The DHCP reservation widget incorrectly validates based on the subnet instead of individual IP addresses.

D-NAT functionality fails when using a Software Switch in explicit mode due to incorrect session matching during packet forwarding.

Traffic on WAN interface is dropped when policy-offload-level (under config system setting) is set to dos-offload.

USB GPIO and host function were not set up properly on 9xG and 12xG.

FortiGate unresponsive when default-qos-type is set to shaping.

Hardware limitation on the NP7 platform causes the following QTM related issues:

• Incorrect checksum for fragments after QTM. The workaround is to not parse Layer4 after QTM.

• Packets longer than 6000 bytes cause QTM unresponsiveness.

• Refresh issue causes QTM unresponsiveness. The workaround is to use one refresh list.

• MTU is not honored after QTM, so packets are not fragmented.

The FortiGate-120G SFP ports fail to establish connectivity when configured with 'set speed 1000full' due to improper auto-negotiation handling.

FG-4201F with NP7 network processors shows EIF0_IGR and EIF1_IGR usage stuck at 100% and host softirq stuck at 99% after running the iptunnel traffic.

FortiGate 3601E 25Gauto link not coming up using DAC cables.

The network interface settings page fails to load on certain FortiGate models when the admin profile does not have the System > Configuration > Read/Write permission.

Configuration loss on FGT-60F when FortiGate enters extreme conserve mode

On the Policy & Objects > Traffic Shaping page, when deleting or creating a shaper, the counters for the other shapers are cleared.

The By Sequence view in the Firewall policy list may incorrectly show a duplicate implicit deny policy in the middle of the list. This is purely a GUI display issue and does not impact policy operation.

The Interface Pair View and Sequence Grouping View do not have this issue.

Session counters are not updated when ASIC offload is enabled on firewall policy. FortiGate GUI displays incorrect information in the "Bytes" and "Last Used" columns.

If an interface on an NP7 platform has the set inbandwidth XXX, set outbandwidth XXX, and set egress-shaping-profile XX settings, the following issues may occur:

• Fragment packet checksum is incorrect.

• MTU is not honored when sending packets out.

• QTM hangs and blocks traffic when packet size is larger than 6000 bytes.

Workaround:

config system interface
    edit xxx
        unset egress-shaping-profile
    next
end

In the GUI, cannot filter Address objects correctly when using CIDR notation.

After a failover, ARP entries are removed from all slots when an ARP query of single slot does not respond.

FortiGate 7000E IPv6 routes may not be synchronized correctly among FIMs and FPMs.

High CPU usage by the node process occurs when loading 7000 policies due to fetching all statistics in one request.

After an HA failover, there is no IPsec route in the kernel.

Workaround: Bring down and bring up the tunnel.

On the FortiGate 7000F platform with virtual clustering enabled and syslog logging configured, when running the diagnose log test command from a primary vcluster VDOM, some FPMs may not send log messages to the configured syslog servers.

If the secondary reboots, after it rejoins the cluster SIP sessions are not resynchronized.

CSF is not working as expected.

FGCP HA session synchronization may stop working as expected on a FortiGate 7000F cluster managed by FortiManager. This happens if the HA configuration uses management interfaces as session synchronization interfaces by configuring the session-sync-dev option, for example:

config system ha
    set session-sync-dev 1-M1 1-M2
end

The problem occurs when FortiManager updates the configuration of the FortiGate 7000F devices in the cluster it incorrectly changes to the VDOM of the management interfaces added to the session-sync-dev command from mgmt-vdom to vsys_ha and the interfaces stop working as session sync interfaces.

You can work around the problem by re-configuring the session-sync-dev option on the FortiGate 7000F cluster (this resets the VDOM of the session sync interfaces to vsys_ha) and then retrieving the FortiGate configuration from FortiManager. This synchronizes the correct configuration to FortiManager.

When viewing entries in slide-out window of the Policy & Objects > Internet Service Database page, users cannot scroll down to the end if there are over 100000 entries.

Suggest showing the SFP status information on the faceplate of FGR-60F/60F-3G4G devices.

High Node.js memory usage when building FortiManager in Report Runner fails. Occurs when FortiManager has a slow connection, is unreachable from the FortiGate (because FMG is behind NAT), or the IP is incorrect.

