Fortinet black logo

Resolved issues

Resolved issues

The following issues have been fixed in version 7.4.1. To inquire about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID

Description

857718

Return Email DNS Check in the email filter profile is case sensitive.

870052

Error condition in scanunitd occurs when email filter profile and proxy inspection are applied to a firewall policy.

Anti Virus

Bug ID

Description

908706

On the Security Profiles > AntiVirus page, a VDOM administrator with a custom administrator profile cannot create or modify an antivirus profile belonging to the VDOM.

911332

When UTM status is enabled and the AV profile has no configuration, all SLL traffic is dropped and there is no WAD output.

923883

The FortiGate may display an error log in the crash log due to AV delta update. In case of failure, a full successful AV update is done.

Application Control

Bug ID

Description

913529

The firewall policy dialog should show the no-inspection profile and the warning should be consistent with the policy list.

939565

can not query meta rules list seen on graceful/non-graceful upgrade.

Data Loss Prevention

Bug ID

Description

911291

The FortiGate does not parse the entries of the sensor from DLP signature package properly, and therefore cannot block files matching a sensor as expected.

914533

The DLP sensor does not block EXE files.

DNS Filter

Bug ID

Description

907365

DNS proxy caches DNS responses with only one CNAME record.

931998

DNS filter flow external domain AAAA query can still check the default category but not the remote category.

Endpoint Control

Bug ID

Description

808737

FortiOS should pull new avatar API from EMS and handle the avatar status on the FortiGate.

933819

Two FortiGates deregistered from EMS on special build 8844.

Explicit Proxy

Bug ID

Description

817582

When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

859693

Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have established. Traffic is not impacted.

866316

Explicit web proxy fails to forward HTTPS request to a Squid forward server when certificate inspection is applied.

889300

Wrong source IP address used for packets through explicit proxy routed to a member of SD-WAN interface.

890776

The GUI-explicit-proxy setting on the System > Feature Visibility page is not retained after a FortiGate reboot or upgrade.

908989

The Enabled On should display the listening interfaces rather than None in explicit proxy policy on the GUI.

909328

Forward matching is applied to check the group name for SAML Authentication with Proxy Policy.

923302

Cannot send picture through web explicit proxy.

Firewall

Bug ID

Description

708229

ACL feature is incorrectly dropping fragmented UDP packets.

843554

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

847715

A VIP group having members of the FQDN and static NAT VIP types cannot be created using the GUI (Policy & Objects > Virtual IPs page).

861981

Traffic drops between two back-to-back EMAC VLAN interfaces.

872312

Unable to add more MAC addresses once the MAC address group object for a VWP policy referenced.

895946

Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.

898938

NAT64 does not recover when the interface changes.

907763

The diffserv-copy option in the config firewall policy command cannot be configured.

909763

Wrong TOS field value in NetFlow report when there is no traffic.

910068

On the Policy & Objects > Firewall Policy page, if any of the interface names contain a space, the page does not load when Interface Pair View is selected.

912089

Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector.

912740

On a FortiGate managed by FortiManager, after upgrading to 7.4.0, the Firewall Policy list may show separate sequence grouping for each policy because the global-label is updated to be unique for each policy.

914939

UDP fragments dropped due to DF being set. Only the set honor-df global option.

917495

When editing a VLAN ID, the FortiGate deletes firewall policies but does not recreate them again if the interface is in a zone.

919418

On the Policy & Objects > Firewall Policy page, when the interface name used in a virtual wire pair is a substring of interfaces used in a firewall policy, such policies are not displayed. For example, if a virtual wire pair consists of interfaces port1 and port2, firewall policies with port10, port11, port21, port22 are not displayed.

926029

New sessions are created and evaluated after a certain number of UDP packets, even if set block-session-timer 300 is set.

928896

set fixedport enable in a firewall policy does not preserve the source port for SNAT with IP pool.

929138

The Edit Address page does not load if the address name contains has special characters ([ ]).

935034

The clock skew tolerance is not reflected.

FortiGate 6000 and 7000 platforms

Bug ID

Description

758078

After system synchronization, primary blades' reboot command did not take effect on the secondaries.

888310

The FortiGate 6000 or 7000 front panel does not appear on the Network > Interfaces and System > HA GUI pages.

888447

In some cases, the FortiGate 7000F platform cannot correctly reassemble fragmented packets.

888873, 909160

The FortiGate 7000E and 7000F platforms do not support GTP and PFCP load balancing.

891430

The FortiGate 6000 and 7000 System Information dashboard widget incorrectly displays the management board or primary FIM serial number instead of the chassis serial number. Use get system status to view the chassis serial number.

896333

The diagnose span-sniffer packet CLI command does not work on SLBC platforms.

897629

The FortiGate 6000 and 7000 platforms do not support EMAC VLANs.

899905

Adding a FortiAnalyzer to a FortiGate 6000 or 7000 Security Fabric configuration from the FortiOS GUI is not supported.

902545

Unable to select a management interface LAG to be the direct SLBC logging interface.

905692

On a FortiGate 6000 or 7000, the active worker count returned by the output of diagnose sys ha dump-by group can be incorrect after an FPC or FPM goes down.

905788

Unable to select a management interface LAG to be the FGSP session synchronization interface.

906481

FortiGate 6000 GUI becomes unresponsive, and may work sometimes after a reboot.

908576

On a FortiGate 7000F, after a new FPM becomes the primary FPM, IPsec VPN dynamic routes are not synchronized to the new primary FPM.

908674

Sessions for IPsec dialup tunnels that are configured to be handled by a specific FPC or FPM may be incorrectly sent to a different FPC or FPM, resulting in traffic being blocked.

910095

FGCP session synchronization may not synchronize all sessions on FortiGate 6000 and 7000 models.

913040

Multiple IP pools in SSL VPN is not supported.

918795

An uncertified warning appears only on the secondary chassis' FIM02 and FPMs.

921452

After an SNMP HA failover, the SNMP trap continues to work.

933541

IPV4 DNS/ICMP fragment traffic testing issues even when ip-reassembly diabled on the NPU.

FortiView

Bug ID

Description

808384

Real-time FortiView Traffic Shaping monitor shows 0 bandwidth for active FTP traffic.

894957

On FortiView Websites, the real time view is always empty if disk logging is disabled.

920241

GUI shows Failed to retrieve FortiView data while accessing FortiView Sources and FortiView Destination.

GUI

Bug ID

Description

562570

System > FortiGuard page's License Information table does not show the updated IPS engine version.

825598

The FortiGate may display a false alarm message TypeError [ERR_INVALID_URL]: Invalid URL in the crashlog for the node process. This error does not affect the operation of the GUI.

857464

The CPU and Sessions widgets report the current numbers at the wrong places for most time periods.

863126

In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details.

892364

Incorrect interface is being selected in the SD-WAN Rules GUI page, but the correct one is displayed in the CLI.

894499

The FortiGate GUI displays only the most recent 100 entries on CRL view.

897004

On rare occasions, the GUI may display blank pages when the user navigates from one menu to another if there is a managed FortiSwitch present.

898386

Browser returns a blank page after logging in to the GUI with an IPv6 address.

898902

In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

903856

When using configuration save mode with VDOMs, the GUI still shows unsaved changes after another administrator commits their changes with SSH.

905200

When logged in to the GUI of a non-management VDOM and trying to complete the Migrate Config with FortiConverter step in the startup menu, the page does not update and the loading spinner is stuck.

905795

Random FortiSwitch is shown as offline on the GUI when it is actually online.

914176

GUI should allow user to skip the Migration Config with FortiConverter step without having to wait for a server connection.

920881

Improve the policy list performance.

930960

GUI pages that use the security rating fail to load on an iPhone.

HA

Bug ID

Description

703614

HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration.

771316

Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports.

858683

FortiGate in A-P HA mode with admin-restrict-local enabled allows the local administrator to log in to the passive host, even if LDAP is available.

893041

Cannot access out-of-band IPv6 address on HA secondary unit.

