FortiOS Release Notes

Resolved issues

The following issues have been fixed in version 7.6.4. To inquire about a particular bug, please contact Customer Service & Support.

Agentless VPN (formerly SSL VPN web mode)

See also SSL VPN tunnel mode replaced with IPsec VPN.

Bug ID

Description

978939

Performance issues occur when CMDB configuration is large.

1115577

Add customization support for the SSL-VPN header replacement message.

1124222

Intermittent connection disruption occurs when using SSL VPN web mode to SSH to Cisco routers with authentication banners.

1134189

Connection refused occurs when using custom landing page in agentless VPN portal on FortiGate.

1143541

An error condition occurs in sslvpn after receiving FortiClient UUID with an empty value.

Anti Spam

Bug ID

Description

1098623

A closing character ">" of HTML tag is missing in replacement message of antispam URL spam submission text when FortiGate processes spam emails.

Anti Virus

Bug ID

Description

1080003

FGT memory gradually increases when FGT Flow AV Profile is inspecting TCP 6200 traffic with outbreak prevention enabled.

Application Control

Bug ID

Description

1118703

Web traffic designated as blocked is allowed due to the config entry priority in the application control profile.

1136103

App categories fail to display in NGFW mode due to undefined object causing JavaScript TypeError during app category data access.

1144469

No security events logged for custom Application Control profiles in Monitor mode when applied to policies configured to log all sessions.

DNS Filter

Bug ID

Description

1134108

The IPS engine memory usage increases rapidly when a flow-based policy uses an external Threat Feed with over 1M domain entries, causing device unresponsiveness.

1144986

DNS service disruption occurs when FortiGate is deployed as a DNS proxy with DNS filtering enabled and an unreachable SDNS server is preferred.

1150842

Dynamic DNS updates are not forwarded to the DNS server according to transparent-dns-database when using a conditional DNS forwarder for the non-authoritative zone.

1159583

DNS Filter Rating Servers license not reflected in CLI for 71F when using Single FortiGuard HA license in HA cluster with logical-sn setting.

Endpoint Control

Bug ID

Description

1086668

FortiGate does not connect to EMS cloud when EMS cloud license is expired on the global FortiCare account, even when the access keys are valid in other VDOMs.

1113593

EMS connector is getting disconnected when using a third-party certificate for verification, resulting in loss of tags and denied traffic.

1142301

ZTNA tag in "View matched endpoint" on GUI might not match backend data.

Explicit Proxy

Bug ID

Description

1034891

Web application using SAML IDP authentication in POST method via SWG on FortiGate gets a 303 response and the payload in the post request gets discarded.

1066091

Traffic issue occurs when FortiGate authenticates machine account in the format of HOSTNAME$ using NTLM.

1096263

Intermittent 504 errors occur when an IPv6 HTTP request followed by an IPv4 request in the same pipeline goes through explicit proxy with outgoing-ip.

1116834

Authentication pop-up does not appear when accessing HTTPS websites through FortiGate with Explicit Proxy when authentication rules, webproxy-forward-server, and certificate-inspection are configured in proxy-policy.

1136596

Incorrect status display occurs when editing proxy policies for hard/software switches on some FortiGate models.

1139784

Machine account is treated as NULL user in Kerberos and fails to authenticate via Kerberos.

1144818

Download failure occurs when accessing https://7-zip.de for domain objects.githubusercontent.com.

1149811

An error condition in WAD occurs when auth rules are changed during policy matching in explicit proxy policies

1157551

Memory usage issue caused by improper internal state handling when using WebProxy.

1163040

An error condition in WAD is triggered by an edge case which causes the process to enter an error-handling path

1166344

WAD session freeze when using explicit proxy with HTTP2 enabled in VDOM UKT-Proxy.

1177548

A 400 Bad Request error occurs when accessing CP addresses during SAML authentication in session mode.

1178564

Intermittent policy-denied issue occurs when explicit proxy policy is configured with SD-WAN zones in outgoing interface.

Firewall

Bug ID

Description

1004263

Session counters are not being updated when ASIC offload is enabled on firewall policy. FortiGate GUI is displaying incorrect information in the "Bytes" and "Last Used" columns.

1057080

On the Firewall Policy page, search results do not display in an expanded format.

1108236

Incorrect logs are displayed when viewing matching logs for an implicit deny policy due to an invalid filter operator.

1114635

In the GUI, cannot filter Address objects correctly when using CIDR notation.

1131860

A two to three minute delay occurs when enforcing policy changes to existing or new traffic due to linear duplicate address checks during iprope updates.

1136543

Traffic block occurs when creating 802.1ad type VLAN based on redundant interface

1138259

Traffic carrying VLAN info encounters forwarding mismatch after deleting a VLAN interface built upon an NPU VDOM link

1140803

With interface policy configured with IPS enabled, UDP port 4500 traffic is not offloaded due to incorrect session flag f02 after ICMP unreachable packet is received.

1141922

Internet service custom limit increase occurs when per VDOM limit is set to 512

1142813

Filtering by comments fails when quick-editing firewall policies in the Firewall Policy page.

1144475

Intermittent DCE/RPC session blocks occur when two session-sync-dev are connected to the same switch without VLAN separation.

1145106

Multicast traffic drops occur when sending large packets to remote tunnels over the x5 interface on FortiGate 400F.

1145129

Port-preserve option changes to disable when disabling NAT in policy.

1148161

Erroneous MAC address is used on SOC4 platforms when traffic offloads EMAC-VLAN to VLAN traffic to NPU

1148166

Source port translation was not permitted with traffic to UDP port 7001.

1154620

Traffic is blocked by DoS policy when npu offload is disabled under IPsec phase1-interface and DoS policy is configured with parent interface.

1155687

DNAT is incorrect in later FTP data packets and the FTP data session gets reset when the FTP server responds with a public IP in PASV mode.

1156810

Traffic is logged as accepted in Forward Traffic Log when FortiGate is configured as a DNS server and implicit deny policy is enabled.

1157283

High priority traffic drops when bursty traffic is present on low priority queues.

1158137

Traffic is blocked when UTM and Nturbo are enabled in firewall policy for np7lite platforms.

1158391

Inconsistent address group configuration occurs when using CLI's 'append' command with 'all' value.

1159576

Traffic shaping fails when type is set to queuing in the shaping-profile.

1160083

Expected session using its parent session's policy ID in the session list is confusing and makes policy match look wrong.

1162875

IPv6 traffic is blocked without sending RST packets when send-deny-packet is enabled for 4.19 kernel.

1163826

When non-TCP/UDP traffic passes through the Hyperscale VDOM, the selected SNAT IPPool can be wrong in NAT Source function call.

1169439

GTP tunnel deletion occurs when mobility handover happens with same PDN connections information.

1171392

No response occurs when FortiGate receives a packet with low TTL and a deny-all policy is set.

1178125

Packet loss occurs when a traffic shaping rule is enabled with no limits on per-ip-shaper and the pre-defined max limit overflows.

1178157

IPv6 packets are dropped when block-land-attack is disabled and source and destination addresses are the same.

1179233

Geo IPs are only installed into the kernel if the country is used, which makes the option geoip-anycast in firewall policy not work very well

FortiGate 6000 and 7000 platforms

Bug ID

Description

1014826

SLBC does not function as expected with IPsec over TCP enabled.

1060864

Ports fail to establish or exhibit CRC/input errors when 100G QSFP28 LR transceivers are used with FIM-7920E and Cisco ASR in specific setups.

1083246

Intermittent traffic disruption occurs when using Fortinet_Factory on FortiGate-200G.

1103810

100G SFPs are experiencing compatibility issues with the 7060E at Turkcell.

1104967

Intermittent interface disruption occurs after power cycle.

1108405

VLAN interface accounting issue occurs when vlif reaches its maximum.

1113805

Firewall policy statistics reset after reboot on FGT-6k devices caused by improper persistence of aggregated data.

1117663

Unexpected behavior in the bcm.user process after a factory reset can sometimes prevent the FPMs from booting up.

1131541

SSL VPN load balance settings remain active in FortiOS configurations where SSL VPN tunnel mode has been removed.

1135891

The PSU status incorrectly shows as "Critically High" on the GUI dashboard widget.

1136261

Traffic blockage occurs when creating VLAN over redundant interface on SOC5 platform.

1146580

Traffic stats aggregation issue occurs when using M ports in FGSP setup.

1147340

Duplicated interface entries occur in FortiGate HA configuration merges when the same interface is processed across multiple cycles without successful resolution, causing persistent sync failures and redundant log entries.