On FortiGate G series models with dual WAN links, the Interface Bandwidth widget may show an incorrect incoming and outgoing bandwidth count where the actual traffic does not match the display numbers.

There is no setting for the type option on the GUI for npu_vlink interface.

Authorization of FEXT devices fails when using the FortiGate GUI.

When performing HA upgrade in the GUI, if the secondary unit takes several minutes to boot up, the GUI may show a misleading error message Image upgrade failed due to premature timeout.

This is just a GUI display issue and the HA upgrade can still complete without issue.

FortiGate in an HA setup has an unnecessary primary unit selection when a new member joins or reboots one member in the VC cluster when the VC has more than 2 units.

The secondary FortiGate with an HA Reserved Management Interface cannot be accessed using HTTPS after upgrading from version 7.4.3.

When HA members are not registered under the same FortiCare account, the HA cluster cannot obtain contract info of all members from FortiGuard servers.

vSN support was added in 7.2.9, 7.4.6, and 7.6.1. FG-100F/101F do not yet support vSN and logical-sn.

No workaround until the devices support vSN.

When Hyperscale logging is enabled with multicast log, the log is not sent to servers that are configured to receive multicast logs.

Traffic over GRE tunnel over IPsec tunnel, or traffic over IPsec tunnel with GRE encapsulation is not offloaded on NP7-based units.

GRE over IPsec does not work in transport mode.

FortiGate 6K and 7K models do not support IPsec VPN over vdom-link/npu-vlink.

IPsec VPN traffic is dropped after upgrading to version 7.4.3.

IPsec SA offloading stops on some FortiGate models when handling more than 50,000 concurrent secure associations.

FortiGate prompts error Fetching data from Disk is taking longer than expected. Suggest trying a different log source or check the availability of Disk. when viewing logs for the last 7 days from disk or FortiAnalyzer.

The firewall policy works with proxy-based inspection mode on FortiGate models with 2GB RAM after an upgrade.

Workaround: After an upgrade, reboot the FortiGate.

The diagnose ip rtcache list command is no longer supported in the FortiOS 4.19 kernel.

Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over 50). This issue does not impact FortiAP management and operation.

FortiGate experiences a CPU usage issue in the node process when there multiple administrator sessions running simultaneously on the GUI in a Security Fabric with multiple downstream devices. This may result in slow loading times for multiple GUI pages.

In some cases, the Security Fabric topology does not load properly and displays a Failed to load Topology Results error.

Security profile names containing two forward slashes (//) cause the webpage to become unresponsive when attempting to edit.

Security Fabric Asset Identity Center shows "Failed to load user device store data".

The GUI becomes slow or unresponsive when transceiver-related API requests fail.

FortiSwitch port configurations fail to update and GUI display issues occur when user-info process overloads system resources with excessive connections.

config sync error on managed FSW after upgrade when "Name" field and port exported are configured on the same FSW.

On the NP7 platform, setting the interface configuration using set inbandwidth <x> or set outbandwidth <x> commands stops traffic flow.

Workaround: Change the NP7 default-qos-type setting from shaping to policing. This requires a restart of the device for the configuration to take effect:

config system npu
   set default-qos-type policing
end

Traffic interrupted when traffic shaping is enabled on 9xG and 12xG.

The le-switch member list does not update when the role of an interface is changed in a lan-extension environment.

After shutting down a SOC4 FortiGate (FGT-40F/FGT-61F/FGT-81F/FGT-100F) using the "execute shutdown" command, the system automatically boots up again.

On FortiGate, the snmp daemon does not work as expected resulting in the SNMP queries timing out.

A FortiGuard update can cause the system to not operate as expected if the FortiGate is already in conserve mode. Users may need to reboot the FortiGate.

If the DHCP offer contains padding when DHCP relay is used, the DHCP relay deletes the padding before relaying the packet.

The FortiFirewall 2600F model may become stuck after a fresh image burn. Upgrading from a previous version stills works.

Workaround: power cycle the unit.

The time change in FOS is restored after reboot. The RTC node is not created correctly so the time change cannot be kept in RTC.