901292

When entering the psksecret under config system standalone-cluster, no verifications are done against the password policy IPsec preshared key.

904318

FortiGate sent ARP request with loopback IP address as the source address.

906036

Secondary blade hostname and mgmt1 IP were changed after a restored configuration on the primary blade.

906367

When upgrading a cluster of four FortiGate 2200E devices, each secondary forms a cluster with the primary only and causes an outage.

908062

FortiGate VM Azure HA cluster goes out-of-sync due to dynamic firewall address type.

912665

FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev.

916216

When adding a new interface, some other interfaces have the wrong virtual MAC address.

916286

The execute ha failover set <vcluster number> command only support two vclusters, even when mutiple vclusters exist.

916903, 919982, 922867

When an HA management interface is configured, the GUI may not show the last interface entry in config system interface on several pages, such as the interface list, policy list, address list, and DNS servers page. This is a GUI-only display issue and does not impact the underlying operation of the affected interface.

919005

Heartbeat packet loss issue at random times.

920233

The System > HA page is missing from the GUI on 5K models.

922435

Interfaces for the root VDOM are displayed in the GUI when different VDOM is selected on the HA secondary.

929486

When Configuration save mode is set to Manual, any firewall policy change will make the cluster out-of-sync.

931724

HA events not synchronizing between members, leading to unexpected HA status.

931965

Do not automatically enable LLDP transmission on an HA management port with LLDP reception enabled.

935448

Hardware session synchronization is showing as out-of-sync on primary and secondary.

Hyperscale

Bug ID

Description

832924

Timeouts occur when accessing the Migros Bank e-banking application and https://www.gs***.ch/ when the session is offloaded.

854933

The IPv6 neighbor cache configuration is missing after executing a reboot or flush command.

915796

With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic.

919977

First-time HA failover after upgrading causes long service interruption to NAT44.

920405

Problem with synchronizing a high amount of routes to NP7 for hyperscale firewall.

924196

Device is rebooting randomly when driver processes exception packets.

932317

Hyperscale firewall creates a separate session and uses a different source port for IP fragment packets.

933063

LPM daemon is being killed.

Intrusion Prevention

Bug ID

Description

810783

The number of IPS sessions is higher than kernel sessions, which causes the FortiGate to enter conserve mode.

823583

Failover on clustered web application using keepalived daemon does not work seamlessly.

860315

Unexpected behavior in IPS engine when executing diagnose test application ipsmonitor 44.

862830

[?Q?ci_" sekret=] causes the parser to create a new field, "sekret=".

874877

IPS engines do not release memory after stopping traffic more than one hour.

882593

HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair.

886685

IPS daemon usage issue when notifying device vulnerability information to WAD.

892302

Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table.

923393

IPS logs show incorrect source and destination IP addresses and policy IDs, and the ports are zeros.

926639

Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table.

IPsec VPN

Bug ID

Description

664828

L2TP VPN not working when offloading is enabled.

780297

IKE debug log filtering functionality exhibits inaccuracies, resulting in the possibility of displaying unmatched logs when filters are set.

803010

The vpn-id-ipip encapsulated IPsec tunnel with npu-offload cannot be reached with IPv6.

872769

Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted.

883138

VM running FIPS cipher mode does not show AES-CBC ciphers when configuring IPsec in the GUI.

885333

Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped.

898757

Support IKEv2 split DNS mode-cfg (RFC 8598).

898872

IPsec performance drops after upgrade on AWS.

898961

diagnose traffictest issues with dynamic IP addresses and loopback interfaces.

920725

IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading.

921691

In FGSP, IKE routes are not removed from the kernel when secondary-add-ipsec-routes is disabled.

926048

Traffic through a shortcut got dropped after an HA failover.

Log & Report

Bug ID

Description

831441

The forward traffic log show exabytes of data being sent and received from external to external IP addresses in multiple VDOMs.

839934

Destination interface in traffic log does not match the SD-WAN quality description in the log details.

860822

When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

881262

When a session starts on one interface and refreshes after a policy or routing change to use a new interface, information displayed in the logs is not updated properly.

902797

IPS alert email not being sent when IPS attack event has triggered.

906888

Free-style filter not working as defined under config fortianalyzer override-filter.

908856

Traffic log can show exabytes of data sent and received when generating log task is triggered from userspace.

929269

After disabling an event under the event filter, the system events summary page still shows event logs for that event.

929338

Secondary FortiGate log cannot be viewed from primary FortiGate in HA.

932817

Forward traffic log has unexpected symbols in the end for some logs.

Proxy

Bug ID

Description

733258

Support HTTP3 for web proxy and ZTNA web service.

783549, 902613, 921247

An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled.

820096

CPU usage issue in proxyd caused by the absence of TCP teardown.

863132

Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices.

897347

Memory usage issue caused by the WAD user info process while authenticating the LDAP users.

899358

Proxy-based deep inspection connection issue occurs.

904386

Unable to upload file to the application server in server-load-balance setup.

912116

Website (li***.cz) is not working in proxy inspection mode with deep inspection and web filter applied.

922286

WAD traffic to globalvideoquery.fortinet.net does not follow the FortiGuard interface-select-mode.

932487

Memory usage issue caused by the WAD while using the access proxy.

934547

FortiGate is not sending the certificate chain in proxy-based firewall policy mode.

REST API

Bug ID

Description

886012

The MTU value on an interface cannot be set using the interface REST API.

920260

SD-WAN interfaces should be denoted in the interface statistics API.

Routing

Bug ID

Description

775752

link-down-failover does not bring the BGP peering down.

808190

When ip-fragmentation is set to pre-encapsulation, the VPNv4's VRF information cannot pass fragment traffic.

849988

The Network > SD-WAN > SD-WAN Rules page does not show a red exclamation mark for addresses that have dst-negate enabled. This is cosmetic; users can use the CLI to confirm that the address has dst-negate enabled.

888210

On the Network > SD-WAN page, the Performance SLAs tab is slow to load when there is a large number (~4000) of VPN tunnels, and shortcut tunnels created by ADVPN.

890954

The change of an IPv6 route does not mark sessions as dirty nor trigger a route change.

892704

SD-WAN performance SLA statistics on secondary unit's GUI section are not synchronized with the primary and has stale data.

896090

SD-WAN members can be out-of-sla after some retrieve times.

896891

With ICMP asymmetric routing enabled, ICMP local-in/local-out reply packets will still only return through the original path, in order to maintain the ping SLA.

897666

Issue with SD-WAN rule for FortiGuard.

899827

Speed test result is not accurate.

900226

High CPU due to PIMD/NSM and multicast session not being offloaded.

900770

DHCP relay fails after a period of time with SD-WAN.

900941

config redistribute routing subsections cannot be configured when in workspace mode.

907386

BGP neighbor group configured with password is not working as expected.

909835

Search broken on SD-WAN Rules tab's Source/Destination omniselect.

910656

Router information in the BGP summary still shows removed BGP neighbor/peer configuration.

913338

FortiGate removing SD-WAN routes when network address is specified as the gateway of an SD-WAN member.

914497

SD-WAN rules list in the GUI should show the interface members in priority order instead of alphabetical order.

914815

FortiGate 40F-3G4G not adding LTE dynamic route to route table.

922491

Static routes are installed on hub FortiGate with add-route disabled in ADVPN scenario.

924940

When there are a lot of policies (several thousands), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load.

930749

IPv6 traffic was no longer forwarded according to route list and neighbor-cache list after upgrading from 7.2.4 to 7.2.5.

934803

Synchronized kernel VPNv4 routes are not used in an HA failover.

Security Fabric

Bug ID

Description

862424

On a FortiGate that has large tables (over 1000 firewall policies, address, or other tables), security rating reports may cause the FortiGate to go into conserve mode.

874822

In a configuration with a connected FortiAP-U, the FortiAP & FortiAP-S & FortiAP-W2 & FortiAP-U Command Injection in CLI security rating test fails and suggests an upgrade to 7.0.4, even though the FortiAP is on the latest version (7.0.0).