1149342

BGP flapping occurs when concurrent IP address management causes unexpected source IP usage on outbound connections during FortiGate VDOM migrations.

1153360

Counter values fail to match totals and may overflow during continuous clearing in certain FortiGate models.

1154348

CLI allows assigning VLAN interface of M port LAG interface to data VDOMs when configuring VLAN interface on top of M port LAG

1159714

Unexpected behavior observed on certain FortiGate models when configuration changes follow enabling "cfg-save revert" due to unresolved netdevice references in the np7 driver.

1161584

An error condition occurs in the APACER NVME controller during hardware testing on FortiGate-201G.

1170088

RADIUS authentication fails when connecting to Secondary Chassis Slot 2 to 4.

1170524

SSH login attempts via special ports fail for VDOM admin users with access to 'mgmt-vdom' on SLBC FortiController models.

1171521

In some cases, after a FortiGate 7000F chassis restart, an FPM may hang while logging in, resulting in the FPM being out of synch with the chassis. This happens because confsynchbd becomes stuck after receiving a management heartbeat from the primary FIM.

The issue can occur any time the chassis restarts, including after a firmware upgrade.

1172378

Blades go to dead status when upgrading due to a cross FIM issue.

1172922

SDN dynamic address synchronization flaps or fails when SDN connectors are frequently enabled and disabled.

1173230

Traffic loss occurs when FIM on standby unit is rebooted in HA A-P setup on 7KE model.

1174680

CPU usage issues observed during IPsec tunnel formation over PPPoE interfaces.

1178954

ICMP packet offload failure occurs when passing through VPN over aggregate interface.

1183735

Graceful upgrades lead to unintended primary claiming by FortiGate units during HA resynchronization.

FortiView

Bug ID

Description

1133164

Subnet filtering fails for firewall users due to partial API support.

1138980

A read-only profile admin user tries to change the FortiView source time range, and it is logged as an edit by system admin in system events.

1139219

The Quarantine widget experiences delays when loading the complete IP list.

1141357

Session counts beyond a certain limit are not displayed on FortiView, device icons are missing from FortiView pages, and quarantine actions do not reflect in the Log Viewer.

GUI

Bug ID

Description

264694

When a firewall user logs in via the GUI using RADIUS with FortiToken, no accounting request is generated.

853352

When viewing entries in slide-out window of the Policy & Objects > Internet Service Database page, users cannot scroll down to the end if there are over 100K entries.

919473

Network > Interfaces: When there is an IPsec tunnel bound to an interface, Interface Integrate for that interface fails.

1051993

Incorrect 'Cancel Fabric Upgrade' button display occurs when full fabric upgrade failed or complete.

1053139

Login failure messages appear in the GUI when administrators log in within an air-gap environment.

1110950

An error condition in httpsd occurs when using JSON array sort compare.

1119321

Authentication enhancements and optimizations using HTTP Admin Auth Daemon

1126162

Hostname pop-up window shows "failed to retrieve info" error in System > HA page.

1126975

Timezone offsets are displayed in UTC when a timezone is set.

1129254

Unexpected behavior occurs when attempting to save L2TP dialup tunnel configurations using SD-WAN members on some FortiGate models.

1130636

The FortiConverter window reappears after closing even when Don't show again is selected.

1131500

Some bandwidth interface widgets do not show historical information.

1137821

Failed to open CLI console from downstream FGT GUI with error "Connection lost." with SAML SSO admin login.

1138359

Can't open CLI console when logging in with SSO account.

1139922

Cannot rename authorized FortiSwitch.

1140317

FAP/FSW registration status appears vacant on Firmware & Registration page.

1143611

User/groups objects disappear after editing firewall policy.

1145475

Multicast traffic is dropped when adding or removing the interface bandwidth widget on the dashboard.

1146621

When editing an SSL VPN policy in the GUI after creating the policy in the CLI, user/group is not requested.

1146967

A "Failed to update" prompt occurs when moving an interface using the Interface Integrate feature.

1148930

Exported FSW ports to tenant VDOM are not displayed on the GUI when the tenant VDOM has a FortiLink, causing virtual switches to be filtered out due to the lack of a fsw-wan1-peer attribute.

1148959

An error condition in httpsd occurs when fetching data from cmdbsvr fails.

1150591

Node.js encounters an error when attempting to read the property from a null value, causing unintended behavior on some FortiGate models.

1151118

Default Super Admin creation notification is not triggered when logging in through the GUI with accprofile-override enabled

1151414

Unable to connect to FortiSwitch CLI via Diagnostics and Tools.

1152464

The DHCP reservation widget incorrectly validates based on the subnet instead of individual IP addresses.

1152580

FEXT dataplan display issues occur in FortiGate GUI when controlled by FEXT-101G

1152737

When device-identification is enabled, an incorrect IP address is observed when a device gets updated with no IP address

1152849

Connection loss occurs when accessing FortiGate Cloud remote access.

1153294

Custom HTML content does not render correctly on login pages when configured through the FortiGate web interface or CLI.

1154487

GUI page times out when never timeout option is enabled for the admin profile.

1156109

Console prints error when logging in to the GUI with dns ssl-certificate set to Fortinet_Factory.

1162818

Proxy policy GUI page keeps loading when using user.certificate in ZTNA proxy-policy.

1163464

Read permission is applied when logging in with a read-write accprofile if FortiGate is managed by FortiManager.

1165306

FortiSwitches are not shown in alphabetical order in the GUI when viewing FortiSwitch Ports.

1165693

An error condition occurs in the GUI sniffer when using advanced syntax.

1166936

A "Failed to load value" error occurs when viewing PoE devices on the FortiOS GUI.

1169584

An error condition in Apache occurs when the ACME renewal thread interacts with the main thread.

1170203

GUI access issues occur when upgrading from B3561.

1172647

Filtering services become unavailable when Anycast is enabled.

1175241

After performing a search in the policy list, sections cannot be collapsed, causing delays in operations.

1178020

Administrative-access option FMG-Access is not available on the GUI when FIPS-CC mode is enabled.

1179698

GUI error when editing the IPsec tunnel when the VPN name contains "/"

HA

Bug ID

Description

794395

The secondary unit in an HA cluster would display messages indicating that external resources were not in sync, despite the resources being correctly synchronized.

984306

Session synchronization fails when encryption is enabled in FGSP with IPsec VPN setup.

1017177

A WAD processing issue causes the SNMP to not respond in a HA cluster.

1080655

HA synchronization fails after configuration changes on FortiGate devices due to improper handling of a hasync flag in the fgfmd daemon.

1115004

An error condition in the daemon occurs when upgrading an HA cluster with standalone-mgmt-vdom enabled.

1126274

VDOM is created unexpectedly when changing VRRP priorities on multiple interfaces if standalone-config-sync is enabled.

1133589

HA cluster fails to form when FIPS-CC is enabled.

1135008

When the link monitor fails, the initial HA cluster failover does not happen immediately; it waits until pingserver-flip-timeout expires.

1136097

HA state may become out of sync due to a race condition caused by missing local-in ipropes.

1141528

High CPU usage occurs when FortiGate secondary unit is started in Azure vWAN SD-WAN NGFW with Dynamic rerouting.

1142161

Federated upgrade failure occurs when upgrading in an HA cluster

1143361

Downtime occurs when upgrading HA cluster with HA encryption or authentication enabled due to HA communication being sent through IKE tunnel when tunnel is not ready

1143791

The heartbeat interface default route is lost and HA fails to sync when changing the interface mtu-override option.

1148845

LDAP authentication fails when ha-direct is enabled due to confusing logic between which interface takes priority when interface-selection is also used

1151668

Interface bandwidth widget doesn't display HB and Managed port.

1154466

Traffic forwarding issues occur when FGSP failover happens.

1160292

FFDB version sync issue occurs when updating on-demand ffdb in HA environment.

1162432

Split brain occurs when renaming IPsec phase1-interface in a HA cluster with a lot of VDOMs.

1165798

An error condition in FortiMQ occurs when HA AA is configured and malware-stream scan is enabled on primary FortiGate.

1168328

Mgmt interface is lost when joining a device to a cluster with system dedicated-mgmt enabled.

1170763

Device synchronization issues occur when removing a device from FortiManager

1171987

HA not synced after modifying onetime schedule when cfg-save is manual.

1172590

An error condition occurs in FortiGate when running the diag sys ha nonhaconf command on the secondary node in an HA cluster.

1178208

VLAN HB link monitor stops working when HA Group-ID is set above 255.

1179351

FortiGate failed to load the private keys for factory certificates to fgfmd due to incorrect classification

1179821

Intermittent connectivity loss occurs to HA secondary management IP after upgrade to v7.4.8.