Cannot push config sfp-dsl enable and vectoring under interface.

Packets are dropped when using auto-asic-offload with 802.1AD over LACP on FortiGate due to missing MAC address assignment on QinQ lag interfaces.

FortiGate Cloud remote login triggers 2 admin login events (1 successful and 1 unsuccessful for PKI admin).

CPU spikes and management access issues occur on certain FortiGate models post-upgrade when IPsec Phase 1 NPU-offload is enabled during maintenance.

Upgrading an FGCP HA cluster of FortiGates with NP7 processors from 7.2.8, 7.2.9, or 7.2.10 to FortiOS 7.4.4, 7.4.5, 7.4.6, or 7.4.7 may cause the cluster to experience an infinite reboot loop. This issue has been resolved by FortiOS 7.4.8.

You can work around this problem by either disconnecting the FortiGates from the cluster, upgrading them individually, and then reforming the cluster, or by upgrading the cluster from 7.2.x to 7.2.10 and then to 7.4.8.

In 7.4.6 and 7.4.7, if a local-in policy or local-in-policy6 is used in an interface in version 7.4.5, or any previous GA version that was part of the SD-WAN zone, the policies are deleted or show empty values after upgrading to version 7.4.6 or 7.4.7.

Workaround: After upgrading to 7.4.6 or 7.4.7, users must manually recreate these policies and assign them to the appropriate SD-WAN zone.

NTLM authentication does not work with Chrome.

RADIUS group usage not displayed correctly in GUI when used for firewall admin authentication.

For FortiGate (versions 7.2.10 and 7.4.5 and later) and FortiNAC (versions 9.2.8 and 9.4.6 and prior) integration, when testing connectivity/user credentials against FortiNAC that acts as a RADIUS server, the FortiGate GUI and CLI returns an invalid secret for the server error.

This error is expected when the FortiGate acts as the direct RADIUS client to the FortiNAC RADIUS server due to a change in how FortiGate handles RADIUS protocol in these versions. However, the end-to-end integration for the clients behind the FortiGate and FortiNAC is not impacted.

Workaround: confirm the connectivity between the end clients and FortiNAC by checking if the clients can still be authorized against the FortiNAC as normal.

When performing LDAP user searches from the GUI against LDAP servers with a large number of users (more than 100000), FortiGate may experience a performance issue and not operate as expected due to the HTTPSD process consuming too much memory. User may need to stop the HTTPSD process or perform a reboot to recover.

Workaround: Perform an LDAP user search using the CLI.

When RADIUS server has the require-message-authenticator setting disabled, the GUI RADIUS server dialogs Test connectivity and Test user credentials still check for the message-authenticator value and incorrectly fail the test with missing authenticator error message.

config user radius
    edit <radius server>
        set require-message-authenticator disable
    next
end

This is only a GUI display issue and the end-to-end integration with RADIUS server should still work.

Workaround: user can confirm if the connection to RADIUS server via CLI command

diagnose test authserver radius <server> <method> <user> <password>.

In FTP passive mode with GWLB setup, Geneve header VNI lengths are zero in syn-ack packets, leading to retransmission issues.

VLAN traffic fails to pass through E810-XXV NIC with SFP28 transceiver and 25G speed after enabling DPDK.

When there are extra large number of managed FortiAP devices (over 500) and large number of WiFi clients (over 5000), the Managed FortiAPs page and FortiAP Status widget can take a long time to load. This issue does not impact FortiAP operation.

Intermittent traffic disruption observed in cw_acd caused by a rare error condition.

The FortiGate fails to generate debug/sniffer logs for a user when connecting to a specific SSID despite showing station logs with radius requests and challenges, while other SSIDs function correctly.

On the WiFi & Switch Controller > Managed FortiAPs page, when upgrading more than 30 managed FortiAPs at the same time using the Managed FortiAP page, the GUI may become slow and unresponsive when selecting the firmware.

Workaround: Upgrade the FortiAPs in smaller batches of up to 20 devices to avoid performance impacts.

High memory usage may occur due to offline station entries not being automatically cleaned up over time.

Mapped drives become inaccessible after laptop reboots when using FortiGate ZTNA access proxy with FQDN destinations.