876422

After adding a 20 MB blocklist file, a FortiGate with 2 GB RAM goes to conserve mode when viewing the Security Fabric > External Connectors page.

876588

External Connectors can cause a FortiGate internal error when the configuration name has invalid characters.

907172

Automation stitch with FortiDeceptor Fabric connector event trigger cannot be triggered.

907819

Advanced GCP connector does not resolve if one element does not exists.

912592

Allow comments and IP addresses to be on the same line for external IP address threat feeds.

912917

Send Fabric API calls with pagination filter.

917024

Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric.

918230

Threat feeds with name starting with "g-" are not allowed on non-VDOM FortiGate.

922896

Azure SDN connector always uses HA management port for DNS resolve. This might not work on premises where the HA management port does not have a public IP address assigned.

926202

Unable to authorize downstream FortiGate with the Security Fabric after upgrade.

935846

Adding a real device to autolink to a serial number model device results in an error.

SSL VPN

Bug ID

Description

719740

The No SSL-VPN policies exist warning is displayed when an SSL VPN zone having an SSL VPN tunnel interface is used in a policy. The warning can be ignored; it does not affect the SSL VPN functionality.

822657

Internal resource pages and menus are not showing correctly in web mode.

830068

SSL VPN stops listening on IPv6 interface after a reboot.

833934

SSL VPN fails to connect to graph.microsoft.com when doing Azure auto-login.

835014

Webpage keeps loading when customer accesses an internal webpage in the SSL VPN web portal.

843756

Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode.

845817

Jira application is not loading properly when connecting through SSL VPN web mode.

851976

PC cannot get IP from DHCP server due to find duplicate ip and causes the dialup SSL VPN to fail.

854607

In SSL VPN web mode, the page keeps loading after logging in.

859275

Issues with accessing an internal site using SSL VPN web mode and bookmark.

878833

Decrease in download speeds observed for SSL VPN users when over 2000 users are connected.

879329

Destination address of SSL VPN firewall policy may be lost after upgrading when dstaddr is set to all and at least one authentication rule has a portal with split tunneling enabled.

881268

Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel.

883903

FortiGate does not identify users on SSL VPN as 2FA users if the user and token are put together in the same field (concatenated).

884869

Web mode bookmark showing blank page due to JS rewrite.

885978

Some buttons in URL are not working in SSL VPN web mode.

887345

When a user needs to enter credentials through a pop-up window, the key events for modification key detected by SDL were ignored.

887674

FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.

889736

The HPE iLO 5 web server is not able to load properly from the SSL VPN portal.

894704

FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel.

895120

SSL VPN web portal not loading internal web page.

896396

SSL VPN web portal HTTP bookmark forwarded site throws Java error.

896492

When using RDP bookmarks in SSL web mode, some keys stopped working,

897385

Internal website keeps asking for credential with SSL VPN web mode.

897665

The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay.

904919

DHCP option 12 hostname needed for SSL VPN with external DHCP servers.

906756

Update SSL VPN host check logic for unsupported OS.

922446

SSL VPN service over PPPoE interface does not work as expected if the PPPoE interface is configured with config system pppoe-interface.

config system pppoe-interface
    edit <name>
        set device <string> 
        set username <string>
        set password <password>
    next
end

config vpn ssl settings
    set source-interface <PPPoE_interface_name>
end

This issue is also observed on VNE tunnel configurations.

926612

The SSL VPN log shows users having been disconnected from SSL VPN for unknown reason.

927475

SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out.

929001

An invalid user name entered in FortiClient could cause two factor PKI user login to crash sslvpnd after the client certificate checking passed.

930275

Firewall policy is not allowing the all destination address with a split-tunneling portal.

Switch Controller

Bug ID

Description

848632

Upon upgrade, the link to FortiSwitch stays down with QSFP.

861227

On the WiFi & Switch Controller > FortiSwitch Ports page, the Device Information column lists the same device multiple times.

893405

One discovery one transmit buffer was allocated and was not released on connection terminations.

902338

WiFi & Switch Controller > FortiSwitch Ports page does not show VLANs exported to another tenant VDOM, which results in the VLAN being removed if saved from the GUI.

904640

When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device data from the port that results in an unexpected number of detected device MACs for the port. Using diagnose switch-controller mac-cache show to check the device data can result in the Device Information column being blank on the WiFi & Switch Controller > FortiSwitch Ports page or in the Assets widget.

911232

Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.

920231

FortiGate loses QoS ip-dscp-map configuration after reboot.

936081

The vlan-optimization {enable | disable} and vlan-all-mode all configuration options disappear after upgrade or reboot.

System

Bug ID

Description

656138

GUI shows conflicts error message when configuring a secondary IP address after allow-subnet-overlap is enabled.

708964

CPU usage issue is observed caused by reloading the system when the system has cfg-save set to revert.

713951

Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

766834

High memory usage caused by downloading a large CRL list.

801481

Download speed issue through WAN configured with PPPoE on FortiGate.

802932

CPU usage issue caused by clearing BGP dampened prefixes.

816579

User loses GUI/SSH access on FG-1500D while running one-arm sniffer.

820559

When backing up the configuration to a USB disk, if the file name is the same as specified under System > Settings > Start Up Settings > USB auto-install, an Invalid file name error is displayed.

828557

FortiGate as DHCP relay is not showing a DHCP decline in the debugs when there is an IP conflict in the network.

836748

FG-100F fails to boot when FortiOS image binary is larger than 94 MB.

842159

FortiGate 200F interfaces stop passing traffic after some time.

845079

DAC cable support is unstable on the FortiGate 1101E.

855515

Hardware csum failure message keeps repeating on Azure 7.0.8.

855573

False alarm of the PSU2 occurs with only one installed.

866437

CPU usage issue caused by the new Linux kernel.

867663

The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE.

869726

When an IPsec tunnel is configured with a different VRF than the underlying physical interface, and traffic is offloaded, the session expires even when traffic is flowing through it.

873391

If the FortiGate is added to FortiManager using the IPv6 address and tunnel is down for some reason, the FortiGate will not reconnect to FortiManager since fmg under system central-management is not set properly.

879769

If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

881060

Host TX dropped counter incrementing and connections failing when throughput reaches 40 Gbps.

884023

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

885057

Add 100G speed option on the FortiGate 1800F.

885823

Sensor showing temperature of 0.00 Celsius.

885837

Traffic dropped as the matching SessionID is being deleted from session table in 20 seconds.

887940

Status light is not showing on the FortiGate 60F or 100F after a cold and warm reboot.

893305

Interface could not be brought up if it was part of a virtual switch.

894202

Incorrect temperature calculation appears in sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE.

895967

FortiGate 1801F in transparent mode cannot reply to an SNMP query.

897905

IPv6 addresses configured on EMAC VLAN interfaces showing FTP flag after upgrade.

900670

QSFP/QSFP+ port23/port24 are down after upgrading to 7.0.11 on FG-3401E.

903049

execute sensor list has blank lines in output.

903362

SNMP OID, fgFwPolLastUsed (1.3.6.1.4.1.12356.101.5.1.2.1.1.4), does not show the correct information about the last time a specific policy was used.

904414

Port speed 1000auto could not link up with a Cisco switch.

904485

The crashlog might show a Node.JS restarted error, Failed to fetch web-ui.node-exports: Error: connect ECONNREFUSED, if the HTTPSD is being killed during conserve mode, stuck in some API calls, or slow response during system super busy.

904486

The FortiGate may display a false alarm message and subsequently initiate a reboot.

907339

dnsproxy process aborts due to stack buffer overflow being detected upon function return.

909345

An error condition occurs caused by receiving ICMP redirect messages.

910269

Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low.

910273

Last reboot reason: power cycle after rebooting due to a kernel panic is misleading.

910616

When a non-zero DSCP copied from ingress to egress packet for NAT64, the IP checksum is calculated incorrectly.