1180636

Session filter issues occur when adding custom service filters with different port ranges under cluster-peer session sync.

Hyperscale

Bug ID

Description

1089281

On FG-480xF/FFW-480xF, using an npu-group other than "0" with log2host at around 1M CPS could result in the NP chip getting stuck.

1141632

After HA failover, syslog packets are not sent out from the new HA master when using NAT46/NAT64 policies.

1143144

Both HW log(ps) rate and log(pm) rate show in dia sys npu-session stat when set log-mode per-nat-mapping is enabled.

1150073

For previous versions of hyperscale FortiOS, FGCP HA clustering with hardware session synchronization with config vcluster-status disabled allowed you to monitor hw-session-sync-dev interfaces. FortiOS 7.6.3 changed this behavior, and you can no longer monitor hw-session-sync-dev interfaces.

When upgrading to FortiOS 7.6.3 if your HA configuration includes monitoring hw-session-sync-dev interfaces, the upgrade will fail.

1150863

Unintended session deletion may occur after FGSP failover due to a dirty Rsession.

1155548

With host logging (log2host) enabled, session counts may begin to rise after a few days of operation. This rise in session count can reduce throughput and CPS performance.

1159964

Incorrect duration of hardware sessions occurs when the system is up for a long time.

Intrusion Prevention

Bug ID

Description

1110788

Memory usage issues caused by configuration changes or rule loading.

1117043

Fatal errors occur when the IPS engine sends requests with zero-length data segments to IPSA.

This issue only affects physical FortiGate models with the following IPS engine versions:

  • IPS Engine version: 7.550 - 7.567

  • IPS Engine version: 7.1019 - 7.1039

To determine the IPS Engine versions, use the command:

get sys fortiguard-service status | grep 'IPS/FlowAV Engine'

1122188

Internal diagnostic commands fail or delay when ipsmonitor processes each request sequentially due to sequential forwarding to IPS daemon processes.

1149760

Inline-IPS fails to match sensor locations for the "Web.Server.Password.File.Access" signature because it incorrectly reverses traffic direction definitions.

1158024

Packet drops and lower CPU utilization on FPC blades when using IPv6 traffic with np-accel-mode enabled and auto-asic-offload.

1158524

Unexpected behavior observed in the IPSEngine when a DNS packet matches a policy with DNSFilter and Safe Search enabled.

IPsec VPN

Bug ID

Description

842821

Accounting information is not sent to RADIUS when EAP and 2FA authentication are enabled.

979591

Changes to IPsec phase1 fragmentation settings do not take effect immediately when made on dynamic configurations.

995912

VPN tunnels exhibit instability following an upgrade, with processes stuck during NP7 debugging due to improper prioritization of certain packets.

1045098

IPv6 traffic is blocked on a newly configured IPsec VPN over a loopback interface; a reboot is needed to fix it.

1063528

Incorrect MTU settings prevent fragmented packets from being properly offloaded in IPsec tunnels, causing high CPU usage on FortiGate models.

1063737

High CPU usage occurs when using IPsec tunnel with fragmented packets and UDP frame size of 1600B.

1068626

SOC4 platform IPSec traffic may stop in specific corner cases due to the IPSec outbound process becoming unresponsive.

1101897

Abnormal spikes in VPN traffic sent bytes occur when counters roll back due to race conditions.

1116128

Traffic disruption occurs when IPSec engine is offloaded.

1128662

BGP peering fails to establish when a race condition occurs between FortiGate OS and NPU driver during IPsec SA updates for dynamic hub-to-static spoke VPNs.

1133207

Tunnel establishment fails for multiple FortiGate clients when using DHCP-over-IPSec dial-up VPNs during high concurrent connection attempts.

1135490

Static route towards remote side of IPsec tunnel becomes inactive when tunnel IP address is configured.

1140823

IPsec tunnels become stuck on spoke np6xlite, causing ESP packet drops after extended operation due to improper vifid formation during multiple rekey operations.

1141865

Decrypt counters do not update when SA is offloaded.

1145219

IPsec tunnels drop unexpectedly during rekeying when using certificate authentication with multiple dialup gateways and peer-initiated SA_INIT requests.

1145391

IPsec VPN tunnel fails to establish when QKD is required due to failure to complete SSL handshake with the QKD server

1145411

Changing the ip-fragmentation setting on dynamic IPsec phase1 does not take effect immediately after modification due to an issue with the change handler function in certain FortiOS builds.

1147023

VPN traffic halts unexpectedly on the spoke when FEC is disabled during connection cleanup after failed phase 1 negotiations, affecting dynamic tunnel handling.

1149340

Fragmented packets are not sent out on vpn-id-ipip IPsec tunnel when npu-offloading is enabled.

1152486

Unable to select policy-based IPsec tunnel in the firewall policy for SD-WAN member while configuring in GUI.

1153363

Intermittent disruption occurs on ipv6 route lookup when configuring IPsec with FIPS-CC enabled.

1153984

Authentication error occurs when IPSEC-IKEv2 tunnel is configured with FortiToken Cloud.

1156722

DNS suffix search issues occur when using IKEv2 phase1 dialup gateways with mode-cfg enabled.

1157885

Shaping parameter is not shared during ADVPN spoke to spoke negotiation.

1162270

Secondary IPsec tunnel cannot come up after primary tunnel is down and config change when "set monitor" is configured under phase1.

1162563

An error condition in the system occurs when creating more than 75 VPN tunnels with Egress Traffic shaping enabled.

1162740

Multicast traffic above 1350 bytes does not flow through the IPsec aggregate tunnel when using pre-encapsulation.

1163234

IPsec negotiations fail when auth-keepalive is enabled with SAML authentication.

1165581

Certificate validation issues occur when mandatory-ca-verify is disabled in IPsec VPN configuration.

1167952

Packets with payload larger than 10K and smaller than 15K are dropped when using IPsec tunnel as egress interface with nTurbo enabled.

1168556

IPv6 routing entries remain after iked restarts.

1169860

L2TP connections fail when L2TPD experiences internal errors while attempting to create tunnels for clients.

1170094

An error condition in IKE occurs when using TCP transport.

1172040

Returning packets take a different path when TCP transport is used with multiple default routes in the routing table.

1173228

During modeconfig setup, an IPSec IKEv2 dialup tunnel may install a default route when no IP address can be allocated from the pool.

1179347

Intermittent IPSec tunnel disruption occurs when upgrading to FortiOS 7.4.8 with FIPS enabled in HA mode.

1181552

An error condition in IKE occurs when using TCP.

Log & Report

Bug ID

Description

611460

On FortiOS, the Log & Report > Forward Traffic page does not completely load the entire log when the log exceeds 200MB.

1005223

Unmatched custom service name appears in traffic log when source port range is defined in custom service.

1087235

Only the last 24 hours of the Forward Traffic log are downloaded when trying to download logs from the last 7 days.

1087534

Page loading issues occur when loading a high number of logs.

1100945

The "Resolve Unknown Applications" feature in the GUI Log Viewer is not functioning as intended.

1113588

FortiGate prompts error "Fetching data from Disk is taking longer than expected. Suggest trying a different log source or check the availability of Disk." when viewing logs for the last 7 days from disk or FortiAnalyzer.

1116108

Intra-zone Local logs are missing when intrazone allow is enabled.

1125032

Export option fails when 500+ logs are present

1127636

Unnecessary log generated when disabling an interface.

1128940

Security Rating summary log displays incorrect counts when triggering a security rating check.

1141436

FortiGate device enabled with FIPS-CC mode sends an incorrect build number (0523) to FortiGate Cloud.

1141733

Traffic interruptions occur when revisiting the forward traffic log page during searches with applied filters.

1142836

Broadcast traffic is no longer logged when local-in-deny-broadcast setting is disabled.

1146443

Inaccurate Netflow reports occur when ICMP long live sessions exceed the active timeout value.

1148101

Logs fail to appear in FortiAnalyzer, and FortiView sources are missing from the Dashboard.

1151300

Logs are not displayed in FortiGate CLI when using free-style filter with timestamp and FortiAnalyzer as data source.

1168738

Syslog packets are not sent when log server IP is not configured.

1184366

Incorrect logs are displayed when applying a destination filter in Log Viewer for remote log sources FAZ and FGT-cloud until a hard refresh is performed.

Proxy

Bug ID

Description

859182

WAD encounters an error condition when configuration changes affect certificate verification processes with Crypto KXP enabled.

1015721

An error condition occurs in WAD during stress testing.

1019504

An error condition occurs in WAD during high HTTP traffic.

