SSLVPN crashes on corporate FortiGate due to watchdog timeout when a single connection enters an infinite loop of read iterations and the worker process becomes unresponsive to new connections.

SSL VPN web mode missing several security headers in the HTTP response.

Performance degradation occurs in SSL-VPN due to connection/session timeout management issues.

Traffic could not go though SSL VPN tunnel when DTLS is enabled with a loopback interface as source address.

FortiGate sends out expired server certificate for a given SSL VPN realm, even when the certificate configured in virtual-host-server-cert has been updated.

FNBAMD session hangs after a massive authorization request.

SSL VPN authentication is triggered even with EMS SN check enabled.

Permission error occurs when local user enters new password that does not comply with password policy.

Insufficient session expiration in SSL VPN using SAML authentication.

SSL VPN web mode missing HTTP response headers.

Login failure occurs when 'warn days' are enabled in password policy for SSL VPN tunnel mode.

FortiClient 7.2.6 GA Azure auto login cannot connect after upgrade.

Log additional debug information to aid troubleshooting.

SAML metadata fails to generate when haproxy binds to the reserved SSL VPN source port 8900, preventing SAML authentication.

Error condition in sslvpnd occurs when generating a local signal handler within a chroot jail

Large file downloads take longer than expected due to a WAD process issue.

SMB traffic fails when the file server uses AES-256-GCM/CCM encryption with FortiOS.

In TP VDOM, the WAD creates the expectation session for FTP data connection if the firewall is in the proxy mode. This session does not have the outdev info.

Security Profiles > Antivirus: Creating a new antivirus profile on 2G models displays error notification Cannot read properties of undefined (reading 'entries') and fails.

Traffic fails to follow SD-WAN rules when SNAT is enabled and "snat-route-change" is activated due to session drops caused by SNAT check failures after route changes.

Support Encrypted Client Hello (ECH) in flow mode.

License expiration issue occurs when FortiGate has a valid FURL contract and connects to the StateRAMP SDNS server.

FortiGate in proxy mode sends the cached DNS response when it receives a DNS registration request.

Verification of EMS and upgrade of FGT with verified EMS should promote CA to fabric-ca.

Non-web ZTNA application configurations fail to sync with EMS after initial setup when FortiGate is connected to multiple EMS connectors.

Expired 'FCEM' contracts are loaded in FGVM when multiple account-level licenses exist under the same tag due to selection based on entry order rather than expiration date.

Verbose wad diag filter on source IP occurs when filtering with src/src6 filter.

SSL certificates are misapplied when FortiGate processes requests with deny actions in proxy policies.

Overflow occurs in WAD daemon when oversize-limit exceeds 4096 MiB during byte conversion.

Policy Test feature fails to function correctly when testing HTTP(S) server configurations due to missing source port initialization.

Expand the proxy-auth-timeout maximum value.

Deep scanning occurs when accessing subcategories of websites with category-based proxy policies despite disabling subcategory checks.

Policy & Objects > Multicast Policy: Mac type addresses are not listed in the Src/dst omniselect on the GUI.

Policy & Objects > Firewall Policy: The column filter for Secondary security posture Tag does not filter matching results when multiple tags are present on a policy.

Misleading logs with subtype="ztna" appear when only virtual-server in a firewall policy.

The By Sequence view in the Firewall policy list may incorrectly show a duplicate implicit deny policy in the middle of the list. This is purely a GUI display issue and does not impact policy operation.

The Interface Pair View and Sequence Grouping View do not have this issue.

Some customers observed memory usage increase and client session not disconnecting issues using virtual server

Policy enforcement fails for wildcard FQDN hosts as destination targets because the address records are not added to the wildcard entry when processing a server response for an FQDN's domain name.

Policy list refreshes entirely when right-clicking on hitcount or bytes columns to update statistics or clear counters.

Under heavy network traffic, the Netflow session cache for sampled traffic quickly reaches the hardcoded RAM limit, causing the sFlow daemon to shut down.

HTTP/2 post without content-length is not supported in half-ssl virtual server.

Denied sessions were bidirectional and caused all traffic to be blocked.

If an interface on an NP7 platform has the set inbandwidth XXX, set outbandwidth XXX, and set egress-shaping-profile XX settings, the following issues may occur:

• Fragment packet checksum is incorrect.

• MTU is not honored when sending packets out.

• QTM hangs and blocks traffic when packet size is larger than 6000 bytes.

Packet drops occur when high traffic causes nTurbo buffers to be reused without proper initialization under CPU-intensive conditions with ASIC offloading enabled.

ICMP Echo replies sent through local-in-policy with virtual-patch enabled are routed through incorrect interfaces during traffic handling.

Firewall policy filter does not work well on source and destination columns for "all" and "ems" addresses.

After FortiGate exits conserve mode, some policies failed to install into the kernel at the same time.

Trailing stray characters appear in Netflow App Info reports, causing warnings in analysis programs.

Unexpected traffic hit policy in forward traffic log.

Threat feeds used as source or destination addresses in security policies may not match correctly.

NAT is incorrectly applied to traffic when a single SYN packet is sent to a VIP without an acknowledgment or reset.

Shared memory files on entry-level platforms can't be removed upon restart due to being stored in a persistent directory instead of a temporary one.

Policy & Objects: local-in policy, central-snat map, DoS Policy, and multicast policy have SD-WAN member in omniselect list of interface, and choosing the member interface results in an error.

Central-snat map, DoS Policy, and multicast policy do not list the SD-WAN zone in omniselect list of interfaces.

Search in the Address group dialog box using a partial word match takes more than a minute.