910677

Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager.

911396

High system CPU and multiple daemons enter D state on the FortiGate 4401F.

911906

Enable auto-upgrade by default on the FortiGate 40F and 40G.

913732

Without any traffic, memory usage of FG-1800F keeps increasing slowly over time.

917029

DNS does not respond to short name queries.

917827

Delay sending LACPDU in kernel 4.19.

919901

For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.

920085

CPU usage issue observed in dnsproxyd caused by unused wildcard FQDN.

922920

When performing factoryreset2, the IP addresses on "a" and "b" are set to default.

922965

CPU usage issue observed in hasync daemon when session count is large.

922982

FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC.

923364

System goes into halt state with Error: Package validation failed... message in cases where there are no engine files in the FortiGate when the BIOS security level is set to 2.

923834

The DSL modem on the firewall does not work after the device starts.

924395

IPv6 local-in ping6 to management interface failed when newly configured.

925657

After a manual system administrator password change, the updated password-expire is not received by the FortiManager auto-update.

925966

Running diagnose sniffer filter with blank or empty quotation marks ("" or " ") is not working.

926035

On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot.

926817

Review the temperature sensor for the SoC4 system.

928858

Traffic over vpn-id-ipip tunnel is blocked when npu-offload is disabled in the VPN phase1 interface and the policy has UTM enabled.

929135

Interactive CLI commands, like purge, cannot be cut and pasted into the console and exits the script. The purge command in a console puTTy session stops and waits for a y confirmation.

929821

An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively.

931167

IPv6 suffixes configured on an interface are not reflected after a reboot.

933277

The npu-vdom-link cannot forward the traffic after the first two packets.

934708

The cmdbsvr could not secure the var_zone lock due to another process holding it indefinitely.

935562

NAT port is out of range, causing the PBA index to be out of range.

938981

The virtual server http-host algorithm is redirecting requests to an unexpected server.

940571

Memory usage issue caused by excessive log files.

943033

Enabling vdom-dns causes the VDOM DNS certificate to be blank instead of the default value.

944581

Checksum on FortiOS is different from md5sum.txt file on the InfoSite when upgrading from previous GA build.

Upgrade

Bug ID

Description

939011

All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy.

User & Authentication

Bug ID

Description

738846

FAS ends up in an endless loop while synching with LDAP due to special character (,) as part of the username.

868481

When the Guest User Print Template is customized in a VDOM, printing the guest user credentials from User & Authentication > Guest Management still uses the default Guest User Print Template.

872814

The SAML assertion is truncated in samld when the payload size is huge.

891068

Guest administration management does not show all groups for multiple VDOMs assigned to a guest administrator account.

896739

SSO administrator configuration breaks with Azure Cloud due to config system saml having a trailing slash in the metadata link.

899852

FortiGate is sending Class(25) AVP with wrong length in RADIUS accounting when using 2FA with PUSH or external tokens.

900591

When generating guest users according to the settings in the guest group, the expiration time of guest users will automatically add an extra two hours.

915192

Device detection sometimes does not identify the correct IP addresses of devices.

922133

Unable to view authorization page on FortiGate pop-up when the pre-login and post-login banner are set on FortiGate while using OAuth authorization.

922345

CA bundle (CRDB) to support DigiCert second-generation (G2) full CA and intermediate CA chain.

923164

EAP proxy daemon may keep reloading after updating the certificate bundle.

929112

RADUIS server dialog in the GUI incorrectly changes the custom RADUIS port to 0.

933622

The FortiGate does not send the user's IP address to the TACACS+ server during an authorization request.

VM

Bug ID

Description

901920

AWS external account list supports regional endpoints.

902816

An error condition occurs after a failover on the HA cluster deployed on an FG-VM64-AZURE.

903798

When send-deny-packet enabled or ident-accept disabled, sending out responding packets (such as TCP RST or ICMP) triggers a restart.

912184

An error condition is observed after deploying an FG-VM64-AZURE in Standard_DS4_v2 size.

913696

In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors.

916027

Copy of files between a physical server and Windows Server is slow.

918818

Traffic drops in FortiGate HA A-A, AutoScale in Azure.

921168

Restore operation overwrite passive configuration in AZURE A-P deployment based on SDN connector.

923061

IPsec tunnels on AWS have TX errors incremented every 30 seconds.

924689

FortiGate VMs in an HA cluster deployed on the Hyper-V platform may get into an unresponsive state where multiple services are impacted: GUI management, CLI commands, SSL VPN sessions, DHCP assignment, traffic throughput, and reboot function.

927323

Event log alert Write Permission Violation to read-only file on VMware after taking snapshot.

928952

VPN errors after upgrade: Malformed Packets, AUTHENTICATION_FAILED messages, and INVALID_KE_PAYLOAD.

930981

FortiGate VM heartbeat authentication failed during the upgrade to 7.2.4 or 7.2.5 when HA authentication and encryption is enabled.

933003

FortiGate-VM KVM with MLX5 not responding to ARP in RHEL environment.

935086

VLAN interface is not reachable on FortiGate-VM running on KVM with SR-IOV interface.

Web Filter

Bug ID

Description

873086

On the Policy & Objects > Security Policy page for a policy-based VDOM, adding an external threat feed category to the URL Category field does not apply the changes.

885222

HTTP session is logged as HTTPS in web filter when VIP is used.

915879

Add web filter categories for artificial intelligence technology (category 100) and Cryptocurrency (category 101).

916140

An error condition occurs in WAD caused by the mismatch between the SNI host and CNAME.

941045

Local rating chooses the wrong category if the URL path falsely matches to a longer local rating URL.

WiFi Controller

Bug ID

Description

873273

The Automatically connect to nearest saved network option does not work as expected when FWF-60E client-mode local radio loses connection.

877609

RADIUS CoA does not work in some cases.

896128

Some 5 GHz weather channels should not be allowed in certain countries.

904349

Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

905406

In auth-logon and auth-logout logs, Wi-Fi users with random public IP addresses are observed.

905789

FortiAP 431G is unable to join AC due to no response to cfg_request.

920189

Intermittent behavior in Hostapd caused by enabling/disabling fast-bss-transition.

921456

FAP-431F is deauthenticating clients after roaming when DHCP enforcement is enabled on the SSID, even when the client gets IP from DHCP.

922838

Usage of the cw_acds process increases and drops the FortiAP connection, which forces the FortiAP to restart in an FSM state when FortiAP settings are changed.

923530

Add support for 6 GHz band for DARRP, wlac -c rf-analysis, and BG scan period.

926676

Enable DFS channels on wtp-profile for FortiAP 431G and FortiAP 433G in region A/S/N(No-Brazil).

926999

An error condition occurred for the EAP proxy while sending the RADIUS Access-Request.

930130

MPSK keys are not loaded completely in the wpad daemon after applying a VAP with an MPSK profile selected on a FortiAP.

931592

CAPWAP offloading does not work with more than 12,000 VAP entries.

937826

An error case occurs in CAPWAP when the SSID interface, which has a VLAN interface over it, is deleted.

938525

Wi-Fi clients failed roaming from one FortiAP to another on the bridge SSID with dynamic VLAN assignment by RADIUS-based MAC authentication.

ZTNA

Bug ID

Description

828433

FortiAuthenticator Cloud zero trust tunnel (ZTNA connection) fails when EMS Fabric connector is configured.

889994

After client device information is updated, the session is closed even though all information from the session still matches the policy.

923804

ZTNA logs are showing the log message Denied: failed to match a proxy-policy when client device information matches the policy.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

911617

FortiOS 7.4.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-37935

918991

FortiOS 7.4.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-36639

919392

FortiOS 7.4.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-36641

Resolved issues

The following issues have been fixed in version 7.4.1. To inquire about a particular bug, please contact Customer Service & Support.

Anti Spam

Bug ID

Description

857718

Return Email DNS Check in the email filter profile is case sensitive.

870052

Error condition in scanunitd occurs when email filter profile and proxy inspection are applied to a firewall policy.