1107594

Slow website loading occurs when using certificate inspection with proxy inspection-mode in HA active-active mode.

1118701

Connection issues for Kentik application using http2 gRPC occur with proxy and deep inspection.

1124557

An error condition occurs in WAD when wad-restart-mode is set to time and wad-restart-start-time / wad-restart-end-time are configured.

1125531

Timeout occurs when server certificate is expired.

1133100

Memory usage issues caused by WAD leaking SMB2 session objects when clients close connections with a Kerberos status of KRB_AP_ERR_MODIFIED.

1141948

Certificate inspection profiles differ across VDOMs when importing policy packages from FMG, caused by inconsistent default values for unsupported-ssl-version in certificate-inspection profiles between different FOS releases.

1144571

TLS handshake fails when Client Hello is split across two packets in proxy-mode, and the packet length is less than 256 bytes.

1146601

With proxy inline-ips, a memory leak occurs on the WAD daemon, leading to conserve mode.

1155170

Memory usage increases unexpectedly during high load when processing WAD-related tasks.

1155858

RD Gateway fails behind HTTPS Virtual Server when using WebSocket upgrade.

1159963

Expired server certificates are issued when Deep Inspection is enabled due to improper handling of certificate cache renewals.

1161940

An error condition in proxyd occurs when migrating from 500E to 901G.

1173291

Memory usage issues caused by missing certificate memory free operations during stress testing.

1177929

Memory usage issues occur in WAD when handling a large number of sessions.

REST API

Bug ID

Description

1159460

Current bandwidth value is not sent to FMG for shaping graph when using FortiOS API.

Routing

Bug ID

Description

1036123

BFD for BGP takes interface BFD config instead of multi-hop config when BFD is enabled on both OSPF and BGP.

1097855

IPv6 traffic may be sent to the wrong destination interface or route, causing connectivity issues.

1097939

Console prints out "/bin/cmdbsvr...node=system.health-check-fortiguard.name" error messages when restoring a config.

1142290

An error message appears in FortiGate when attempting to add the ssl.root interface to a route-map via the GUI.

1142955

High CPU usage occurs when link monitor daemon fetches session counts on every interface during REST API calls.

1147497

Slow performance and network issues when surfing to Internet from GRE tunnels.

1150878

The IPoE tunnel interface cannot be selected in the Interface Bandwidth widget.

1152976

Spokes using remote-as-filter with 4-byte ASN cannot establish BGP neighborship.

1156431

PIM error when receiving PIM Assert with SSM enabled during HA failover.

1164316

IPv6 route issues occur when set delegated-prefix-route enable.

1165424

The behaviour of the command diagnose ip router bgp <module> <enable | disable> is incorrect. Turning on debugging for one of the modules turns on debugging for all modules.

1166008

VRRP version 2 failure occurs when adv-interval is configured in milliseconds.

Workaround: Configure the adv-interval at 1025.

1171689

Incorrect route selection occurs during BGP redistribution with route maps due to improper handling of parent protocol distances.

SD-WAN

Bug ID

Description

1130683

Shortcut can't be triggered in certain cases due to the error "found duplicate in ike_check_update_addr_key".

1147720

Traffic is forwarded to an unexpected egress interface when duplicate SD-WAN rules exist in the proute list and the priority-zone in the SD-WAN service has only one SD-WAN member.

1147727

Encapsulated traffic of a GRE tunnel interface over a VNE tunnel egresses the wrong interface after reboot.

1153992

Event log gives the wrong reason (packet loss over the threshold) when SLA fails due to consecutive probe failures.

1155927

SD-WAN Service events are not logged in SD-WAN Events when using SD-WAN rules in standalone mode.

1159877

Hash-mode remains visible when SD-WAN service mode is changed to priority.

1027225

New shortcuts fail to trigger when existing shortcuts experience high packet loss in priority mode.

1142171

Health check status change behavior occurs when recovery time is set to 240 and interval is set to 500ms.

1153432

Downtime occurs when using OSPF with LAN during shortcut establishment and tunnel failover.

1164937

Incorrect outbandwidth calculation occurs when IPsec tunnel interfaces are used in SDWAN configuration.

1167276

All participants of SLA name become unavailable when the check interval is set to 15 seconds.

1181497

Incorrect data type occurs when using OID fgVWLHealthCheckLinkBandwidthBi.

1187007

GUI issues occur when accessing SDWAN rules and Performance SLA menus.

Security Fabric

Bug ID

Description

1085248

FortiGate encounters CPU and memory usage issue when loading 20 large external threat feeds (100K entries each).

1110643

Security Fabric issues occur when running FortiOS 7.4 or 7.6 with 200G.

1117104

Scheduled automation incorrectly triggers reschedule after reboot when using specific time zones and NTP configurations.

1118086

An error condition occurs when enabling CSF root on 50G series devices.

1145138

Automation stitch fails to shut down a specific port on the secondary FortiGate during HA failover due to incorrect script environment settings.

1149817

Security Fabric > Physical Topology: FortiLink Tier 2 switch is shown as directly connected to FortiGate on the Security Fabric > Physical Topology page.

The correct topology can be seen on the WiFi & Switch Controller > Managed FortiSwitches > Topology view.

1150382

Security profile names containing two forward slashes (//) cause the webpage to become unresponsive when attempting to edit.

1165624

Topology page load failure occurs when CSF is disabled.

1166189

When using the OCI SDN connector, dynamic IP addresses are not fetched correctly if the target compartment contains more than 100 VNICs.

1180555

Threat feed connections fail during SSL handshakes when server-identity-check is enabled for HTTPS downloads in FortiOS.

1210303

APIC device overload occurs when FortiGate logs in multiple times without proper logout.

Switch Controller

Bug ID

Description

961142

An interface in FortiLink is flapping with an MCLAG FortiSwitch using DAC on an OPSFPP-T-05-PAB transceiver.

1075365

Upgrade or restart of FSW fails when FortiLink is in HTTPS mode

1105000

Aggregate FortiLink goes down and the interface must be manually brought down and up.

1114032

The GUI becomes slow or unresponsive when transceiver-related API requests fail.

1134306

VLAN configuration mismatch occurs when configuring LAN Extension and VLANs locally on FEX.

1135460

Health status becomes unknown after renaming a switch in the switch controller on some FortiGate models.

1137075

In the WiFi & Switch Controller > Managed FortiSwitches page, the Topology view shows the link between FortiSwitch units with a dotted line instead of a solid line.

1137213

Extension device registration fails through GUI when FortiCare agreement acknowledgment flag is reset after updates.

1138263

FortiSwitch port configurations fail to update and GUI display issues occur when user-info process overloads system resources with excessive connections.

1138430

Increase managed-switch.switch-id to more than 16 characters

1144076

High CPU usage occurs in cmdbsvr when FortiLink is enabled and FortiLink interfaces are connected to the firewall.

1153868

Sync errors occur when renaming a FortiLink switch with special characters.

1155546

Duplicate entries occur in the switch-controller managed-switch list when renaming a managed-switch.

1164685

Local MAC addresses are filtered out from being added to user device list when mab-entry-as dynamic mode is enabled on FortiSwitch.

1174647

FortiLink connections may not display correctly in the FortiGate GUI Topology view when using MCLAG aggregation.

1183135

Filtering by allowed VLANs fails to display expected results when using certain FOS versions.

System

Bug ID

Description

900936

The fnbamd service may terminate unexpectedly due to erroneous memory handling during certificate authentication, if DNS responses include both IPv4 and IPv6 addresses and one (for example, IPv6) is unreachable.

908309

LLDP packets not received on management interface when LLDP is enabled on certain FortiGate models.

973034

LACPDU packet drops occur when FortiGate fails to reliably send required packets due to incorrect npu_tc assignment for hi-priority traffic.

992323, 1056133, 1075607, 1082413, 1084898, 0992323

Traffic interrupted when traffic shaping is enabled on 9xG and 12xG.

996863

Automatic firmware update email alerts triggered after each reboot on FortiGate.

1029459

sflowd error condition occurs when sflow sampling is enabled without a collector configured.

1048684

The FortiGate Internet Service Database (ISDB) update mechanism fails on a 100E FortiGate model due to insufficient memory allocation.

1057094

Disabling GRE auto-asic-offload on a FortiGate model causes traffic to be dropped due to unrecognized GRE tunnels, likely because the kernel fails to process them without proper configuration post-disabling.

1065869

SCTP CRC check option is not available on NP7lite platforms such as 91G/121G.

1071229

Ping reply packets are dropped after two successful requests when using VXLAN over IPsec on FortiGate.

1075340

Aggregate link down occurs when speed is set to 10000auto after upgrade to v7.4.5.