Traffic shaping statistic issues caused by QTM when using NP7.

Policy & Objects > Firewall Policy: Policy lookup for UDP protocol with FQDN does not work.

Workaround: Use the command line for policy lookup.

tcpsock command missing PID/process name for sessions in established state.

Traffic shaping statistics are not provided when using QTM on NP7.

Leaving the apn field empty in a GTP APN traffic shaping policy means that the policy will not match any traffic. Consequently, APN traffic shaping can only be applied to specific APNs.

To configure GTP APN traffic shaping:

config gtp apn-shaper
    edit <policy-id>
        set apn [<apn-name> <apngrp-name> ...]
        set rate-limit <limit>
        set action {drop | reject}
        set back-off-time <time>
    next
end

If session is in SYN_SENT or SYN_RECV state, and FortiGate receives a second SYN with different ISN, it will drop the second SYN.

A firewall policy allows traffic from client to server, but no policy exists for server to client. When traffic is not matched from server to client, a block session forms that blocks traffic in both directions.

Traffic fails to pass FortiGate when firewall policies are applied in TP VDOM due to flag checks treating packets as local instead of forwarding them.

An error condition occurs when disabling the outbound shaping-profile on the interface edit page.

Policies are deleted and replaced with "implicit" when exporting CSV from the Interface Pair View in Firewall Policy GUI.

The local-in-policy session TTL does not follow the service session-ttl.

VIP with set ldb-method http-host sends incorrect FQDN in ClientHello to second realserver when using HTTP2.

After a failover, ARP entries are removed from all slots when an ARP query of single slot does not respond.

High CPU usage by the node process occurs when loading 7000 policies due to fetching all statistics in one request.

When doing a GUI-packet capture on FortiGate, the through-traffic packets are not captured.

GTP-U traffic fails when offloaded to NP7 with monitor-mode enabled.

SNMP query returns an error when there is a large number of BGP routes.

High cmdbsvr CPU usage and FTP hang issues occur during scheduled automation backup executions due to automated backups appending device serial numbers to file names.

Fewer sensor entries appear when executing 'chassis-sensor list' after system bootup due to delayed sensor initialization on SMM.

GUI unreachable due to certificates and private keys mismatches in a HA setup.

The Security Profile menu does not appear in the GUI for Global VDOM on FortiGate 6K/7K devices despite being accessible through CLI.

Session count for VDOMs incorrect in FortiGate 6K/7K devices.

Local-in remote access issues due to incorrect destination address.

FortiGate FPM hangs after upgrade when confsynchbd fails to release a lock due to file permission issue.

The command execute load-balance slot manage X fails on FortiGate 6K/7K devices when admin-telnet is disabled and then re-enabled.

Unexpected behavior observed in the confsyncd daemon due to an erroneous memory allocation.

New SNMP MIB table for chassis sensor.

Graceful upgrades fail when hatalk daemon restarts, disrupting slbha state synchronization during FortiOS version transitions.

SFF-8472 diagnostic support was not recognized on SFP transceivers in FG-7941F systems.

On the FortiGate 7000F platform, after upgrading from FortiOS 7.4.7 to 7.6.2, cmdbsvr CPU usage can be at 99% on one or more FPMs for several minutes. During high CPU usage, FortiGuard packets cannot be synchronized to the affected FPM(s).

FG-6K session filter by source interface doesn't set correct interface index.

Graceful upgrade of a FortiGate 7000E chassis to FortiOS 7.6.2 may fail for some configurations.

On a FortiGate 7000E FGCP cluster, after using the execute ha disconnect command to disconnect a chassis from the cluster, you can't use the special management ports to connect to the FIM in slot 2 or to any of the FPMs of either chassis. You can still connect to the FIM in slot 1.

Confsyncd crashes occur when syncing ha-mgmt-intf to a newly joined HA slave due to invalid pointer attributes.

Traffic drop occurs on 7KF-FGT devices when traffic shaping is enabled during or after migration, causing intermittent internet connectivity loss.

Policies fail when Security Posture Tags are configured on SLBC platforms due to dynamic address sync issues outside HA mode.

In a 7121F chassis HA system with 7000F image, the secondary chassis GTP-C tunnels were not synced with the primary chassis GTP-C tunnels.

Network > Interfaces: When an IPsec tunnel is bound to an interface, the "Interface Integrate" option for the interface fails.

High Node.js memory usage when building FortiManager in Report Runner fails. Occurs when FortiManager has a slow connection, is unreachable from the FortiGate (because FMG is behind NAT), or the IP is incorrect.

Offline license file cannot be uploaded to FGT by GUI.

On FortiGate G series with dual WAN links, Interface bandwidth widget may show incorrect incoming and outgoing bandwidth count, where the actual traffic does not match the display numbers.

Inappropriate Security Rating Insights items occur when registering to EMS and syncing tags.

NodeJS errors when event log socket is closed.

The config system fortiguard > fortiguard-anycast setting was changed to automatically disable when the FortiGuard page is shown on GUI.

Patch schedule minutes are ignored when set through the GUI for automatic upgrades.

The FortiOS GUI fails to load topology-related pages when temporary files generated during Security Rating operations are mistakenly read by the REST API.

IPsec monitor widget: IPsec phase2 tunnel details are not displayed in the tooltip when hovering over the phase2 selector.

VDOM search function does not work properly if VDOM has uppercase letters.

Interface faceplate appending occurs when switching between fabric devices.

Admin can log in to GUI (HTTPS) with password, even when admin-https-pki-required is enabled.