Anti Virus

Bug ID

Description

908706

On the Security Profiles > AntiVirus page, a VDOM administrator with a custom administrator profile cannot create or modify an antivirus profile belonging to the VDOM.

911332

When UTM status is enabled and the AV profile has no configuration, all SLL traffic is dropped and there is no WAD output.

923883

The FortiGate may display an error log in the crash log due to AV delta update. In case of failure, a full successful AV update is done.

Application Control

Bug ID

Description

913529

The firewall policy dialog should show the no-inspection profile and the warning should be consistent with the policy list.

939565

can not query meta rules list seen on graceful/non-graceful upgrade.

Data Loss Prevention

Bug ID

Description

911291

The FortiGate does not parse the entries of the sensor from DLP signature package properly, and therefore cannot block files matching a sensor as expected.

914533

The DLP sensor does not block EXE files.

DNS Filter

Bug ID

Description

907365

DNS proxy caches DNS responses with only one CNAME record.

931998

DNS filter flow external domain AAAA query can still check the default category but not the remote category.

Endpoint Control

Bug ID

Description

808737

FortiOS should pull new avatar API from EMS and handle the avatar status on the FortiGate.

933819

Two FortiGates deregistered from EMS on special build 8844.

Explicit Proxy

Bug ID

Description

817582

When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality.

859693

Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have established. Traffic is not impacted.

866316

Explicit web proxy fails to forward HTTPS request to a Squid forward server when certificate inspection is applied.

889300

Wrong source IP address used for packets through explicit proxy routed to a member of SD-WAN interface.

890776

The GUI-explicit-proxy setting on the System > Feature Visibility page is not retained after a FortiGate reboot or upgrade.

908989

The Enabled On should display the listening interfaces rather than None in explicit proxy policy on the GUI.

909328

Forward matching is applied to check the group name for SAML Authentication with Proxy Policy.

923302

Cannot send picture through web explicit proxy.

Firewall

Bug ID

Description

708229

ACL feature is incorrectly dropping fragmented UDP packets.

843554

If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

847715

A VIP group having members of the FQDN and static NAT VIP types cannot be created using the GUI (Policy & Objects > Virtual IPs page).

861981

Traffic drops between two back-to-back EMAC VLAN interfaces.

872312

Unable to add more MAC addresses once the MAC address group object for a VWP policy referenced.

895946

Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode.

898938

NAT64 does not recover when the interface changes.

907763

The diffserv-copy option in the config firewall policy command cannot be configured.

909763

Wrong TOS field value in NetFlow report when there is no traffic.

910068

On the Policy & Objects > Firewall Policy page, if any of the interface names contain a space, the page does not load when Interface Pair View is selected.

912089

Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector.

912740

On a FortiGate managed by FortiManager, after upgrading to 7.4.0, the Firewall Policy list may show separate sequence grouping for each policy because the global-label is updated to be unique for each policy.

914939

UDP fragments dropped due to DF being set. Only the set honor-df global option.

917495

When editing a VLAN ID, the FortiGate deletes firewall policies but does not recreate them again if the interface is in a zone.

919418

On the Policy & Objects > Firewall Policy page, when the interface name used in a virtual wire pair is a substring of interfaces used in a firewall policy, such policies are not displayed. For example, if a virtual wire pair consists of interfaces port1 and port2, firewall policies with port10, port11, port21, port22 are not displayed.

926029

New sessions are created and evaluated after a certain number of UDP packets, even if set block-session-timer 300 is set.

928896

set fixedport enable in a firewall policy does not preserve the source port for SNAT with IP pool.

929138

The Edit Address page does not load if the address name contains has special characters ([ ]).

935034

The clock skew tolerance is not reflected.

FortiGate 6000 and 7000 platforms

Bug ID

Description

758078

After system synchronization, primary blades' reboot command did not take effect on the secondaries.

888310

The FortiGate 6000 or 7000 front panel does not appear on the Network > Interfaces and System > HA GUI pages.

888447

In some cases, the FortiGate 7000F platform cannot correctly reassemble fragmented packets.

888873, 909160

The FortiGate 7000E and 7000F platforms do not support GTP and PFCP load balancing.

891430

The FortiGate 6000 and 7000 System Information dashboard widget incorrectly displays the management board or primary FIM serial number instead of the chassis serial number. Use get system status to view the chassis serial number.

896333

The diagnose span-sniffer packet CLI command does not work on SLBC platforms.

897629

The FortiGate 6000 and 7000 platforms do not support EMAC VLANs.

899905

Adding a FortiAnalyzer to a FortiGate 6000 or 7000 Security Fabric configuration from the FortiOS GUI is not supported.

902545

Unable to select a management interface LAG to be the direct SLBC logging interface.

905692

On a FortiGate 6000 or 7000, the active worker count returned by the output of diagnose sys ha dump-by group can be incorrect after an FPC or FPM goes down.

905788

Unable to select a management interface LAG to be the FGSP session synchronization interface.

906481

FortiGate 6000 GUI becomes unresponsive, and may work sometimes after a reboot.

908576

On a FortiGate 7000F, after a new FPM becomes the primary FPM, IPsec VPN dynamic routes are not synchronized to the new primary FPM.

908674

Sessions for IPsec dialup tunnels that are configured to be handled by a specific FPC or FPM may be incorrectly sent to a different FPC or FPM, resulting in traffic being blocked.

910095

FGCP session synchronization may not synchronize all sessions on FortiGate 6000 and 7000 models.

913040

Multiple IP pools in SSL VPN is not supported.

918795

An uncertified warning appears only on the secondary chassis' FIM02 and FPMs.

921452

After an SNMP HA failover, the SNMP trap continues to work.

933541

IPV4 DNS/ICMP fragment traffic testing issues even when ip-reassembly diabled on the NPU.

FortiView

Bug ID

Description

808384

Real-time FortiView Traffic Shaping monitor shows 0 bandwidth for active FTP traffic.

894957

On FortiView Websites, the real time view is always empty if disk logging is disabled.

920241

GUI shows Failed to retrieve FortiView data while accessing FortiView Sources and FortiView Destination.

GUI

Bug ID

Description

562570

System > FortiGuard page's License Information table does not show the updated IPS engine version.

825598

The FortiGate may display a false alarm message TypeError [ERR_INVALID_URL]: Invalid URL in the crashlog for the node process. This error does not affect the operation of the GUI.

857464

The CPU and Sessions widgets report the current numbers at the wrong places for most time periods.

863126

In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details.

892364

Incorrect interface is being selected in the SD-WAN Rules GUI page, but the correct one is displayed in the CLI.

894499

The FortiGate GUI displays only the most recent 100 entries on CRL view.

897004

On rare occasions, the GUI may display blank pages when the user navigates from one menu to another if there is a managed FortiSwitch present.

898386

Browser returns a blank page after logging in to the GUI with an IPv6 address.

898902

In the System > Administrators dialog, when there are a lot of VDOMs (over 200), the dialog can take more than one minute to load the Two-factor Authentication toggle. This issue does not affect configuring other settings in the dialog.

903856

When using configuration save mode with VDOMs, the GUI still shows unsaved changes after another administrator commits their changes with SSH.

905200

When logged in to the GUI of a non-management VDOM and trying to complete the Migrate Config with FortiConverter step in the startup menu, the page does not update and the loading spinner is stuck.

905795

Random FortiSwitch is shown as offline on the GUI when it is actually online.

914176

GUI should allow user to skip the Migration Config with FortiConverter step without having to wait for a server connection.

920881

Improve the policy list performance.

930960

GUI pages that use the security rating fail to load on an iPhone.

HA

Bug ID

Description

703614

HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration.

771316

Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports.

858683

FortiGate in A-P HA mode with admin-restrict-local enabled allows the local administrator to log in to the passive host, even if LDAP is available.

893041

Cannot access out-of-band IPv6 address on HA secondary unit.

