Known issues
The following issues have been identified in version 7.4.1. To inquire about a particular bug or report a bug, please contact Customer Service & Support.
Firewall
Bug ID | Description |
---|---|
948393 | Policy lookup should not get result with |
951984 | The best output route may not be found for local out DNAT traffic. |
953921 | GUI does not display the configured parameters for traffic shaping policies when editing a policy with an SD-WAN zone. |
967205 | Changing the destination in the policy replaces applied services with service, ALL. |
FortiGate 6000 and 7000 platforms
Bug ID | Description |
---|---|
790464 | Existing ARP entries are removed from all slots when an ARP query of a single slot does not respond. |
885205 | IPv6 ECMP is not supported for the FortiGate 6000F and 7000E platforms. IPv6 ECMP is supported for the FortiGate 7000F platform. |
887946 | UTM traffic is blocked by an FGSP configuration with asymmetric routing. |
891642 | FortiGate 6000 and 7000 platforms do not support managing FortiSwitch devices over FortiLink. |
896758 | Virtual clustering is not supported by FortiGate 6000 and 7000 platforms. |
905450 | SNMP walk failed to get the BGP routing information. |
907140 | Authenticated users are not synchronized to the secondary FortiGate 6000 or 7000 chassis when the secondary chassis joins a primary chassis to form an FGCP cluster. |
907695 | The FortiGate 6000 and 7000 platforms do not support IPsec VPN over a loopback interface or an NPU inter-VDOM link interface. |
910824 | On the FortiGate 7000F platform, fragmented IPv6 ICMP traffic is not load balanced correctly when the |
910883 | The FortiGate 6000s or 7000s in an FGSP cluster may load balance FTP data sessions to different FPCs or FPMs. This can cause delays while the affected FortiGate 6000 or 7000 re-installs the sessions on the correct FPC or FPM. |
911244 | FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs. |
937879 | FortiGate-7000F chassis with FIM-7941Fs cannot load balance fragmented IPv6 TCP and UDP traffic. Instead, fragmented IPv6 TCP and UDP traffic received by the FIM-7941F interfaces is sent directly to the primary FPM, bypassing the NP7 load balancers. IPv6 ICMP fragmented traffic load balancing works as expected. Load balancing fragmented IPv6 TCP and UDP traffic works as expected in FortiGate-7000F chassis with FIM-7921Fs. |
954862 | Graceful upgrade from 7.0.12 to 7.2.6 or 7.2.7, or from 7.0.12 to 7.4.2 or 7.4.3 will fail on the FortiGate 6501F/6500F, FortiGate 7060E with slot6 occupied, and FortiGate 7121F with slot12 occupied. Workaround: Disable uninterruptible-upgrade before performing the firmware upgrade: `config system ha`, `set uninterruptible-upgrade disable`, `end`. Note that traffic will be interrupted for 15 to 45 minutes, depending on the size of the configurations. |
973407 | FIM installed NPU session causes the SSE to get stuck. |
FortiView
Bug ID | Description |
---|---|
941521 | On the FortiView Web Sites page, the Category filter does not work in the Japanese GUI. |
GUI
Bug ID | Description |
---|---|
848660 | Read-only administrator may encounter a Maximum number of monitored interfaces reached error when viewing an interface bandwidth widget for an interface that does not have the monitor bandwidth feature enabled. Workaround: super_admin users can enable the monitor bandwidth feature on the interface first, then the widget can work for read-only administrators. |
934644 | When the FortiGate is in conserve mode, node process (GUI management) may not release memory properly causing entry-level devices to stay in conserve mode. |
961796 | When administrator GUI access (HTTPS) is enabled on SD-WAN member interfaces, the GUI may not be accessible on the SD-WAN interface due to incorrect routing of the response packet. Workaround: access the GUI using another internal interface that is not part of an SD-WAN link. |
973432 | When editing an SD-WAN rule with more than one destination, some destinations are automatically removed. |
Hyperscale
Bug ID | Description |
---|---|
817562 | NPD/LPMD cannot differentiate the different VRFs, and considers all VRFs as 0. |
896203 | The parse error, |
936747 | Connections per second (CPS) performance of SIP sessions accepted by hyperscale firewall policies with EIM and EIF disabled that include overload with port block allocation (PBA) GCN IP pools is lower than expected. Workaround: enter the following command for each NP7 processor to resolve the performance issue. `# diagnose npu np7 setreg <npu_#> nss.nss_thrd_ctrl.thrd_ctrl 0xF` Where The configuration changes from entering these diagnose commands are reset if the FortiGate restarts. After a system restart, just re-enter the diagnose commands. |