GUI shows LAN interfaces that have an IP address in the network ranges 172.31.0.0/16 or 192.168.0.0/16 to be managed by IPAM, even though the feature is globally disabled.

When launching the GUI console using Jet Stream theme, the character spacing appears wider than usual.

SD-WAN zone is not selectable as an interface in GUI for certain policies.

No log output when running debug flow on GUI.

Duplicated logs occur during Node.js health-check operations when internal communication between daemons is exposed through HTTP requests, as the traffic is captured in logs and packet captures.

System > FortiGuard: FortiCare elite contract is not displayed accurately under Licensing information.

Asset Identity Center: Tooltip on IoT/OT Vulnerabilities says OT license is inactive even with full license.

An error condition occurs during upgrade to FortiOS 7.6.3 B3485.

After changing the status to down on the ha1 and ha2 ports, setting the status back to up does not bring up the ports.

Console prints error message when delete vdom in HA setup.

Console prints error message when delete vdom in HA setup

PBA logs missing during HA failover.

In HA cluster, when a FortiToken is aggregated or revoked from a local.user, cluster is out of SYNC.

Firewall policy page takes a long time to load on the HA Primary unit due to a loop condition between BGP and NSM when other protocols' same route is redistributed to BGP.

Firmware upgrade/downgrade is stuck at "Preparing for upload" with "*.js results in a network error" for FetchEvent when using Selenium auto test under Chrome Incognito window.

HA secondary unit experiences high CPU usage when frequent changes are made to CMDB on the HA primary unit.

Duplicated logs occur in FAZ during sniffer mode operation in HA active-passive setups because both active and passive FortiGates forward L2 packets to the IPS engine, causing duplicate entries.

Switches observe MAC address flapping in HA A-A setups when both FortiGates use identical virtual MACs on their primary VLANs.

SDN connector limits the API traffic flow through root VDOM or HA management VDOM.

Traffic interruption occurs when performing a manual HA failback after an initial failover in VWP setups.

Joining a FortiGate with RAID enabled in an existing cluster causes the primary to shut down due to differing RAID statuses.

Connection issues occur when FortiGate secondary uses primary's certificate to connect to FMG instead of its own.

In an FGSP setup, on asymmetric TCP flow during SYN/ACK packet on the other member, the TCP MSS value is not adjusted according to the firewall policy.

In a HA setup, the aggregate interface status remains up after configuring 'status down' in FortiOS due to a race condition.

Multiple SCTP expectation sessions are created during resynchronization due to a flag allowing duplication.

Duplicate IP detected messages are seen from the Secondary Fortigate in a cluster.

"Detected Tx Unit Hang" error occurrs on the HA secondary, causing it to become out-of-sync.

The secondary FortiGate with an HA Reserved Management Interface cannot be accessed using HTTPS after upgrading from version 7.4.3.

In an FGSP cluster, enabling and disabling standalone-config-sync results in the local dev_base being deleted and synchronized with the peer, which leads to the absence of the dev_base.

In an FGSP cluster, enabling and disabling standalone-config-sync results in the local dev_base being deleted and synchronized with the peer, which leads to the absence of the dev_base.

Cluster experiences split-brain when EMAC interfaces are disabled within a zone.

Add IPv6 destination support under HA management interface configuration.

Admin socket creation error occurs when upgrading FortiOS in an HA A-P cluster.

New LACP interface is not shown under diagnose sys ha standalone-peers on both FGSP members.

The SNMP value of fgVWLHealthCheckLinkState on the secondary unit should always be set to dead(1).

HA synchronization fails due to checksum mismatches on CA certificates across all VDOMs when adding or modifying certificates sourced from a bundle.

When two HA clusters are on the same subnet, the L2 session-sync packets could be received by each other, even if they are from two different HA clusters.

Unexpected behavior occurs when ippool PBA index is out of range.

The sessionsync daemon experiences high CPU usage when syncing expectation sessions under heavy SCTP traffic and FGSP enablement due to inefficiencies in the dump API.

HA second unit cannot sync firewall ZTNA dynamic address with HA primary unit after primary disables EMS server.

vSN support added in 7.2.9, 7.4.6, and 7.6.1. FG-100F/101F do not yet support vSN and logical-sn.

Unexpected behavior observed in NPD when the threat feed object attempted to update manually in the HA pair.

Add ipv4/v6-session-quota back for software sessions in hyperscale VDOM.

SNAT session drops occur when kernel sessions become dirty in hyperscale VDOM environments due to inconsistent NAT resource allocation between software and hardware sessions.

Using fixed-allocation IP Pools may cause NP7 NSS/PRP modules to become stuck, potentially disrupting traffic. Other PBA IP pools do not have this issue.

The diag sys npu-session list-brief command now includes additional values for timeout, duration, and policy-id and an improved filter that includes EIF sessions to enhance its functionality and filtering capabilities.

HA configurations are lost if hw-sess-sync-dev is configured with more interfaces than expected. (The expectation is two times the number of NP7 chips.)

The get sys ha status command does not offer detailed interface statistics for hardware session sync devices.

When handling very high traffic loads (150M 250M concurrent sessions), the system sometimes fails to free up memory, even after all sessions have been cleared and traffic has stopped.

Client could not get DHCP IP address with policy-offload-level set to full-offload.

FortiGate encounters CPU usage issue due to IPSEngine utilization when using an app-ctrl utm profile.

Traffic is dropped silently when IPv6 traffic is sent with UTM and nTurbo enabled on FortiGate-121G.

IPS does not pass channel ID/category ID from the first video in a YouTube playlist to WAD.

Sniffer logs are not generated when using VLANs.

