local addresses on two different interfaces.

After a cold reboot (such as a power outage), traffic interfaces may not come up with a possible loss of VLAN configurations.

execute ssh-regen-keys should be global-level command.

If the original packet was forwarded with NAT, generated ICMP error is routed back to SNAT'ed address.

If a device is rebooted that has an ipsec-STS-timeout configured or the user configures the ipsec-STS-timeout before any NPU tunnel is created, NPU will send random STS messages that have an invalid tunnel index and trigger NP6XLite error messages.

SNMP multicast counters are not increasing.

Forticron memory is leaking.

Memory corruption or incorrect memory access when processing a bad WQE.

The fgfmsd process crashes since updating to 6.4.11.

ssh-rsa should be disabled under the SSH server_host_key_algorithm.

Dashboard loads slowly and csfd process has high CPU usage.

HQIP test fails on FG-2201E.

ACME auto-renewal is not performed after HA failover.

No output of execute sensor list is displayed after rebooting.

On the Network > BGP page, creating or editing a table entry increases memory consumption of the FortiGate to 99%.

FortiGate with new kernel crashes when starting debug flow.

Get zip conf file failed -1 error message when running a script configuring the FortiGate.

When traffic is offloaded to an NP7 source MAC, the packets sent from the EMAC VLAN interface are not correct.

Unsetting the port 8888 setting in system fortiguard will set port 443, even if the protocol is UDP.

NP7 is not configured properly when the ULL ports are added to LAG interface, which causes accounting on the LAG to not work.

FG-3501F NP7 is dropping all traffic after it is offloaded.

Unable to use ping and SSH when vne.root is not configured in local-in-policy.

Kernel panic occurs due to null pointer dereference.

Unbalanced throughput on LAG members with LAG enhancement feature enabled.

Control the server host key algorithm in the CLI.

Unable to configure dscp-based-priority when traffic-priority dscp is configured under system global.

CPU usage issue in WAD caused by checking authentication group member information.

Some sessions are still reported as offloaded when auto-asic-offload is disabled.

Unable to configure IPv6 setting on system interface (FWF-81F-2R-POE).

Auto-script causes FortiGate to repeat commands.

Unable to handle kernel NULL pointer dereference at 0000000000000000 for NP7 device; the device keeps rebooting.

LAG interface has NOARP flag after interface settings change.

Daylight saving time is not applied for Cairo time zone.

Interface release from cmdb and iprope keep updating when DHCP client renewal fails.

FSTR session ticket zero causes a memory leak.

FortiGate as L2TP client is not working after upgrading to 7.2.4.

grep command including -f does not provide the full output.

FG-3000F reboots unexpectedly with NULL pointer dereference.

In a certain edge case, traffic directed towards a VLAN interface could trigger a kernal panic.

The endpoint-control fctems entry 0 is added after upgrading from 6.4 to 7.0.8 when the FortiGate does not have EMS server, which means the endpoint-control fctems feature was not enabled previously. This leads to a FortiManager installation failure.

SSH public keys are lost after upgrading from Beta 1 to latest interim build, and they can no longer be configured.

Static route configurations were lost upgrading from 7.0.7 to 7.2.3.

FG-601E crashes randomly after upgrading to 7.0.8 and 7.0.11.

Chrome throttles timers, which causes the keepalive page not update correctly and results in a user timeout.

When MAC-based authentication is enabled, multiple RADIUS authentication requests may be sent at the same time. This results in duplicate sessions for the same device.

If an administrator login fails due to an LDAP server connection timeout, invalid password appears as the reason in the system log, which is confusing. The server connection timeout reason is added to the system event logs for a failed administrator login.

When a user's membership in AD or port range is changed, all of the user sessions are cleared.

RADIUS MAC authentication using ClearPass is intermittently using old credentials.

LDAPS connectivity test fails with old WinAD after OpenSSL was upgraded to 3.0.2.

SSL VPN and firewall authentication SAML does not work when the application requires SHA-256.

FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

Some embedded SSL certificates entered the Error state after enabling FIPS-CC.

All devices are detected as Other identified device in the Device Inventory widget.

The EAP proxy worker application crashes frequently.

SSL VPN group matching does not work as expected for Azure auto login.

Dynamic address only has 100 IP addresses while FSSO group lists all 56K ACI endpoints.

Client's firewall authentication session timeout is set to 900 when it passes MAC authentication bypass by ping.

In some cases, the proper hostnames are not showing up when looking at APs on the FortiSwitch ports screen.

ACME client fails to work with some CA servers.

A cid scan crash occurs when device detections happen in a certain order.

Fortinet_GUI_Server certificate auto-regenerates every day.