901292

When entering the psksecret under config system standalone-cluster, no verifications are done against the password policy IPsec preshared key.

904318

FortiGate sent ARP request with loopback IP address as the source address.

906036

Secondary blade hostname and mgmt1 IP were changed after a restored configuration on the primary blade.

906367

When upgrading a cluster of four FortiGate 2200E devices, each secondary forms a cluster with the primary only and causes an outage.

908062

FortiGate VM Azure HA cluster goes out-of-sync due to dynamic firewall address type.

912665

FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev.

916216

When adding a new interface, some other interfaces have the wrong virtual MAC address.

916286

The execute ha failover set <vcluster number> command only support two vclusters, even when mutiple vclusters exist.

916903, 919982, 922867

When an HA management interface is configured, the GUI may not show the last interface entry in config system interface on several pages, such as the interface list, policy list, address list, and DNS servers page. This is a GUI-only display issue and does not impact the underlying operation of the affected interface.

919005

Heartbeat packet loss issue at random times.

920233

The System > HA page is missing from the GUI on 5K models.

922435

Interfaces for the root VDOM are displayed in the GUI when different VDOM is selected on the HA secondary.

929486

When Configuration save mode is set to Manual, any firewall policy change will make the cluster out-of-sync.

931724

HA events not synchronizing between members, leading to unexpected HA status.

931965

Do not automatically enable LLDP transmission on an HA management port with LLDP reception enabled.

935448

Hardware session synchronization is showing as out-of-sync on primary and secondary.

Hyperscale

Bug ID

Description

832924

Timeouts occur when accessing the Migros Bank e-banking application and https://www.gs***.ch/ when the session is offloaded.

854933

The IPv6 neighbor cache configuration is missing after executing a reboot or flush command.

915796

With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic.

919977

First-time HA failover after upgrading causes long service interruption to NAT44.

920405

Problem with synchronizing a high amount of routes to NP7 for hyperscale firewall.

924196

Device is rebooting randomly when driver processes exception packets.

932317

Hyperscale firewall creates a separate session and uses a different source port for IP fragment packets.

933063

LPM daemon is being killed.

Intrusion Prevention

Bug ID

Description

810783

The number of IPS sessions is higher than kernel sessions, which causes the FortiGate to enter conserve mode.

823583

Failover on clustered web application using keepalived daemon does not work seamlessly.

860315

Unexpected behavior in IPS engine when executing diagnose test application ipsmonitor 44.

862830

[?Q?ci_" sekret=] causes the parser to create a new field, "sekret=".

874877

IPS engines do not release memory after stopping traffic more than one hour.

882593

HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair.

886685

IPS daemon usage issue when notifying device vulnerability information to WAD.

892302

Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table.

923393

IPS logs show incorrect source and destination IP addresses and policy IDs, and the ports are zeros.

926639

Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table.

IPsec VPN

Bug ID

Description

664828

L2TP VPN not working when offloading is enabled.

780297

IKE debug log filtering functionality exhibits inaccuracies, resulting in the possibility of displaying unmatched logs when filters are set.

803010

The vpn-id-ipip encapsulated IPsec tunnel with npu-offload cannot be reached with IPv6.

872769

Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted.

883138

VM running FIPS cipher mode does not show AES-CBC ciphers when configuring IPsec in the GUI.

885333

Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped.

898757

Support IKEv2 split DNS mode-cfg (RFC 8598).

898872

IPsec performance drops after upgrade on AWS.

898961

diagnose traffictest issues with dynamic IP addresses and loopback interfaces.

920725

IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading.

921691

In FGSP, IKE routes are not removed from the kernel when secondary-add-ipsec-routes is disabled.

926048

Traffic through a shortcut got dropped after an HA failover.

Log & Report

Bug ID

Description

831441

The forward traffic log show exabytes of data being sent and received from external to external IP addresses in multiple VDOMs.

839934

Destination interface in traffic log does not match the SD-WAN quality description in the log details.

860822

When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries.

881262

When a session starts on one interface and refreshes after a policy or routing change to use a new interface, information displayed in the logs is not updated properly.

902797

IPS alert email not being sent when IPS attack event has triggered.

906888

Free-style filter not working as defined under config fortianalyzer override-filter.

908856

Traffic log can show exabytes of data sent and received when generating log task is triggered from userspace.

929269

After disabling an event under the event filter, the system events summary page still shows event logs for that event.

929338

Secondary FortiGate log cannot be viewed from primary FortiGate in HA.

932817

Forward traffic log has unexpected symbols in the end for some logs.

Proxy

Bug ID

Description

733258

Support HTTP3 for web proxy and ZTNA web service.

783549, 902613, 921247

An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled.

820096

CPU usage issue in proxyd caused by the absence of TCP teardown.

863132

Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices.

897347

Memory usage issue caused by the WAD user info process while authenticating the LDAP users.

899358

Proxy-based deep inspection connection issue occurs.

904386

Unable to upload file to the application server in server-load-balance setup.

912116

Website (li***.cz) is not working in proxy inspection mode with deep inspection and web filter applied.

922286

WAD traffic to globalvideoquery.fortinet.net does not follow the FortiGuard interface-select-mode.

932487

Memory usage issue caused by the WAD while using the access proxy.

934547

FortiGate is not sending the certificate chain in proxy-based firewall policy mode.

REST API

Bug ID

Description

886012

The MTU value on an interface cannot be set using the interface REST API.

920260

SD-WAN interfaces should be denoted in the interface statistics API.

Routing

Bug ID

Description

775752

link-down-failover does not bring the BGP peering down.

808190

When ip-fragmentation is set to pre-encapsulation, the VPNv4's VRF information cannot pass fragment traffic.

849988

The Network > SD-WAN > SD-WAN Rules page does not show a red exclamation mark for addresses that have dst-negate enabled. This is cosmetic; users can use the CLI to confirm that the address has dst-negate enabled.

888210

On the Network > SD-WAN page, the Performance SLAs tab is slow to load when there is a large number (~4000) of VPN tunnels, and shortcut tunnels created by ADVPN.

890954

The change of an IPv6 route does not mark sessions as dirty nor trigger a route change.

892704

SD-WAN performance SLA statistics on secondary unit's GUI section are not synchronized with the primary and has stale data.

896090

SD-WAN members can be out-of-sla after some retrieve times.

896891

With ICMP asymmetric routing enabled, ICMP local-in/local-out reply packets will still only return through the original path, in order to maintain the ping SLA.

897666

Issue with SD-WAN rule for FortiGuard.

899827

Speed test result is not accurate.

900226

High CPU due to PIMD/NSM and multicast session not being offloaded.

900770

DHCP relay fails after a period of time with SD-WAN.

900941

config redistribute routing subsections cannot be configured when in workspace mode.

907386

BGP neighbor group configured with password is not working as expected.

909835

Search broken on SD-WAN Rules tab's Source/Destination omniselect.

910656

Router information in the BGP summary still shows removed BGP neighbor/peer configuration.

913338

FortiGate removing SD-WAN routes when network address is specified as the gateway of an SD-WAN member.

914497

SD-WAN rules list in the GUI should show the interface members in priority order instead of alphabetical order.

914815

FortiGate 40F-3G4G not adding LTE dynamic route to route table.

922491

Static routes are installed on hub FortiGate with add-route disabled in ADVPN scenario.

924940

When there are a lot of policies (several thousands), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load.

930749

IPv6 traffic was no longer forwarded according to route list and neighbor-cache list after upgrading from 7.2.4 to 7.2.5.

934803

Synchronized kernel VPNv4 routes are not used in an HA failover.

Security Fabric

Bug ID

Description

862424

On a FortiGate that has large tables (over 1000 firewall policies, address, or other tables), security rating reports may cause the FortiGate to go into conserve mode.

874822

In a configuration with a connected FortiAP-U, the FortiAP & FortiAP-S & FortiAP-W2 & FortiAP-U Command Injection in CLI security rating test fails and suggests an upgrade to 7.0.4, even though the FortiAP is on the latest version (7.0.0).