949188 | ICMP reply packets are dropped by FortiOS in a NAT64 hyperscale policy. |
IPsec VPN
Bug ID | Description |
---|---|
852051 | Unexpected condition in IPsec engine on SoC4 platforms leads to intermittent IPsec VPN operation. |
Log & Report
Bug ID | Description |
---|---|
960661 | FortiAnalyzer report is not available to view for the secondary unit in the HA cluster on the Log & Report > Reports page. Workaround: view the report directly in FortiAnalyzer. |
965247 | FortiGate syslog format in reliable transport mode is not compliant with RFC 6587. |
Proxy
Bug ID | Description |
---|---|
790426 | An error case occurs in WAD while redirecting the web filter HTTPS sessions. |
845361 | A rare error condition occurred in WAD caused by compounded SMB2 requests. |
954104 | An error case occurs in WAD when it gets the external authenticated users from other daemons. |
Routing
Bug ID | Description |
---|---|
903444 | The |
949623 | DNS over TCP does not work when Workaround: change the DNS method to `config system dns`, `set interface-select-method auto`, `end` Another workaround is to not restrict the SD-WAN rule to the TCP protocol. `config system sdwan`, `config service`, `edit <id>`, `unset protocol`, `next`, `end`, `end` |
Security Fabric
Bug ID | Description |
---|---|
902344 | When there are over 30 downstream FortiGates in the Security Fabric, the root FortiGate's GUI may experience slowness when loading the Fabric Management page and prevent the user from upgrading firmware in the GUI. Workaround: perform the firmware upgrade in the CLI. To perform the firmware upgrade using the GUI, temporarily disable the Security Fabric on the root FortiGate. |
SSL VPN
Bug ID | Description |
---|---|
933985 | FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices. |
947210 | Multiple instances of |
System
Bug ID | Description |
---|---|
861962 | When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE. |
899279 | NP7 did not offload jumbo packet, but get |
912383 | FGR-70F and FGR-70F-3G4G failed to perform regular reboot process (using |
921134 | GUI is inaccessible when using a SHA1 certificate as |
931299 | When the URL filter requests the FortiGuard (FGD) rating server address using DNS, it will try to get both A (IPv4) and AAAA (IPv6) records. |
937982 | High CPU usage might be observed on entry-level FortiGates if the cache size reaches 10% of the system memory. |
939110 | DHCP server on LAN interface is lost after rebooting or restoring the configuration file. |
942502 | Unexpected behavior occurred in the kernel when creating EMAC VLAN interfaces based on an aggregate interface with the new kernel 4.1.9. |
948322 | After deauthorizing a downstream FortiGate from the System > Firmware & Registration page, the page may appear to be stuck loading. Workaround: perform a full page refresh to allow the page to load again. |
948448 | A super_admin administrator is unable to log in after restoring the VDOM configuration on the admin VDOM and rebooting the FortiGate. |
Upgrade
Bug ID | Description |
---|---|
925567 | When upgrading multiple firmware versions in the GUI, the Follow upgrade path option does not respect the recommended upgrade path. |
User & Authentication
Bug ID | Description |
---|---|
823884 | When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to. |
884462 | NTLM authentication does not work with Chrome. |
949699 | Administrator single sign-on login with SAML does not work after upgrading the firmware 7.4.1 due to the SAML Workaround: manually configure the `config system saml`, `set entity-id <string>`, `end` |
WiFi Controller
Bug ID | Description |
---|---|
814541 | When there is an extra large number of managed FortiAP devices (over 500) and a large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation. |
869978 | CAPWAP tunnel traffic over tunnel SSID is dropped when offloading is enabled. |
903922 | Physical and logical topology is slow to load when there are a lot of managed FortiAPs (over 50). This issue does not impact FortiAP management and operation. |
944465 | On the WiFi & Switch Controller > Managed FortiAPs page of a non-management VDOM, the Register button is unavailable in the Device Registration pane. |
946796 | The eap_proxy daemon may keep reloading randomly due to failing to bind a port. This will cause an IKE and WiFi authentication failure. Workaround: stop sflowd. |
ZTNA
Bug ID | Description |
---|---|
819987 | SMB drive mapping made through a ZTNA access proxy is inaccessible after rebooting. |