Known issues

The following issues have been identified in version 7.4.1. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

Firewall

Bug ID

Description

948393

Policy lookup should not return a result with policy_action: deny for non-TCP protocols and non-80/443 TCP ports.

951984

The best output route may not be found for local out DNAT traffic.

953921

GUI does not display the configured parameters for traffic shaping policies when editing a policy with an SD-WAN zone.

967205

Changing the destination in the policy replaces the applied services with the ALL service.

FortiGate 6000 and 7000 platforms

Bug ID

Description

790464

Existing ARP entries are removed from all slots when an ARP query of a single slot does not respond.

885205

IPv6 ECMP is not supported for the FortiGate 6000F and 7000E platforms. IPv6 ECMP is supported for the FortiGate 7000F platform.

887946

UTM traffic is blocked by an FGSP configuration with asymmetric routing.

891642

FortiGate 6000 and 7000 platforms do not support managing FortiSwitch devices over FortiLink.

896758

Virtual clustering is not supported by FortiGate 6000 and 7000 platforms.

905450

SNMP walk failed to get the BGP routing information.

907140

Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when the secondary chassis joins a primary chassis to form an FGCP cluster.

907695

The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface.

910824

On the FortiGate 7000F platform, fragmented IPv6 ICMP traffic is not load balanced correctly when the dp-icmp-distribution-method option under config load-balance is set to dst-ip. This problem may also occur for other dp-icmp-distribution-method configurations.

910883

The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM.

911244

FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.

937879

FortiGate-7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate-7000F chassis with FIM-7921Fs.

954862

Graceful upgrade from 7.0.12 to 7.2.6 or 7.2.7, or from 7.0.12 to 7.4.2 or 7.4.3 will fail on the FortiGate 6501F/6500F, FortiGate 7060E with slot6 occupied, and FortiGate 7121F with slot12 occupied.

Workaround: Disable uninterruptible-upgrade before performing the firmware upgrade:

config system ha
    set uninterruptible-upgrade disable 
end

Note that traffic will be interrupted for 15 to 45 minutes, depending on the size of the configurations.

973407

FIM installed NPU session causes the SSE to get stuck.

FortiView

Bug ID

Description

941521

On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI.

GUI

Bug ID

Description

848660

A read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled.

Workaround: super_admin users can enable the monitor bandwidth feature on the interface first, then the widget can work for read-only administrators.

934644

When the FortiGate is in conserve mode, the node process (GUI management) may not release memory properly, causing entry-level devices to stay in conserve mode.

961796

When administrator GUI access (HTTPS) is enabled on SD-WAN member interfaces, the GUI may not be accessible on the SD-WAN interface due to incorrect routing of the response packet.

Workaround: access the GUI using another internal interface that is not part of an SD-WAN link.

973432

When editing an SD-WAN rule with more than one destination, some destinations are automatically removed.

Hyperscale

Bug ID

Description

817562

NPD/LPMD cannot differentiate the different VRFs, and considers all VRFs as 0.

896203

The parse error, NPD-0:NPD PARSE ADDR GRP gmail.com MEMBER ERR, appears after rebooting the system.

936747

Connections per second (CPS) performance of SIP sessions accepted by hyperscale firewall policies with EIM and EIF disabled that include overload with port block allocation (PBA) GCN IP pools is lower than expected.

Workaround: enter the following command for each NP7 processor to resolve the performance issue.

# diagnose npu np7 setreg <npu_#> nss.nss_thrd_ctrl.thrd_ctrl 0xF

Where <npu_#> is the NP7 processor number. NP7 processors are numbered 0, 1, 2, and so on.

The configuration changes from entering these diagnose commands are reset if the FortiGate restarts. After a system restart, just re-enter the diagnose commands.

949188

ICMP reply packets are dropped by FortiOS in a NAT64 hyperscale policy.

IPsec VPN

Bug ID

Description

852051

Unexpected condition in IPsec engine on SoC4 platforms leads to intermittent IPsec VPN operation.

Log & Report

Bug ID

Description

960661

FortiAnalyzer report is not available to view for the secondary unit in the HA cluster on the Log & Report > Reports page.

Workaround: view the report directly in FortiAnalyzer.

965247

FortiGate syslog format in reliable transport mode is not compliant with RFC 6587.

Proxy

Bug ID

Description

790426

An error case occurs in WAD while redirecting the web filter HTTPS sessions.

845361

A rare error condition occurred in WAD caused by compounded SMB2 requests.

954104

An error case occurs in WAD when it gets the external authenticated users from other daemons.

Routing

Bug ID

Description

903444

The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel.

949623

DNS over TCP does not work when interface-select-method is set to sdwan in the DNS setting, and the corresponding SD-WAN rule is restricted to the TCP protocol only.

Workaround: change the DNS method to auto instead of sdwan. This will stop prioritizing DNS traffic based on the SD-WAN rule.

config system dns
    set interface-select-method auto
end

Another workaround is to not restrict the SD-WAN rule to the TCP protocol.

config system sdwan
    config service
        edit <id>
            unset protocol
        next
    end
end

Security Fabric

Bug ID

Description

902344

When there are over 30 downstream FortiGates in the Security Fabric, the root FortiGate's GUI may experience slowness when loading the Fabric Management page and prevent the user from upgrading firmware in the GUI.

Workaround: perform the firmware upgrade in the CLI. To perform the firmware upgrade using the GUI, temporarily disable the Security Fabric on the root FortiGate.

SSL VPN

Bug ID

Description

933985

FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices.

947210

Multiple instances of *** code requested backtrace *** for SSL VPN daemon observed during a graceful upgrade (on FG-6000F).

System

Bug ID

Description

861962

When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.

899279

NP7 did not offload jumbo packets, but NPU INFO: offload=9/9 is shown in the console output.

912383

FGR-70F and FGR-70F-3G4G failed to perform the regular reboot process (using the execute reboot command) with an SD card inserted.

921134

GUI is inaccessible when using a SHA1 certificate as admin-server-cert.

931299

When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records.

937982

High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory.

939110

DHCP server on LAN interface is lost after rebooting or restoring the configuration file.

942502

Unexpected behavior occurred in the kernel when creating EMAC VLAN interfaces based on an aggregate interface with the new kernel 4.1.9.

948322

After deauthorizing a downstream FortiGate from the System > Firmware & Registration page, the page may appear to be stuck loading.

Workaround: perform a full page refresh to allow the page to load again.

948448

A super_admin administrator is unable to log in after restoring the VDOM configuration on the admin VDOM and rebooting the FortiGate.

Upgrade

Bug ID

Description

925567

When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path.

User & Authentication

Bug ID

Description

823884

When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

884462

NTLM authentication does not work with Chrome.

949699

Administrator single sign-on login with SAML does not work after upgrading the firmware to 7.4.1 due to the SAML entity-id field being incorrectly reset to empty.

Workaround: manually configure the entity-id field in the CLI to match with the previously working configuration.

config system saml
    set entity-id <string>
end

WiFi Controller

Bug ID

Description

814541

When there is an extra large number of managed FortiAP devices (over 500) and a large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

869978

CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled.

903922

Physical and logical topology is slow to load when there are many managed FortiAPs (over 50). This issue does not impact FortiAP management and operation.

944465

On the WiFi & Switch Controller > Managed FortiAPs page of a non-management VDOM, the Register button is unavailable in the Device Registration pane.

946796

The eap_proxy daemon may keep reloading randomly due to failing to bind a port. This will cause an IKE and WiFi authentication failure.

Workaround: stop sflowd.

ZTNA

Bug ID

Description

819987

SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting.