Child process that loads IPS database does not have CMDB permission to write to IPS table.

When IPS generates traffic log for tunnel traffic, traffic log should include outer packet details.

When spoke re-authauthorization is enabled, shortcut tunnel rekey fails and goes down when SA expires. Shortcut tunnel flaps while it re-establishes again.

Packet drops occur when FortiOS CPUs are overwhelmed by high traffic bursts while IPsec acceleration is enabled, leading to CP queue overflows despite prior optimizations.

IPsec performance issue on Intel-based platforms occurs due to FortiOS not enabling all available IPsec drivers.

Incrementing TX and RX errors on VPN interface occur when NPU offload is disabled, busy CPU cores, or high burst traffic cause packet drops due to full queues on SoC3/Soc4 platforms.

Dialup and loopback-asymroute disable with multiple paths for IKE/IPsec traffic are configured. When the incoming ESP traffic changes path because of a routing change, reply traffic still egresses on the old interface, and traffic is dropped.

IPsec does not work as expected when the traffic path is from spoke dial-up to hub1, and then from hub1 to another site through a site-to-site tunnel.

Throughput is limited in Site to Site VPN connections between the FW1kF and the FWVM Google Cloud platform.

Egress shaper fails to enforce bandwidth limits on VPN ID with IPIP encapsulation IPsec interfaces due to incorrect handling of traffic forwarding across multiple network processing units.

L2TP/IPsec connections fail due to interface changes from break-before-make rekeys and Windows rejecting selectors during FGT-initiated QM rekeys.

Unexpected behavior observed in the IKED during HA split-brain events when IPsec tunnels are configured to use DHCP.

Authentication fails when using FortiClient with IPsec IKEv2 after waiting more than 60 seconds to enter the 2FA token, caused by a fixed 60-second RADIUS timeout.

transport-mode IPsec phase2 cannot set non-zero protocol successfully.

IPsec phase2 interface with encapsulation set to transport-mode cannot successfully set non-zero protocol.

Unexpected behavior observed in the IKED after configuration changes when the phase1 monitor feature is used.

NP7 tunnel offloading failure recovery issue may cause use-after-free memory corruption when there are many concurrent IPSec tunnels, which leads to high CPU usage and kernel panic.

Kernel crash caused by memory corruption due to a use-after-free issue, resulting in a system hang. This issue occurs with a large number of IPsec tunnels.

ADVPN IPsec traffic over shortcuts drops during IPsec tunnel rekey.

Failed HTTP sessions occur when passing through nTurbo due to improper handling of fragmented packets.

Transparent mode, policy-based IPsec VPN, local-out traffic automatically enters VPN.

With set peertype one, the FortiGate will not accept ID_IPV4_Address as peer ID for dynamic IPsec IKEv2.

IPsec VPN match-security-posture-tag feature won't work when FortiClient is behind NAT.

IPsec SA offloading stops on some FortiGate models when handling more than 50,000 concurrent secure associations.

Static routes are marked inactive when an old IPSec tunnel is deleted during an INITIAL-CONTACT message in IKEv1, mistakenly deactivating the new tunnel's status in the kernel.

Group list is truncated because of fixed-size buffers.

Juniper device unable to establish IKEv1 tunnel with FGT.

FGT fails to negotiate encryption algorithm CHACHA20_POLY1305 against third- party client.

iked spikes to 99.9% if client sends FIN after ike tcp session is established.

FortiGate presents certificate information when accessed using IPsec VPN listening interface.

Gateway switching fails during IKE session resumption when moving from a FortiGate model without Azure AD auto-connect enabled to one with it due to missing mode communication.

For ADVPN 2.0 shortcut negotiation, UDP hole punching for spoke behind NAT uses source port 500 instead of 4500.

Traffic is dropped by anti-spoof check when passing traffic through phase2 transport mode with GRE encap.

VPN authentication fails on FortiSASE when a large number of RADIUS groups are configured.

Unauthenticated User mismatch with User in logs.

Log & Report > Reports: When reports are renamed, the scheduled reports page does not load and the unable to fetch reports error notification is displayed.

FGT-VM64 has no crash log record and event logs for license status change from Valid to Warning.

Erroneous memory allocation results in intermittent HTTPSD disruption caused by a corrupted traffic log file.

Firewall logs show Object Object in GUI and dstintf="unknown-0" in raw logs.

Page loading issues occur when loading a high number of logs.

Missing poluuid and policyname fields occur in Forward Traffic logs when HA failover happens in FGCP clusters.

Forward Traffic log fetched from FortiGate Cloud takes a long time to load on GUI.

Some WiFi Log descriptions are inaccurate.

Observed Device vulnerability lookup on FortiGuard in high frequency under the system event log.

Temporary log files persist in /var/log after successful FTP uploads, leading to increased disk usage.

Secondary device fails to generate reports at the set time.

Log & report > Forward Traffic: The Security tab for security event logs does not load.

Syslog traffic uses the correct exit interface after a change in source interface but fails to update the source IP.

The body is partially missing from emails sent by alert mail.

Packets captured by IPS indicates HTTP/1.1 in case of HTTP/2 request.

On FortiGate 61E and 81E models, a daemon WAD issue causes high memory usage.

Proxyd always selects the first certificate in the list when multiple server certificates are configured, regardless of SNI.

After an upgrade on a 2GB FortiGate device, the firewall policy does not switch from Proxy-based to Flow-based in the Inspection mode field.

Strict SNI certificate checks skip IP destination validation under strict mode.

HTTP/2 large file transfers are slow when IPS, APP, or SSL inspect-all is enabled due to excessive buffering during traffic forwarding.