1082891

FortiGate reboots immediately after changing ull-port-mode to 25G without a confirmation prompt.

1095801

Error "Fail to del default npu-vlink setup" is shown when changing the hostname.

1096384

Warn user when restoring config from a different firmware version.

1096537

High CPU usage occurs when making configuration changes with a large number of policies.

1099770

NP7 drops encrypted GRE packets that have Checksum bit set (1) due to invalid checksum.

1107270

Communication over VXLAN is lost after upgrade on NP7 platform.

1113436

Packets are dropped when using auto-asic-offload with 802.1AD over LACP on FortiGate due to missing MAC address assignment on QinQ lag interfaces.

1113651

An error condition occurs in the simulator during stress testing.

1114298

FortiGate Cloud remote login triggers 2 admin login events (1 successful and 1 unsuccessful for PKI admin).

1117005

CPU spikes and management access issues occur on certain FortiGate models post-upgrade when IPsec Phase 1 NPU-offload is enabled during maintenance.

1121522

Memory leak in slab causes the system to enter memory conserve mode. The issue occurs due to out-of-order log packets and incomplete session scrubbing, resulting in residual entries in the log2host table.

1121548

Enabling "device-identification" also gets endpoint information even though intermediate router exists on FG and endpoints.

1122741

Two duplicate FGFM sessions could be triggered when connecting to FortiGate Cloud. The first FGFM session that enters the GET_IP state kills the other FGFM session, which schedules an FGFM session restart two minutes later.

1130803

Port13-20 speed setting changes to 1000full after FortiGate 10xF reboot.

1131516

CRC error count reset issue occurs when using the diag netlink interface clear command.

1132414

When connecting port5-14 on 3201F with third-party switches using optical transceivers, the 1gig link is down.

1133575

The 100M speed option is not available for wan1 and wan2 interfaces during configuration in certain FortiGate models.

1135440

Unexpected behavior occurs when changing interface mode or static route through an IPSEC-Tunnel when emac vlan interface based on npu-vlink is used

1137218

VXLAN traffic uses the primary IP address instead of the secondary IP address when vxlan remote-ip is configured with a secondary IP.

1138155

DNS (TCP853) fails until idle timeout when link monitor failover occurs in dual internet connection.

1140755

When attempting to delete a software switch interface, it becomes permanently hidden due to an unreverted temporary flag.

1141832

Interface inbound/outbound information is not displayed on the bandwidth widget and CLI when using VLAN interfaces with NP6 platform.

1141907

Unexpected behavior occurs when deleting IPv6 reflect session.

1142591

Unexpected behavior occurs when high load IP fragment traffic is sent through an IPsec tunnel with vpn-id-ipip encapsulation and offloading enabled.

1142782

GRE tunnel traffic is limited when sessions share same local/remote IPs, causing them to be assigned to single CPU core.

1142785

False SNMP alerts occur when a non-installed power supply unit is detected

1142805

Cannot set source IP for FortiGuard when a non-root VDOM is set.

1146354

The network interface settings page fails to load on certain FortiGate models when the admin profile does not have the System > Configuration > Read/Write permission.

1148843

Unstable LTE 4G connection occurs when using IPv6.

1149508

WAN interface goes down when share-port medium type changes to 'copper' after upgrading FortiGate-80F-DSL

1149814

An error condition in WAD occurs when executing log messages with invalid node pointers.

1151313

On NP7 models, gtp tunnel list counters don't increase when restoring configuration file with "gtp-enhanced-mode enable".

1152059

Device information is not detected when device-detection is enabled in ARM based models

1152638

FGT still sends a reset packet when it drops TCP SYN packets with ident-accept enabled on the wwan interface after reboot.

1153004

APN profile not updating when configuring Verizon APN.

1153442

Concurrent sessions drop significantly when low-end FortiGate models have low free memory.

1153983

Registration status remains unknown when re-adding the FortiManager IP after it was lost.

1154158

DHCP issue occurs when configuring hardware switch interface in A-P HA mode.

1155410

High memory consumption occurs when Node.js encounters catastrophic failures and creates excessive logs.

1156561

NP7lite platforms might encounter high softirq issue and stop processing traffic after running for one month.

1156785

Device recognition issues occur when device-detection is enabled for some Apple devices.

1157490

Temperature is out of range with unreasonably high value.

1158975

FortiGate does not establish VNE tunnel caused by a failure to commit DNS servers to the CMDB after receiving a DHCPv6 information request.

1159425

Unused power supply log appears in diagnose alertconsole list when a redundant power supply is not used

1160215

An error condition occurs in snmpd on FortiGate-VM64-AZURE approximately every 1.5 hours.

1162489

The SFP WAN1 and WAN2 ports on the FGT-80F device remain down after a reboot when the speed is set to 100M.

1163292

VDOM expansion issues occur when upgrading license on FortiGate-201G.

1163814

Memory usage issues occur when newcli processes are not deleted after their parent sshd process died.

1164174

Configuration loss on FGT-60F when FortiGate enters extreme conserve mode

1164761

SFP+ direct attach cables are shown as "compliance is unspecified" by the "get system interface transceiver" command.

1165059

Unexpected behavior in system occurs when executing factory reset on FortiGate-70F.

1165172

CPU usage issues caused by receipt of packets longer than 65535 octets.

1166455

TCP packet drop occurs when sending traffic over VLAN+redundant port

1167234

Unexpected behavior occurs when loading build B3553 on FortiGate-101F.

1167426

High CPU usage occurs in the linkmtd daemon when large traffic is present.

1168786

100G ports turn up after reboot when administratively down on platforms with Marvell switch, such as FortiGate 480xF.

1168792

Network detection issues occur when the LED is on during diagnose hardware tests.

1170291

WWAN interface fails to get IP address when 'auto-connect' feature is enabled.

1170464

Memory usage issues caused by low memory availability on FortiGate-51G

1172295

FortiGate does not autoupdate router objects in full such as key-chain, route-map, and prefix list, causing FMG to purge the config during installation.

1175384

"Partition ImageEXT4-fs (sda2): couldn't mount as ext3 due to feature incompatibilities" when running "diagnose sys flash list"

1177037

System events are not generated when FortiGate acts as a DHCP client.

1178017

10G Copper interface fails to come up when directly connected after a fresh setup

1178199

SNMPD access issues occur when increasing VM memory.

1178583

DHCP relay strips DHCP END Option (255) when relaying DHCP packets.

1185286

An error condition in Newcli occurs when executing the get system fortiguard-service status command.

1187981

DDOS policy not properly installed in kernel on FortiGate 120G and 121G.

1190222

Incompatibility occurs when using 8G eMMC on 3XG/5XG/7XG/9XG models

1190245

Memory usage issues caused by renaming VPN IPsec phase1-interface during config change.

1193889

Certificate error occurs when connecting to FAZ via SSH

Upgrade

Bug ID

Description

1130034

Obsolete system.autoupdate.tunneling is removed when configuring system fortiguard.

1130655

License validation issues occur when system.autoupdate.tunneling is not migrated to system.fortiguard after upgrading.

1158947

Manual patch upgrade not allowed when system has invalid upgrade license

1160916

Password history settings are lost during upgrade from 2731 to 2794.

1171564

System halt occurs when upgrading from v7.4.8 GA b2795 to v7.6.4 b3563

1172979

Upgrade failure occurs when upgrading from v7.6.4 to v8.0.0 due to CMDB request issue.

User & Authentication

Bug ID

Description

1112301

CPU usage issues observed during certificate authentication with multiple DNS replies.

1118212

Captive portal authentication fails after FortiToken push notification approval during radius authentication with FAC for remote groups.

1122979

Custom NAS-ID not sent to RADIUS server when testing connectivity via GUI.

1124183

Guest user sessions persist in the FortiGate authentication list despite manual expiry, enabling continued network access.

1134368

LDAP server becomes unreachable when 'set mfa-mode subject-identity' is configured under the user peer settings, or ha-direct is enabled with source-ip.

1137727

Delays in SSH login verification occur on some FortiGate models when hashing passwords, and immediate failure messages are returned for invalid usernames.

1146635

Fnbamd issue during certificate authentication when multiple DNS replies contain both IPv4 and IPv6 parts.

1147049

Device hostname is not displayed when device identification is enabled and mDNS includes the device UUID.

1156903

CLI authentication test fails when RADIUS server has require-message-authenticator setting disabled.

1160080

User deletion occurs when upgrading with invalid password-history characters.

1163152

RADIUS stops working on secondary unit when HA secondary connects to a RADIUS server using UDP.