876422

After adding a 20 MB blocklist file, a FortiGate with 2 GB RAM goes to conserve mode when viewing the Security Fabric > External Connectors page.

876588

External Connectors can cause a FortiGate internal error when the configuration name has invalid characters.

907172

Automation stitch with FortiDeceptor Fabric connector event trigger cannot be triggered.

907819

Advanced GCP connector does not resolve if one element does not exists.

912592

Allow comments and IP addresses to be on the same line for external IP address threat feeds.

912917

Send Fabric API calls with pagination filter.

917024

Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric.

918230

Threat feeds with name starting with "g-" are not allowed on non-VDOM FortiGate.

922896

Azure SDN connector always uses HA management port for DNS resolve. This might not work on premises where the HA management port does not have a public IP address assigned.

926202

Unable to authorize downstream FortiGate with the Security Fabric after upgrade.

935846

Adding a real device to autolink to a serial number model device results in an error.

SSL VPN

Bug ID

Description

719740

The No SSL-VPN policies exist warning is displayed when an SSL VPN zone having an SSL VPN tunnel interface is used in a policy. The warning can be ignored; it does not affect the SSL VPN functionality.

822657

Internal resource pages and menus are not showing correctly in web mode.

830068

SSL VPN stops listening on IPv6 interface after a reboot.

833934

SSL VPN fails to connect to graph.microsoft.com when doing Azure auto-login.

835014

Webpage keeps loading when customer accesses an internal webpage in the SSL VPN web portal.

843756

Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode.

845817

Jira application is not loading properly when connecting through SSL VPN web mode.

851976

PC cannot get IP from DHCP server due to find duplicate ip and causes the dialup SSL VPN to fail.

854607

In SSL VPN web mode, the page keeps loading after logging in.

859275

Issues with accessing an internal site using SSL VPN web mode and bookmark.

878833

Decrease in download speeds observed for SSL VPN users when over 2000 users are connected.

879329

Destination address of SSL VPN firewall policy may be lost after upgrading when dstaddr is set to all and at least one authentication rule has a portal with split tunneling enabled.

881268

Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel.

883903

FortiGate does not identify users on SSL VPN as 2FA users if the user and token are put together in the same field (concatenated).

884869

Web mode bookmark showing blank page due to JS rewrite.

885978

Some buttons in URL are not working in SSL VPN web mode.

887345

When a user needs to enter credentials through a pop-up window, the key events for modification key detected by SDL were ignored.

887674

FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs.

889736

The HPE iLO 5 web server is not able to load properly from the SSL VPN portal.

894704

FortiOS check would block iOS and Android mobile devices from connecting to the SSL VPN tunnel.

895120

SSL VPN web portal not loading internal web page.

896396

SSL VPN web portal HTTP bookmark forwarded site throws Java error.

896492

When using RDP bookmarks in SSL web mode, some keys stopped working,

897385

Internal website keeps asking for credential with SSL VPN web mode.

897665

The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay.

904919

DHCP option 12 hostname needed for SSL VPN with external DHCP servers.

906756

Update SSL VPN host check logic for unsupported OS.

922446

SSL VPN service over PPPoE interface does not work as expected if the PPPoE interface is configured with config system pppoe-interface.

config system pppoe-interface
    edit <name>
        set device <string> 
        set username <string>
        set password <password>
    next
end

config vpn ssl settings
    set source-interface <PPPoE_interface_name>
end

This issue is also observed on VNE tunnel configurations.

926612

The SSL VPN log shows users having been disconnected from SSL VPN for unknown reason.

927475

SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out.

929001

An invalid user name entered in FortiClient could cause two factor PKI user login to crash sslvpnd after the client certificate checking passed.

930275

Firewall policy is not allowing the all destination address with a split-tunneling portal.

Switch Controller

Bug ID

Description

848632

Upon upgrade, the link to FortiSwitch stays down with QSFP.

861227

On the WiFi & Switch Controller > FortiSwitch Ports page, the Device Information column lists the same device multiple times.

893405

One discovery one transmit buffer was allocated and was not released on connection terminations.

902338

WiFi & Switch Controller > FortiSwitch Ports page does not show VLANs exported to another tenant VDOM, which results in the VLAN being removed if saved from the GUI.

904640

When a FortiSwitch port is reconfigured, the FortiGate may incorrectly retain old detected device data from the port that results in an unexpected number of detected device MACs for the port. Using diagnose switch-controller mac-cache show to check the device data can result in the Device Information column being blank on the WiFi & Switch Controller > FortiSwitch Ports page or in the Assets widget.

911232

Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches.

920231

FortiGate loses QoS ip-dscp-map configuration after reboot.

936081

The vlan-optimization {enable | disable} and vlan-all-mode all configuration options disappear after upgrade or reboot.

System

Bug ID

Description

656138

GUI shows conflicts error message when configuring a secondary IP address after allow-subnet-overlap is enabled.

708964

CPU usage issue is observed caused by reloading the system when the system has cfg-save set to revert.

713951

Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E.

724085

Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

766834

High memory usage caused by downloading a large CRL list.

801481

Download speed issue through WAN configured with PPPoE on FortiGate.

802932

CPU usage issue caused by clearing BGP dampened prefixes.

816579

User loses GUI/SSH access on FG-1500D while running one-arm sniffer.

820559

When backing up the configuration to a USB disk, if the file name is the same as specified under System > Settings > Start Up Settings > USB auto-install, an Invalid file name error is displayed.

828557

FortiGate as DHCP relay is not showing a DHCP decline in the debugs when there is an IP conflict in the network.

836748

FG-100F fails to boot when FortiOS image binary is larger than 94 MB.

842159

FortiGate 200F interfaces stop passing traffic after some time.

845079

DAC cable support is unstable on the FortiGate 1101E.

855515

Hardware csum failure message keeps repeating on Azure 7.0.8.

855573

False alarm of the PSU2 occurs with only one installed.

866437

CPU usage issue caused by the new Linux kernel.

867663

The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE.

869726

When an IPsec tunnel is configured with a different VRF than the underlying physical interface, and traffic is offloaded, the session expires even when traffic is flowing through it.

873391

If the FortiGate is added to FortiManager using the IPv6 address and tunnel is down for some reason, the FortiGate will not reconnect to FortiManager since fmg under system central-management is not set properly.

879769

If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

881060

Host TX dropped counter incrementing and connections failing when throughput reaches 40 Gbps.

884023

When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out.

885057

Add 100G speed option on the FortiGate 1800F.

885823

Sensor showing temperature of 0.00 Celsius.

885837

Traffic dropped as the matching SessionID is being deleted from session table in 20 seconds.

887940

Status light is not showing on the FortiGate 60F or 100F after a cold and warm reboot.

893305

Interface could not be brought up if it was part of a virtual switch.

894202

Incorrect temperature calculation appears in sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE.

895967

FortiGate 1801F in transparent mode cannot reply to an SNMP query.

897905

IPv6 addresses configured on EMAC VLAN interfaces showing FTP flag after upgrade.

900670

QSFP/QSFP+ port23/port24 are down after upgrading to 7.0.11 on FG-3401E.

903049

execute sensor list has blank lines in output.

903362

SNMP OID, fgFwPolLastUsed (1.3.6.1.4.1.12356.101.5.1.2.1.1.4), does not show the correct information about the last time a specific policy was used.

904414

Port speed 1000auto could not link up with a Cisco switch.

904485

The crashlog might show a Node.JS restarted error, Failed to fetch web-ui.node-exports: Error: connect ECONNREFUSED, if the HTTPSD is being killed during conserve mode, stuck in some API calls, or slow response during system super busy.

904486

The FortiGate may display a false alarm message and subsequently initiate a reboot.

907339

dnsproxy process aborts due to stack buffer overflow being detected upon function return.

909345

An error condition occurs caused by receiving ICMP redirect messages.

910269

Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low.

910273

Last reboot reason: power cycle after rebooting due to a kernel panic is misleading.