Accessing certain websites through HTTPS fails when using inspect-all deep-inspection in proxy mode firewall policy.

An error case observed in the WAD, affecting some VIP traffic, caused by erroneous memory allocation.

FortiGate encounters a WAD memory usage issue when using a secure explicit web proxy with WAD user authentication to visit some websites.

Add a limit on the memory used by user-device-store as a percentage of the total system memory

An error condition in WAD occurs during shutdown after factory-reset on 32-bit ARM platforms.

Large file downloads through proxy HTTP2 are slow when IPS/APP/SSL inspect-all enabled.

When VDOM configuration file is restored, it changes the no-inspection profile under ssl-ssh-profile to deep-inspection.

WAD fails to handle deep-inspection traffic under FIPS mode.

When creating a VPN remote certificate with the API, the "remote" key fails to be set, resulting in incomplete configuration.

The available interfaces list is slow in configurations with many IPsec tunnel connections.

External Account Binding support occurs when using ACME RFC8555.

Adding ipv6-trusthost under api-user will override ipv4-trusthost setting and allow all IPv4 source IP addresses.

The system fib version does not match VDOM fib version in 1801F when queried due to a misalignment in how genid is reported by the Linux kernel to user space.

The speed-test result files are not deleted after test runs. The new test ID may collide with a previous result. In this case, the GUI may read a previously failed result and report errors.

Routing monitor: The Routing widget becomes unresponsive when using route lookup on a configuration that has a large number of routes.

The load-balance mode in SD-WAN rules only considers up to 8 paths as active when more than 8 are configured.

BGP flaps occur when high L2P TPE drops are detected under heavy IPsec traffic conditions.

IPv6 prefix delegation does not add IPv6 route automatically.

The loopback interface does not appear as an outgoing option for BGP peer connections when configuring through the GUI.

When adding new static route and prefix-list using CLI, 0.0.0.0/0 takes effect, in spite of invalid format of dst and prefix.

Inactive IPv6 routes occur when dual stack BFD is configured without assigning the correct interface for IPv6, causing it to default to an IPv4 interface instead.

The BGP router-id fails to reset after editing the neighbor group settings because the dialog doesn't properly handle the reset functionality.

Users can create a BGP neighbor without configuring remote-as using CLI, and after completing BGP neighbor configuration, neighbor will remain in admin down state.

Network > SD-WAN > SD-WAN Rules: Filtering on members with alias names does not display matching results.

FortiGate uses link-local IPv6 address as nexthop in VLAN network, instead of global address.

BGP Stale route not working as expected.

Application "cmdbsvr" crashes when processing a configuration from OaaS controller. This issue occurs when adding another ISP to the test spokes and applying the change.

Network > Routing Objects: BGP AS number with asdot/asdot+ format will drop the trailing 0s on "set set-aspath" router-map config.

IPv6 traffic can't match the correct firewall policy in certain SD-WAN cases.

CPU usage issues observed during auto BMRK operations.

Restore image from FTP server failed using SD-WAN.

SD-WAN Default_DNS performance SLA shows all participants of Default_DNS are down.

Incorrect priorities are applied during remote health-checks when iked restarts because lnkmtd retains stale tunnel cache entries.

auto-asic-offload disabled under vne-interface after upgrading from 7.4.6 to 7.6.1.

Incorrect SDWAN rule is matched. fib-best-match is configured under zone.

The snmpd cache update takes longer when querying SD-WAN health-check data due to delays in retrieving bandwidth statistics.

In SD-WAN, when detect mode Prefer Passive is used, routing table is not updated in time

ADVPN shortcut is established between different transport-groups.

Inadvertent behavior observed in BGPD due to erroneous memory freeing when applying route-maps.

FortiGate disregards SD-WAN members for path selection even when they are in SLA.

Traffic fails with Fabric Overlay Orchestrator using automatic policy creation with system zones.

When FortiAnalyzer setting interface-select-method is sdwan, FortiAnalyzer connection is closed and restarted, even though SD-WAN interface doesn't change.

IPv6 routes are stuck on kernel routing table.

Failed to sniffer the VNE tunnel interface.

Session marked dirty by mistake when unrelated route changes in different VRF.

The link-monitor daemon truncates hostnames exceeding 63 characters when used in SDWAN health-check configurations, causing DNS resolution failures and impacting service availability.

Traffic routing issues occur when service-sla-tie-break is set to fib-best-match.

An error condition in vwl occurs when changing IPsec phase1-interface settings

Speed test failure occurs when using BGP over loopback design

ADVPN shortcut establishment issues occur when responder replies are delayed due to heavy load.

Link-monitor issues occur when a large number of ADVPN shortcuts are established.

Physical and logical topology is slow to load when there are a lot of managed FortiAP devices (over 50). This issue does not impact FortiAP management and operation.

In case of failure during a federated upgrade process, the system does not report granular failure details for individual devices.

FortiGate experiences a CPU usage issue in the Node.js daemon when there multiple administrator sessions running simultaneously.

In an HA configuration, when the primary FortiGate unit fails over to a downstream unit, the previous primary unit displays as being permanently disconnected.

In some cases, the Security Fabric topology cannot load properly and displays a Failed to load Topology Results error.

Error messages from netxd API calls are not displayed when running as a daemon because they are printed to stderr instead of the CLI.

Azure SDN Connector failure occurs when service tags API returns empty results with Resource Group scope permissions.

Scheduled triggers do not include eventtime in log entries, causing automation scripts using %%log.eventtime%% to fail and generate filenames with missing or incorrect timestamps.