1193697

Emails with FortiToken codes are not sent due to an SSL error when using SMTPS port 465.

VM

Bug ID

Description

1125437

The "set distance" option under interface configured as DHCP client doesn't work on VM.

1146370

AWS bootstrap is unable to parse IAM role profile properly due to the length.

1146634

IfLinkUpDown SNMP trap is not triggered on FGT_VM64_KVM using the virtio driver when an interface is brought up or down.

1157674

Incorrect system time occurs when FortiGate-VM64-GCP boots up on GCP.

1161380

License becomes invalid when system time is incorrect on FortiGate VM64-GCP devices.

1172050

Packet-rate information is missing for some interfaces when running the diagnose netlink interface packet-rate command on FortiGate-ARM64-AWS.

WAN Optimization

Bug ID

Description

1160444

Global config wanopt content-delivery-network-rule is deleted when restoring VDOM config.

Web Filter

Bug ID

Description

1145481

URL filter exemption fails when adding regex entries to URL filter if newly added regex entry contains invalid perl style regex.

1150232

Threat feed URLs are not blocked since Sandbox block list file version check always fails and aborts loading other types of URL lists, including external-resource category URL list.

1156789

Web filter settings category name, block screen category name, and log category name are translated into different Japanese when using web filter profile on FortiGate.

1177015

Webfilter logs are not generated when https-replacement-message is disabled in proxy-policy with DPI.

WiFi Controller

Bug ID

Description

1001211

Add optional antenna support for K-series models 443K and 243K.

1018895

Clients on local-bridging SSIDs appear offline despite having active traffic when acd-process-count is 2, caused by the AP failing to report client IPs to the controller.

1063976

Empty SN values occur in AP DTLS session timeout messages.

1126824

When WiFi client enables VPN endpoint, VPN traffic cannot pass through NP6Xlite FGT models.

1131094

The iPhone 16 fails to connect to a WPA3-SAE SSID on FWF-61F due to incorrect ordering of RSN and RSNXE parameters during the authentication handshake.

1145326

In non-root VDOM, device fails to authenticate when MPSK is used with an external RADIUS server.

1147416

Connection fails for Samsung S22 devices when using WPA3-SAE from local-radio on certain FortiGate models.

1151713

FortiAPs may go offline when the memory pool of the WiFi daemon cw_acd is fully occupied and not released properly. The cw_acd debug constantly shows "ERR: NO MEM for USER_LOCAL_MSG".

1161023

Groups of Wi-Fi clients are lost after roaming to a different AP, causing unintended behavior in network policies.

1174782

The client fails to authenticate and gets disconnected from the access point when initiating Fast BSS transition (FT) roaming with MAC authentication enabled.

1177859

When FWF local radio is in non-root vdom, wifi users encounter connectivity issues.

ZTNA

Bug ID

Description

1089157

An error condition in WAD occurs when adding a ztna-ems-tag to a proxy policy with an active ZTNA session

1102925

Memory usage issues caused by accessing multiple websites through WAD

1118878

Traffic bottleneck occurs when syncing 120K FCT endpoints from EMS to FortiGate.

1134649

WAD cannot re-verify new ems-tag after an ems-tag update for HTTPS access proxy, causing existing sessions to remain active despite matching a deny policy.

1135441

CLI error occurs when configuring SAML server in api-gateway with access-proxy6 and vip6 configured.

1139201

Internal resources are inaccessible via IP or FQDN when using agentless ZTNA Access proxy-portal with apptype web on FortiGate.

1159018

ZTNA agentless not working on FG-90G devices.

1172396

The Certificate Information field in the replacement message shows incorrect information when ZTNA access proxy is configured to accept empty cert.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

1112620

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-25255

1126271

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-25249

1132094

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-31514

1172008

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-58413

1173156

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-25249

1174215

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-53843

1177284

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-53844

1179021

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-54821

1184468

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-59718

1188853

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-58903

Resolved issues

Resolved issues

The following issues have been fixed in version 7.6.4. To inquire about a particular bug, please contact Customer Service & Support.

Agentless VPN (formerly SSL VPN web mode)

See also SSL VPN tunnel mode replaced with IPsec VPN.

Bug ID

Description

978939

Performance issues occur when CMDB configuration is large.

1115577

Add customization support for the SSL-VPN header replacement message.

1124222

Intermittent connection disruption occurs when using SSL VPN web mode to SSH to Cisco routers with authentication banners.

1134189

Connection refused occurs when using custom landing page in agentless VPN portal on FortiGate.

1143541

An error condition occurs in sslvpn after receiving FortiClient UUID with an empty value.

Anti Spam

Bug ID

Description

1098623

A closing character ">" of HTML tag is missing in replacement message of antispam URL spam submission text when FortiGate processes spam emails.

Anti Virus

Bug ID

Description

1080003

FGT memory gradually increases when FGT Flow AV Profile is inspecting TCP 6200 traffic with outbreak prevention enabled.

Application Control

Bug ID

Description

1118703

Web traffic designated as blocked is allowed due to the config entry priority in the application control profile.

1136103

App categories fail to display in NGFW mode due to undefined object causing JavaScript TypeError during app category data access.

1144469

No security events logged for custom Application Control profiles in Monitor mode when applied to policies configured to log all sessions.

DNS Filter

Bug ID

Description

1134108

The IPS engine memory usage increases rapidly when a flow-based policy uses an external Threat Feed with over 1M domain entries, causing device unresponsiveness.

1144986

DNS service disruption occurs when FortiGate is deployed as a DNS proxy with DNS filtering enabled and an unreachable SDNS server is preferred.

1150842

Dynamic DNS updates are not forwarded to the DNS server according to transparent-dns-database when using a conditional DNS forwarder for the non-authoritative zone.

1159583

DNS Filter Rating Servers license not reflected in CLI for 71F when using Single FortiGuard HA license in HA cluster with logical-sn setting.

Endpoint Control

Bug ID

Description

1086668

FortiGate does not connect to EMS cloud when EMS cloud license is expired on the global FortiCare account, even when the access keys are valid in other VDOMs.

1113593

EMS connector is getting disconnected when using a third-party certificate for verification, resulting in loss of tags and denied traffic.

1142301

ZTNA tag in "View matched endpoint" on GUI might not match backend data.

Explicit Proxy

Bug ID

Description

1034891

Web application using SAML IDP authentication in POST method via SWG on FortiGate gets a 303 response and the payload in the post request gets discarded.

1066091

Traffic issue occurs when FortiGate authenticates machine account in the format of HOSTNAME$ using NTLM.

1096263

Intermittent 504 errors occur when an IPv6 HTTP request followed by an IPv4 request in the same pipeline goes through explicit proxy with outgoing-ip.

1116834

Authentication pop-up does not appear when accessing HTTPS websites through FortiGate with Explicit Proxy when authentication rules, webproxy-forward-server, and certificate-inspection are configured in proxy-policy.

1136596

Incorrect status display occurs when editing proxy policies for hard/software switches on some FortiGate models.

1139784

Machine account is treated as NULL user in Kerberos and fails to authenticate via Kerberos.

1144818

Download failure occurs when accessing https://7-zip.de for domain objects.githubusercontent.com.

1149811

An error condition in WAD occurs when auth rules are changed during policy matching in explicit proxy policies

1157551

Memory usage issue caused by improper internal state handling when using WebProxy.

1163040

An error condition in WAD is triggered by an edge case which causes the process to enter an error-handling path

1166344

WAD session freeze when using explicit proxy with HTTP2 enabled in VDOM UKT-Proxy.

1177548

A 400 Bad Request error occurs when accessing CP addresses during SAML authentication in session mode.

1178564

Intermittent policy-denied issue occurs when explicit proxy policy is configured with SD-WAN zones in outgoing interface.

Firewall

Bug ID

Description

1004263

Session counters are not being updated when ASIC offload is enabled on firewall policy. FortiGate GUI is displaying incorrect information in the "Bytes" and "Last Used" columns.

1057080

On the Firewall Policy page, search results do not display in an expanded format.

1108236

Incorrect logs are displayed when viewing matching logs for an implicit deny policy due to an invalid filter operator.

1114635

In the GUI, cannot filter Address objects correctly when using CIDR notation.

1131860

A two to three minute delay occurs when enforcing policy changes to existing or new traffic due to linear duplicate address checks during iprope updates.

1136543

Traffic block occurs when creating 802.1ad type VLAN based on redundant interface

1138259

Traffic carrying VLAN info encounters forwarding mismatch after deleting a VLAN interface built upon an NPU VDOM link

1140803

With interface policy configured with IPS enabled, UDP port 4500 traffic is not offloaded due to incorrect session flag f02 after ICMP unreachable packet is received.