910616

When a non-zero DSCP copied from ingress to egress packet for NAT64, the IP checksum is calculated incorrectly.

910677

Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager.

911396

High system CPU and multiple daemons enter D state on the FortiGate 4401F.

911906

Enable auto-upgrade by default on the FortiGate 40F and 40G.

913732

Without any traffic, memory usage of FG-1800F keeps increasing slowly over time.

917029

DNS does not respond to short name queries.

917827

Delay sending LACPDU in kernel 4.19.

919901

For FIPS-CC mode, the strict check for basic constraints should be removed for end entity certificates.

920085

CPU usage issue observed in dnsproxyd caused by unused wildcard FQDN.

922920

When performing factoryreset2, the IP addresses on "a" and "b" are set to default.

922965

CPU usage issue observed in hasync daemon when session count is large.

922982

FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC.

923364

System goes into halt state with Error: Package validation failed... message in cases where there are no engine files in the FortiGate when the BIOS security level is set to 2.

923834

The DSL modem on the firewall does not work after the device starts.

924395

IPv6 local-in ping6 to management interface failed when newly configured.

925657

After a manual system administrator password change, the updated password-expire is not received by the FortiManager auto-update.

925966

Running diagnose sniffer filter with blank or empty quotation marks ("" or " ") is not working.

926035

On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot.

926817

Review the temperature sensor for the SoC4 system.

928858

Traffic over vpn-id-ipip tunnel is blocked when npu-offload is disabled in the VPN phase1 interface and the policy has UTM enabled.

929135

Interactive CLI commands, like purge, cannot be cut and pasted into the console and exits the script. The purge command in a console puTTy session stops and waits for a y confirmation.

929821

An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively.

931167

IPv6 suffixes configured on an interface are not reflected after a reboot.

933277

The npu-vdom-link cannot forward the traffic after the first two packets.

934708

The cmdbsvr could not secure the var_zone lock due to another process holding it indefinitely.

935562

NAT port is out of range, causing the PBA index to be out of range.

938981

The virtual server http-host algorithm is redirecting requests to an unexpected server.

940571

Memory usage issue caused by excessive log files.

943033

Enabling vdom-dns causes the VDOM DNS certificate to be blank instead of the default value.

944581

Checksum on FortiOS is different from md5sum.txt file on the InfoSite when upgrading from previous GA build.

Upgrade

Bug ID

Description

939011

All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy.

User & Authentication

Bug ID

Description

738846

FAS ends up in an endless loop while synching with LDAP due to special character (,) as part of the username.

868481

When the Guest User Print Template is customized in a VDOM, printing the guest user credentials from User & Authentication > Guest Management still uses the default Guest User Print Template.

872814

The SAML assertion is truncated in samld when the payload size is huge.

891068

Guest administration management does not show all groups for multiple VDOMs assigned to a guest administrator account.

896739

SSO administrator configuration breaks with Azure Cloud due to config system saml having a trailing slash in the metadata link.

899852

FortiGate is sending Class(25) AVP with wrong length in RADIUS accounting when using 2FA with PUSH or external tokens.

900591

When generating guest users according to the settings in the guest group, the expiration time of guest users will automatically add an extra two hours.

915192

Device detection sometimes does not identify the correct IP addresses of devices.

922133

Unable to view authorization page on FortiGate pop-up when the pre-login and post-login banner are set on FortiGate while using OAuth authorization.

922345

CA bundle (CRDB) to support DigiCert second-generation (G2) full CA and intermediate CA chain.

923164

EAP proxy daemon may keep reloading after updating the certificate bundle.

929112

RADUIS server dialog in the GUI incorrectly changes the custom RADUIS port to 0.

933622

The FortiGate does not send the user's IP address to the TACACS+ server during an authorization request.

VM

Bug ID

Description

901920

AWS external account list supports regional endpoints.

902816

An error condition occurs after a failover on the HA cluster deployed on an FG-VM64-AZURE.

903798

When send-deny-packet enabled or ident-accept disabled, sending out responding packets (such as TCP RST or ICMP) triggers a restart.

912184

An error condition is observed after deploying an FG-VM64-AZURE in Standard_DS4_v2 size.

913696

In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors.

916027

Copy of files between a physical server and Windows Server is slow.

918818

Traffic drops in FortiGate HA A-A, AutoScale in Azure.

921168

Restore operation overwrite passive configuration in AZURE A-P deployment based on SDN connector.

923061

IPsec tunnels on AWS have TX errors incremented every 30 seconds.

924689

FortiGate VMs in an HA cluster deployed on the Hyper-V platform may get into an unresponsive state where multiple services are impacted: GUI management, CLI commands, SSL VPN sessions, DHCP assignment, traffic throughput, and reboot function.

927323

Event log alert Write Permission Violation to read-only file on VMware after taking snapshot.

928952

VPN errors after upgrade: Malformed Packets, AUTHENTICATION_FAILED messages, and INVALID_KE_PAYLOAD.

930981

FortiGate VM heartbeat authentication failed during the upgrade to 7.2.4 or 7.2.5 when HA authentication and encryption is enabled.

933003

FortiGate-VM KVM with MLX5 not responding to ARP in RHEL environment.

935086

VLAN interface is not reachable on FortiGate-VM running on KVM with SR-IOV interface.

Web Filter

Bug ID

Description

873086

On the Policy & Objects > Security Policy page for a policy-based VDOM, adding an external threat feed category to the URL Category field does not apply the changes.

885222

HTTP session is logged as HTTPS in web filter when VIP is used.

915879

Add web filter categories for artificial intelligence technology (category 100) and Cryptocurrency (category 101).

916140

An error condition occurs in WAD caused by the mismatch between the SNI host and CNAME.

941045

Local rating chooses the wrong category if the URL path falsely matches to a longer local rating URL.

WiFi Controller

Bug ID

Description

873273

The Automatically connect to nearest saved network option does not work as expected when FWF-60E client-mode local radio loses connection.

877609

RADIUS CoA does not work in some cases.

896128

Some 5 GHz weather channels should not be allowed in certain countries.

904349

Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models.

905406

In auth-logon and auth-logout logs, Wi-Fi users with random public IP addresses are observed.

905789

FortiAP 431G is unable to join AC due to no response to cfg_request.

920189

Intermittent behavior in Hostapd caused by enabling/disabling fast-bss-transition.

921456

FAP-431F is deauthenticating clients after roaming when DHCP enforcement is enabled on the SSID, even when the client gets IP from DHCP.

922838

Usage of the cw_acds process increases and drops the FortiAP connection, which forces the FortiAP to restart in an FSM state when FortiAP settings are changed.

923530

Add support for 6 GHz band for DARRP, wlac -c rf-analysis, and BG scan period.

926676

Enable DFS channels on wtp-profile for FortiAP 431G and FortiAP 433G in region A/S/N(No-Brazil).

926999

An error condition occurred for the EAP proxy while sending the RADIUS Access-Request.

930130

MPSK keys are not loaded completely in the wpad daemon after applying a VAP with an MPSK profile selected on a FortiAP.

931592

CAPWAP offloading does not work with more than 12,000 VAP entries.

937826

An error case occurs in CAPWAP when the SSID interface, which has a VLAN interface over it, is deleted.

938525

Wi-Fi clients failed roaming from one FortiAP to another on the bridge SSID with dynamic VLAN assignment by RADIUS-based MAC authentication.

ZTNA

Bug ID

Description

828433

FortiAuthenticator Cloud zero trust tunnel (ZTNA connection) fails when EMS Fabric connector is configured.

889994

After client device information is updated, the session is closed even though all information from the session still matches the policy.

923804

ZTNA logs are showing the log message Denied: failed to match a proxy-policy when client device information matches the policy.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

911617

FortiOS 7.4.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-37935

918991

FortiOS 7.4.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-36639

919392

FortiOS 7.4.1 is no longer vulnerable to the following CVE Reference:

  • CVE-2023-36641