Failed to trigger Security Rating Summary event automation stitch due to issue with log field ID.

The replacemsg-group in automation-action gets unset when system reboots.

FortiGate Azure connector fails to retrieve AKS information on AKS 1.29.5.

Externally maintained threat feed contains both resource FQDNs and IP address ranges/subnets. Entry such as <addr>/0x1 then matches half of all possible IPv4 address and causes network disruption.

Fabric topology with two devices on different VDOMs but behind the same router shows wrong VDOM data on tooltip.

WiFi & Switch Controller > FortiLink Interface: When a FortiLink interface is down and the Lockdown ISL toggle is set to 'disable' on the GUI, the setting is not retained.

In an HA environment with FortiSwitches connected, the lockdown ISL setting on FortiLink gets enabled during HA failover.

Device fails to get IP address when moved between NAC ports on the same switch.

Sync errors occur when incomplete transaction flags related to dhcp-snooping-static-client replay past configuration changes during sync attempts.

VLAN configurations intermittently fail to assign on FSW ports when devices matching DPP policy come online, which is caused by a race condition during FSW initialization.

DPP mac classification issue occurs when DPP policy with vlan-policy and 802.1x is configured together.

Only the last SNMP community configuration is pushed from FGT to FSW during bulk processing.

drop-overlapped-fragment {enable | disable} does not work on NP7 platforms.

Connection issue between SOC4 platform and third-party switches, for example Hirschmann GRS 105 or Cisco switch, since SOC4 doesn't support certain carrier extension signals.

Invalid YAML files are generated when exporting configurations containing multi-value attributes or long strings with newline characters.

Traffic interrupt when traffic shaping is enabled on 9xG and 12xG

GUI interface bandwidth shows Tetrabyte spike for Gigabyte interface.

Affected platforms: FGT-220xE and FGT-330xE

Password change occurs when admin's password is unset after burn image

NPD skips config parsing when policy-offload-level set to disable.

Traffic using VXLAN VTEP with a loopback over an IPsec VPN is dropped when VXLAN and IPsec are configured in different VDOMs due to incorrect tunnel creation success indicators.

After shutting down a SOC4 FortiGate (FGT-40F/FGT-61F/FGT-81F/FGT-100F) using the "execute shutdown" command, the system automatically boots up again.

VLAN switch is not working on 120G/121G.

After updating to the latest unsigned version of an object, update daemon will not download a new signed version of that object if the versions are the same.

If the DHCP offer contains padding when DHCP relay is used, the DHCP relay deletes the padding before relaying the packet.

Member interfaces of VWP appear in packet capture creation dialog despite being ineligible.

When the top application bandwidth feature is disabled, the GUI process still performs the initial check for application bandwidth, which may cause FortiCron to experience high CPU usage.

Hardware egress shaping doesn't work on SOC5 when NPU offload is enabled.

Traffic is intermittently interrupted on virtual-vlan-switch on Soc5 based platforms when a multicast or broadcast packet is received.

When FortiManager adds FortiGate via serial number and is behind NAT, FortiGate cannot initiate requests to FortiManager, causing the GUI to fail in retrieving the certificate CN/SAN and resulting in an error.

HA1/HA2 ports remain down after setting status to up. Rebooting fixes the issue.

FortiGate unresponsive when default-qos-type is set to shaping.

VXLAN interface cannot be created if its underlying interface is DHCP.

NP drops traffic when VXLAN is a member of software switch in implicit mode.

Unexpected traffic increase over the FortiGate 6000 base backplane.

The time change in FOS is restored after reboot. The RTC node is not created correctly so the time change can't be kept in RTC.

The inability to view or click the "+" sign occurs when a user is assigned an admin profile with only read access, restricting actions that require write privileges.

Access profile entries exceed global limit when built-in profiles consume table size slots.

VLAN statistics on LAGs are not displayed correctly when asic-offload is enabled due to incorrect OID usage.

Hardware limitation on the NP7 platform causes the following QTM related issues:

• Incorrect checksum for fragments after QTM.

• Packets longer than 6000 bytes cause QTM unresponsiveness.

• Refresh issue causes QTM unresponsiveness.

• MTU is not honored after QTM, so packets are not fragmented.

State of peer ports of FGT ports(negotiated speed, 1G) is down after upgrade on specific FGT

When FortiGate is managed by FortiManager, which has a slow connection or is unreachable, memory consumption of node process keeps increasing.

EXPIRE dates cannot be displayed properly when displaying the output of get sys fortiguard-service status.

DNS cache flushing occurs too frequently due to unnecessary interface-reload events triggered by DHCP6 packets and SLAAC updates.

NP7 drops encrypted GRE packets that have checksum bit set (1) due to invalid checksum.

Administrators can execute the command diagnose sys ha reset-uptime when the permissions of Admin Profile is set to Read.

FortiGate encounters a CPU usage issue for cmdbsvr process

Cannot push config sfp-dsl enable and vectoring under interface.

GTP tunnels are deleted even if there are still associated requests.

The problem occurred when multiple Create Session Request from different source IPs create the same GTP tunnel, and the first Create Session Response with an authentication failed cause leads to the deletion of the half-open tunnel and all associated requests.

Duplicated RADIUS packets are captured by the sniffer when performing firewall authentication with a RADIUS server.

FG901G gen1/2 boxes "diag hardw test asic" got FAILED

Kernel panic occurs when pushing 'Device Setting' from FortiManager to NP7 platforms with Broadcom switch, causing the device to become unresponsive and requiring a reboot.

The FortiGate-120G SFP ports fail to establish connectivity when configured with set speed 1000full due to improper auto-negotiation handling.