1141922

Internet service custom limit increase occurs when per VDOM limit is set to 512

1142813

Filtering by comments fails when quick-editing firewall policies in the Firewall Policy page.

1144475

Intermittent DCE/RPC session blocks occur when two session-sync-dev are connected to the same switch without VLAN separation.

1145106

Multicast traffic drops occur when sending large packets to remote tunnels over the x5 interface on FortiGate 400F.

1145129

Port-preserve option changes to disable when disabling NAT in policy.

1148161

Erroneous MAC address is used on SOC4 platforms when traffic offloads EMAC-VLAN to VLAN traffic to NPU

1148166

Source port translation was not permitted with traffic to UDP port 7001.

1154620

Traffic is blocked by DoS policy when npu offload is disabled under IPsec phase1-interface and DoS policy is configured with parent interface.

1155687

DNAT incorrectly in later FTP data packets and FTP data session gets reset when FTP server responds with public IP in PASV mode

1156810

Traffic is logged as accepted in Forward Traffic Log when FortiGate is configured as a DNS server and implicit deny policy is enabled.

1157283

High priority traffic drops when bursty traffic is present on low priority queues.

1158137

Traffic is blocked when UTM and Nturbo are enabled in firewall policy for np7lite platforms.

1158391

Inconsistent address group configuration occurs when using CLI's 'append' command with 'all' value.

1159576

Traffic shaping fails when type is set to queuing in the shaping-profile.

1160083

Expected session using its parent session's policy ID in the session list is confusing and makes policy match look wrong.

1162875

IPv6 traffic is blocked without sending RST packets when send-deny-packet is enabled for 4.19 kernel.

1163826

When non-TCP/UDP traffic passes through the Hyperscale VDOM, the selected SNAT IPPool can be wrong in NAT Source function call.

1169439

GTP tunnel deletion occurs when mobility handover happens with same PDN connections information.

1171392

No response occurs when FortiGate receives a packet with low TTL and a deny-all policy is set.

1178125

Packet loss occurs when traffic shaping rule is enabled with no limits on per-ip-shaper and the pre-defined max limit is overflow

1178157

IPv6 packets are dropped when block-land-attack is disabled and source and destination addresses are the same.

1179233

Geo IPs are only installed into the kernel if the country is used, which makes the option geoip-anycast in firewall policy not work very well

FortiGate 6000 and 7000 platforms

Bug ID

Description

1014826

SLBC does not function as expected with IPsec over TCP enabled.

1060864

Ports fail to establish or exhibit CRC/input errors when 100G QSFP28 LR transceivers are used with FIM-7920E and Cisco ASR in specific setups.

1083246

Intermittent traffic disruption occurs when using Fortinet_Factory on FortiGate-200G.

1103810

100G SFPs are experiencing compatibility issues with the 7060E at Turkcell.

1104967

Intermittent interface disruption occurs after power cycle.

1108405

VLAN interface accounting issue occurs when vlif reaches its maximum.

1113805

Firewall policy statistics reset after reboot on FGT-6k devices caused by improper persistence of aggregated data.

1117663

Unexpected behavior in the bcm.user process after a factory reset can sometimes prevent the FPMs from booting up.

1131541

SSL VPN load balance settings remain active in FortiOS configurations where SSL VPN tunnel mode has been removed.

1135891

The PSU status incorrectly shows as "Critically High" on the GUI dashboard widget.

1136261

Traffic blockage occurs when creating VLAN over redundant interface on SOC5 platform.

1146580

Traffic stats aggregation issue occurs when using M ports in FGSP setup.

1147340

Duplicated interface entries occur in FortiGate HA configuration merges when the same interface is processed across multiple cycles without successful resolution, causing persistent sync failures and redundant log entries.

1149342

BGP flapping occurs when concurrent IP address management causes unexpected source IP usage on outbound connections during FortiGate VDOM migrations.

1153360

Counter values fail to match totals and may overflow during continuous clearing in certain FortiGate models.

1154348

CLI allows assigning VLAN interface of M port LAG interface to data VDOMs when configuring VLAN interface on top of M port LAG

1159714

Unexpected behavior observed on certain FortiGate models when configuration changes follow enabling "cfg-save revert" due to unresolved netdevice references in the np7 driver.

1161584

An error condition occurs in the APACER NVME controller during hardware testing on FortiGate-201G.

1170088

RADIUS authentication fails when connecting to Secondary Chassis Slot 2 to 4.

1170524

SSH login attempts via special ports fail for VDOM admin users with access to 'mgmt-vdom' on SLBC FortiController models.

1171521

In some cases, after a FortiGate 7000F chassis restart, an FPM may hang while logging in, resulting in the FPM being out of synch with the chassis. This happens because confsynchbd becomes stuck after receiving a management heartbeat from the primary FIM.

The issue can occur any time the chassis restarts, including after a firmware upgrade.

1172378

Blades go to dead status when upgrading due to a cross FIM issue.

1172922

SDN dynamic address synchronization flaps or fails when SDN connectors are frequently enabled and disabled.

1173230

Traffic loss occurs when FIM on standby unit is rebooted in HA A-P setup on 7KE model.

1174680

CPU usage issues observed during IPsec tunnel formation over PPPoE interfaces.

1178954

ICMP packet offload failure occurs when passing through VPN over aggregate interface.

1183735

Graceful upgrades lead to unintended primary claiming by FortiGate units during HA resynchronization.

FortiView

Bug ID

Description

1133164

Subnet filtering fails for firewall users due to partial API support.

1138980

When a read-only profile admin user tries to change the FortiView source time range, it is logged as an edit by system admin in system events.

1139219

The Quarantine widget experiences delays when loading the complete IP list.

1141357

Session counts beyond a certain limit are not displayed on FortiView, device icons are missing from FortiView pages, and quarantine actions do not reflect in the Log Viewer.

GUI

Bug ID

Description

264694

When a firewall user logs in via the GUI using RADIUS with FortiToken, no accounting request is generated.

853352

When viewing entries in slide-out window of the Policy & Objects > Internet Service Database page, users cannot scroll down to the end if there are over 100K entries.

919473

Network > Interfaces: When there is an IPsec tunnel bound to an interface, Interface Integrate for that interface fails.

1051993

Incorrect 'Cancel Fabric Upgrade' button display occurs when a full fabric upgrade has failed or completed.

1053139

Login failure messages appear in the GUI when administrators log in within an air-gap environment.

1110950

An error condition in httpsd occurs when using JSON array sort compare.

1119321

Authentication enhancements and optimizations using HTTP Admin Auth Daemon

1126162

Hostname pop-up window shows "failed to retrieve info" error in System > HA page.

1126975

Timezone offsets are displayed in UTC when a timezone is set.

1129254

Unexpected behavior occurs when attempting to save L2TP dialup tunnel configurations using SD-WAN members on some FortiGate models.

1130636

The FortiConverter window reappears after closing even when Don't show again is selected.

1131500

Some bandwidth interface widgets do not show historical information.

1137821

Failed to open CLI console from downstream FGT GUI with error "Connection lost." with SAML SSO admin login.

1138359

Can't open CLI console when logging in with SSO account.

1139922

Cannot rename authorized FortiSwitch.

1140317

FAP/FSW registration status appears vacant on Firmware & Registration page.

1143611

User/groups objects disappear after editing firewall policy.

1145475

Multicast traffic is dropped when adding or removing the interface bandwidth widget on the dashboard.

1146621

When editing an SSL VPN policy in the GUI after creating the policy in the CLI, user/group is not requested.

1146967

Failed to update prompt occurs when moving interface using Interface Integrate feature.

1148930

Exported FSW ports to tenant VDOM are not displayed on the GUI when the tenant VDOM has a FortiLink, causing virtual switches to be filtered out due to the lack of a fsw-wan1-peer attribute.

1148959

An error condition in httpsd occurs when fetching data from cmdbsvr fails.

1150591

Node.js encounters an error when attempting to read the property from a null value, causing unintended behavior on some FortiGate models.

1151118

Default Super Admin creation notification is not triggered when logging in through the GUI with accprofile-override enabled

1151414

Unable to connect to FortiSwitch CLI via Diagnostics and Tools.

1152464

The DHCP reservation widget incorrectly validates based on the subnet instead of individual IP addresses.

1152580

FEXT dataplan display issues occur in FortiGate GUI when controlled by FEXT-101G

1152737

When device-identification is enabled, an incorrect IP address is observed when a device gets updated with no IP address

1152849

Connection loss occurs when accessing FortiGate Cloud remote access.