ARP does not trigger FortiGuard device identification query.

When the Guest User Print Template is customized in a VDOM, printing the guest user credentials from User & Authentication > Guest Management still uses the default Guest User Print Template.

CMP should be supported for EC certificates.

Adding a new group membership to an FSSO user terminates all the user's open sessions.

IPv6 traffic triggers <interface>: hw csum failure message on CLI console.

Session is not crated over NSX imported object when traffic starts to flow.

Unable to enable FIPS cipher mode on FG-VM-ARM64-AWS.

VPNs over Oracle Cloud stop processing traffic.

CPU spike observed on all the cores in a GCP firewall VM.

Interface does not get turned back up after changing the MTU in the aggregate interface.

During a same zone AWS HA failover, moving the secondary IP will cause the EIP to be in a disassociated state.

Azure auto-scale HA shows certificate error for secondary VM.

FortiGate VM HA primary loses connection when setting up secondary unit.

FG-ARM64-GCP and FG-ARM64-AZURE have HA synchronization issue with internal IP after failover.

Kernel hangs on FG-VM64-AZURE.

AWS MAC is not shown when the interface is attached immediately.

FG-AWS SDN is unable to retrieve EKS cluster information, even thought its role is trusted by the EKS role.

Backup virtual server not working as expected (ERR_EMPTY_RESPONSE).

Azure SDN connector stopped processing when Azure returned NotFound error for VMSS interface from an AD DS-managed subscription.

FG‑VM Rackspace On-Demand upgrade from 7.2.3 to 7.2.4 breaks the pay-as-you-go license, and reverts it to an evaluation license.

PRACK will cause voipd crashes when the following conditions are met: block-unknown is disabled in the SIP profile, the PRACK message contains SDP, and PRACK fails to find any related previous transactions (this is not a usual case).

Block replacement page is not pushed automatically to replace the video content when using a video filter.

In flow mode, URL filter configuration changes cause a spike in CPU usage of the IPS engine process.

The urlfilter process causes a memory leak, even when the firewall policy not using the web filter feature.

FortiOS exhibits segmentation fault on hostapd on the secondary controller configured in HA.

Suggest replacing the IP Address column with MAC Address in the Collected Email widget.

The 6 GHz channel lists should be updated according to the latest WiFi country region channels map.

Connectivity loss occurs due to switch and FortiAPs (hostapd crash).

Application hostapd crash found on FG-101F.

A hostapd process crash is shown in device crash logs.

CAPWAP traffic is not offloaded when re-enabling capwap-offload.

Wireless client shows portal related webpage while doing MAC authentication with MAB mode.

Dynamic VLAN assignment is disabled in the GUI when editing an SSID with radius mac-auth and dynamic-vlan enabled.

The voice-enterprise value changed after upgrading.

HA FortiGate encounters multiple hostapd crashes.

Hostapd segmentation fault signal 6 occurs upon HA failover.

Hostapd segmentation fault signal 11 occurs upon RF chamber setup.

The cw_acd process appears to be stuck, and is sending several access requests for MAC authentication.

Invalid wireless MAC OUI detected for a valid client on the network.

Wireless client gets disconnect from WiFi if it is connected to a WPA2 SSID more than 12 hours.

Incorrect source IP in the self-originating traffic to RADIUS server.

Wi-Fi clients on a RADIUS MAC MPSK SSID get prematurely de-authenticated by the secondary FortiGate in the HA cluster.

Fetching the registration status does not always work.

FortiWiFi fails to act as the root mesh AP, and leaf AP does not come online.

Add support for G-series FortiAP models in syntax XML export files.

Quarantined STA connected to a long interface name VAP is not moved to quarantined VLAN 4093.

MPSK SSID with mpsk-schedules stopped working after the system time was changed due to daylight saving time.

The EMS tag name (defined in the EMS server's Zero Trust Tagging Rules) format changed in 7.2.1 from FCTEMS<serial_number>_<tag_name> to EMS<id>_ZTNA_<tag_name>.

After upgrading from 7.2.0 to 7.2.1, the EMS tag format was converted properly in the CLI configuration, but the WAD daemon is unable to recognize this new format, so the ZTNA traffic will not match any ZTNA policies with EMS tag name checking enabled.

ZTNA server (access proxy VIP) is causing all interfaces that receive ARP request to reply with their MAC address.

ZTNA real server address group gets unset once the FortiGate restarts.

Adding an EMS tag on the Policy & Objects > Firewall Policy edit page for a normal firewall policy forces NAT to be enabled.

An error case occurs in WAD when a client EMS tag changes.

Unable to match first group attribute from SAML assertion for ZTNA rule.