SNMP fgDiskCount.0 OID not returning disk count value

System global configuration lost due to port collision.

The switch MTU doesn't set correctly on 100m speed.

When visiting the GUI login page, FortiGate prompts user for certificate when no PKI admin is set.

FortiGate did not update password-expire time on the start or end of daylight savings time.

Fortiguard sends IP addresses to proxy instead of FQDNs

Unexpected behavior observed in the newcli daemon due to inconsistencies in node registration between cmdbsvr and other daemons.

Packets not forwarded due to improper handling of specific flags in the bridging code, which incorrectly treats them as local instead of resolving their destination MAC address and forwarding.

Virtual switch interface drops LLDP packets.

FortiGate 3601E 25Gauto link not coming up using DAC cables.

FortiGate encounters a memory usage issue if too many ports have LLDP reception enabled.

Add SNMP new OIDs fgAdminLoggedInTable for get sys admin list.

VXLAN interface should be brought down when underlay interface is down.

URLfilter fails to track DNS TTLs and update the IPs of FQDN addresses after they have been changed.

No SNMP trap at power failure for DC PSU.

High traffic load on a particular interface causes packet loss on other interfaces of the FortiGate.

Typo in log-controller-update request.

Unexpected behavior occurs in FEXT201E when cfg-revert is triggered

Incorrect traffic class (TC) settings and shaper class ID handling cause improper Quality of Service (QoS) application and session offloading failures for VLANs configured over Link Aggregation Groups (LAG) and hardware switches on FortiOS devices using SOC5 hardware.

When set append-index disable in system.snmp.sysinfo, querying per-VDOM BGPPeerTable might get incorrect results because of no updates.

FortiGate encounters parsing errors and potential system halts when configuration strings contain un-escaped single quotation marks, especially in password fields.

FortiGate encounters a memory usage issue due to usage by HTTSD

Expired user passwords are stored as plaintext in configuration files when password history is enabled.

The SNMP query for fgSwPortSwitchSerialNum gives switch name as the output instead of SN.

Update built-in CRDB bundle to version 1.56.

Packets are dropped during VLAN over VXLAN traffic due to incorrect handling of VLAN tags and session keys.

In new version of RDP client, FortiGate drops some RDP sessions due to IPv6 extended headers.

Inbandwidth settings are not enforced for traffic with multiple class IDs in a FortiOS shaping profile, resulting in reduced available bandwidth beyond 12 classes.

Packet dropped with 'DCE_IVS_IGR_DIR_DROP' over hardware switch.

SNMP query failure occurs when rpc aggregation is enabled for slave blades on FortiGate 6000F.

Policing improvement for QTM by limiting buffer size or switching to TPE (shaping-profile mode of config).

Upgrading the firmware for a large number (100+) of FortiSwitch or FortiAP devices at the same time may cause performance issues with the GUI and some devices may not upgrade.

Fabric upgrade from 7.2.9 to 7.4.5 failed.

SLBC FortiGate 5001E primary blade failed to install image, even though graceful-upgrade was disabled.

In 7.6.1 and 7.6.2, if a local-in policy, local-in-policy6, DoS policy, interface policy, multicast policy, TTL policy, or central SNAT map is used in an interface in version 7.4.5, 7.6.0, or any previous GA version that was part of the SD-WAN zone, these policies will be deleted or show empty values after upgrading to version 7.6.1 or 7.6.2.

See Policies that use an interface show missing or empty values after an upgrade for more information.

Upgrade from 7.4.6 GA to 7.6.1 GA results in an incomplete WAD device memory list table and triggers WAD error.

The image file transfer between FortiManager and FortiGate may not work as expected when transferred by the FGFM tunnel.

Egress-shaping-profile setting lost on interface after upgrade.

When upgrading FortiGate from earlier than 7.4.1 to 7.4.1 or later, system.replacemsg.webproxy configuration is lost.

FortiGuard updates are automatically enabled during upgrades from versions where they were previously disabled, bypassing user acknowledgment.

Memory usage by fsso_ldap daemon increases continuously when the LDAP server responds with "LDAP_UNWILLING_TO_PERFORM" due to an unhandled memory allocation issue.

Use new keys for certificate renewal through EST server.

Wildcard admin remote authorization password change in system GUI does not work.

Low-end FortiGate models with 2GB memory can enter conserve mode when processing large amounts (over 5000 user records) of stored user store data, when each record has a large amount of IoT vulnerability data. For example, the Users and Devices page or FortiNAC request can trigger the following API call that causes httpsd process to spike in CPU and memory:

GET request /api/v2/monitor/user/device/query

Password encryption changes occur when editing config vpn certificate local without actual certificate changes.

Errors may occur in the FNBAMD due to the presence of two wildcard-enabled remote administrators in separate VDOMs.

No SNMP trap available to detect FSSO external connected status change.

When importing local certificate, GUI displays an error, even when certificate is correctly imported.

In SAML config, after enabling "AD FS claim" (Active Directory Federated Services and rebooting, the "Attribute used to identify users" and "Attribute used to identify groups" fields are blank.

FortiGate admin user authentication with token+RADIUS fails when wildcard user is configured.

FGT uses global DNS when attempting to provision a certificate through SCEP or EST.

An error condition in fnbamd occurs during stress testing with certificate parsing.

Guest users are not removed after their configured expiry time on certain FortiGate models.

Unable to view local certificate in GUI or CLI after certificate import.

Source-ip setting issue occurs when configuring scep enroll settings per VDOM in non-management VDOM.

Firewall user widget: Tooltip for FSSO users on the 'user group' column displays overlapping text.

This is cosmetic and does not affect functionality.

Azure fails to honor seamless live migration.

In most cases, the public IP to private IP NAT fails to forward traffic from/to SD-WAN.

When unicast HA setup has a large number of interfaces, FGT Hyper-V takes a long time to boot up.

The virtual-wire pair fails to create during FortiOS initialization on cloud platforms when the underlying interface uses DHCP and hasn't acquired an IP address yet, preventing VXLAN configuration from completing successfully.

HA failover actions are triggered even when the Azure SDN connector is in a "disabled" state, causing increased downtime during failover.

Configuring VRF on hbdev causes FGT VM HA not to sync.

samld stops working when certificate set to Fortinet_Factory in user SAML.

The FortiGate device uses a single CPU core for GRE decapsulation tasks when running on AWS with ena NIC drivers because L4 hash functionality is not enabled, preventing RPS from distributing traffic efficiently.

Dynamic addresses are removed/added every few seconds when the OCI SDN connector fetches only the first page of API results.

Azd daemon on Azure NVA keeps consuming memory until FortiGate enters conserve mode.

FGT-VM64-AZURE cannot establish connection with other FGTs in the Security Fabric tree.

Azure SDN connector does not properly catch AKS cluster state.

Due to continuous disk logging, slab memory for dentry continuously increases in FortiGate VM.

Configuration fails to fully apply during bootstrap when the reboot function does not trigger an immediate reboot, causing cloudinit to re-run with insufficient tablespace.

License validation issues occur when connecting to FDS via a web proxy.

SMB traffic fails when the file server uses AES-256-GCM/CCM encryption with FortiOS.

Security Profiles > Webfilter: When a new webfilter is created and the action on the FortiGuard category-based filter is set to 'allow' and saved, the action is saved as 'monitor' on commit.

Output of diagnose webfilter fortiguard cache dump command shows the message "Cache is not enabled".

FG-120G webfilter.profile tablesize is incorrect.

Add an option to control webfilter.urlfilter simple-type entries match subdomains.

The value for x-forwarded-for is not properly displayed in the log on AWS environment.

Email addresses collected through captive portal fail to display under WiFi clients when using guest SSID configurations.

The FortiGate Hostapd does not support IPv6 address of RADIUS server.

Unexpected behavior observed in the CAPWAP daemon when managing multiple APs and clients through dynamic VAP changes.

On FortiGate's in an HA pair, the npd process do not work as expected when trying to manually update the threat feed.

Client traffic is blocked after a failure when connecting through SSID using radius-mac-auth and radius-mac-auth-usergroup because the secondary FortiGate in HA does not receive necessary client details during failover.

Erroneous memory allocation observed in the CAPWAP function on NP6 and NP6XLite platforms due to a rare error case.

High memory usage may occur due to offline station entries not being automatically cleaned up over time.

In an HA environment with FortiAPs managed by primary FortiGate, the secondary FortiGate GUI Managed FortiAP page may show the FortiAP status as offline if the FortiAP traffic is not routed through the secondary FortiGate.

This is only a GUI issue and does not impact FortiAP operation.

An error condition in CAPWAP occurred due to a rare case.

FAPs remain offline post-upgrade when using image stored on FortiGate.

VLAN pooling assigns incorrect VLAN IDs when FortiOS is upgraded, causing clients on AP groups to receive IPs from the optional VLAN instead of the pool.

The "AP image receive success" log (id 43618) does not generate when upgrading FAP from FMG.

Enable 5GHz channels 52-64, 108, 116-128 for FAP-231G-P, 431G-P Uzbekistan. (Uzbekistan has no DFS certification process.)

COA disconnect is not functional for MPSK profiles when using external FortiGuest.

FortiAP go offline when the cw_acd process becomes stuck at 99% CPU usage. This issue is caused by the FortiAP sending corrupt data in certain scenarios, leading to the process hanging.

When the configuration contains a large number of vlan-pool entries, deleting or adding a few entries can cause the cw_acd crash.

FortiAPs periodically lose connectivity with FortiGate (acting as WLC) due to an error case.

WSSO firewall authentication sessions fail to establish when FortiGate processes multiple group attributes with the initial group missing.

Packets are incorrectly routed when FAP management interface uses clear-text dtls-policy in a software switch with explicit intra-switch-policy.

Support legal firewall policy when SD-WAN/zone member interface manages FAP with dtls-policy set to ipsec-vpn.

Management connection fails for FAP-231F when using PPPoE interface on FGT-120G.

WiFi & Switch controller > Managed FortiAPs: When a channel override on a 5GHz channel is enabled is edited on a managed AP, the channel selection is unset.

The FAP remains offline after the FortiGate reboots or wireless-controller restart-acd due to the controller sending an empty country string to the access point.

FortiClient gets a blank page when doing SAML authentication due to the use of a stale user node.

Should be unable to select geography object in ZTNA proxy-policy.

Unable to configure more than eight mapped ports for access proxy realservers when the limit is 16.

ZTNA policy matching failed due to an accidental deletion of firewall.policy with ZTNA tags when the firewall.policy is updated.

Authentication loops occur during ZTNA connections requiring SAML when FortiClient uses multiple sessions with inconsistent cookies.

FortiOS 7.6.3 is no longer vulnerable to the following CVE Reference:

• CVE-2025-24471

FortiOS 7.6.3 is no longer vulnerable to the following CVE Reference:

• CVE-2025-25248

FortiOS 7.6.3 is no longer vulnerable to the following CVE Reference:

• CVE-2025-22254