1153294

Custom HTML content does not render correctly on login pages when configured through the FortiGate web interface or CLI.

1154487

GUI page times out when never timeout option is enabled for the admin profile.

1156109

Console prints error when logging in to the GUI with dns ssl-certificate set to Fortinet_Factory.

1162818

Proxy policy GUI page keeps loading when using user.certificate in ZTNA proxy-policy.

1163464

Read permission occurs when logging in with read-write accprofile if FortiGate is managed by FortiManager.

1165306

FortiSwitches not showing in alphabetical order in GUI occurs when viewing FortiSwitch Ports.

1165693

An error condition occurs in the GUI sniffer when using advanced syntax.

1166936

Failed to load value occurs when viewing PoE devices on FortiOS GUI.

1169584

An error condition in Apache occurs when the ACME renewal thread interacts with the main thread.

1170203

GUI access issues occur when upgrading from B3561.

1172647

Filtering services become unavailable when Anycast is enabled.

1175241

After performing a search in the policy list, sections cannot be collapsed, causing delays in operations.

1178020

Administrative-access option FMG-Access is not available on the GUI when FIPS-CC mode is enabled.

1179698

GUI error when editing the IPsec tunnel when the VPN name contains "/"

HA

Bug ID

Description

794395

The secondary unit in an HA cluster would display messages indicating that external resources were not in sync, despite the resources being correctly synchronized.

984306

Session synchronization fails when encryption is enabled in FGSP with IPsec VPN setup.

1017177

A WAD processing issue causes SNMP to not respond in an HA cluster.

1080655

HA synchronization fails after configuration changes on FortiGate devices due to improper handling of a hasync flag in the fgfmd daemon.

1115004

An error condition in the daemon occurs when upgrading an HA cluster with standalone-mgmt-vdom enabled.

1126274

VDOM is created unexpectedly when changing VRRP priorities on multiple interfaces if standalone-config-sync is enabled.

1133589

HA cluster fails to form when FIPS-CC is enabled.

1135008

When link monitor fails, the initial HA cluster failover doesn't happen immediately, only after pingserver-flip-timeout expires.

1136097

HA state may become out of sync due to a race condition caused by missing local-in ipropes.

1141528

High CPU usage occurs when FortiGate secondary unit is started in Azure vWAN SD-WAN NGFW with Dynamic rerouting.

1142161

Federated upgrade failure occurs when upgrading in an HA cluster

1143361

Downtime occurs when upgrading HA cluster with HA encryption or authentication enabled due to HA communication being sent through IKE tunnel when tunnel is not ready

1143791

The heartbeat interface default route is lost and HA fails to sync when changing the interface mtu-override option.

1148845

LDAP authentication fails when ha-direct is enabled due to confusing logic between which interface takes priority when interface-selection is also used

1151668

Interface bandwidth widget doesn't display HB and Managed port.

1154466

Traffic forwarding issues occur when FGSP failover happens.

1160292

FFDB version sync issue occurs when updating on-demand ffdb in HA environment.

1162432

Split brain occurs when renaming IPsec phase1-interface in an HA cluster with a lot of VDOMs.

1165798

An error condition in FortiMQ occurs when HA AA is configured and malware-stream scan is enabled on primary FortiGate.

1168328

Mgmt interface is lost when joining a device to a cluster with system dedicated-mgmt enabled.

1170763

Device synchronization issues occur when removing a device from FortiManager

1171987

HA not synced after modifying onetime schedule when cfg-save is manual.

1172590

An error condition occurs in FortiGate when running the diag sys ha nonhaconf command on the secondary node in an HA cluster.

1178208

VLAN HB link monitor stops working when HA Group-ID is set above 255.

1179351

FortiGate failed to load the private keys for factory certificates to fgfmd due to incorrect classification

1179821

Intermittent connectivity loss occurs to HA secondary management IP after upgrade to v7.4.8.

1180636

Session filter issues occur when adding custom service filters with different port ranges under cluster-peer session sync.

Hyperscale

Bug ID

Description

1089281

On FG-480xF/FFW-480xF, using an npu-group other than "0" with log2host at around 1M CPS could result in the NP chip getting stuck.

1141632

After HA failover, syslog packets are not sent out from the new HA master when using NAT46/NAT64 policies.

1143144

Both HW log(ps) rate and log(pm) rate show in dia sys npu-session stat when set log-mode per-nat-mapping is enabled.

1150073

For previous versions of hyperscale FortiOS, FGCP HA clustering with hardware session synchronization with config vcluster-status disabled allowed you to monitor hw-session-sync-dev interfaces. FortiOS 7.6.3 changed this behavior, and you can no longer monitor hw-session-sync-dev interfaces.

When upgrading to FortiOS 7.6.3 if your HA configuration includes monitoring hw-session-sync-dev interfaces, the upgrade will fail.

1150863

Unintended session deletion may occur after FGSP failover due to a dirty Rsession.

1155548

With host logging (log2host) enabled, session counts may begin to rise after a few days of operation. This rise in session count can reduce throughput and CPS performance.

1159964

Incorrect duration of hardware sessions occurs when the system is up for a long time.

Intrusion Prevention

Bug ID

Description

1110788

Memory usage issues caused by configuration changes or rule loading.

1117043

Fatal errors occur when the IPS engine sends requests with zero-length data segments to IPSA.

This issue only affects physical FortiGate models with the following IPS engine versions:

  • IPS Engine version: 7.550 - 7.567

  • IPS Engine version: 7.1019 - 7.1039

To determine the IPS Engine versions, use the command:

get sys fortiguard-service status | grep 'IPS/FlowAV Engine'

1122188

Internal diagnostic commands fail or delay when ipsmonitor processes each request sequentially due to sequential forwarding to IPS daemon processes.

1149760

Inline-IPS fails to match sensor locations for the "Web.Server.Password.File.Access" signature because it incorrectly reverses traffic direction definitions.

1158024

Packet drops and lower CPU utilization on FPC blades when using IPv6 traffic with np-accel-mode enabled and auto-asic-offload.

1158524

Unexpected behavior observed in the IPSEngine when a DNS packet matches a policy with DNSFilter and Safe Search enabled.

IPsec VPN

Bug ID

Description

842821

Accounting information is not sent to RADIUS when EAP and 2FA authentication are enabled.

979591

Changes to IPsec phase1 fragmentation settings do not take effect immediately when made on dynamic configurations.

995912

VPN tunnels exhibit instability following an upgrade, with processes stuck during NP7 debugging due to improper prioritization of certain packets.

1045098

IPv6 traffic is blocked on a newly configured IPsec VPN over a loopback interface; a reboot is needed to fix it.

1063528

Incorrect MTU settings prevent fragmented packets from being properly offloaded in IPsec tunnels, causing high CPU usage on FortiGate models.

1063737

High CPU usage occurs when using IPsec tunnel with fragmented packets and UDP frame size of 1600B.

1068626

SOC4 platform IPSec traffic may stop in specific corner cases due to the IPSec outbound process becoming unresponsive.

1101897

Abnormal spikes in VPN traffic sent bytes occur when counters roll back due to race conditions.

1116128

Traffic disruption occurs when IPSec engine is offloaded.

1128662

BGP peering fails to establish when a race condition occurs between FortiGate OS and NPU driver during IPsec SA updates for dynamic hub-to-static spoke VPNs.

1133207

Tunnel establishment fails for multiple FortiGate clients when using DHCP-over-IPSec dial-up VPNs during high concurrent connection attempts.

1135490

Static route towards remote side of IPsec tunnel becomes inactive when tunnel IP address is configured.

1140823

IPsec tunnels become stuck on spoke np6xlite, causing ESP packet drops after extended operation due to improper vifid formation during multiple rekey operations.

1141865

Decrypt counters do not update when SA is offloaded.

1145219

IPsec tunnels drop unexpectedly during rekeying when using certificate authentication with multiple dialup gateways and peer-initiated SA_INIT requests.

1145391

IPsec VPN tunnel fails to establish when QKD is required due to failure to complete SSL handshake with the QKD server

1145411

Changing the ip-fragmentation setting on dynamic IPsec phase1 does not take effect immediately after modification due to an issue with the change handler function in certain FortiOS builds.

1147023

VPN traffic halts unexpectedly on the spoke when FEC is disabled during connection cleanup after failed phase 1 negotiations, affecting dynamic tunnel handling.

1149340

Fragmented packets are not sent out on vpn-id-ipip IPsec tunnel when npu-offloading is enabled.

1152486

Unable to select policy-based IPsec tunnel in the firewall policy for SD-WAN member while configuring in GUI.

1153363

Intermittent disruption occurs on ipv6 route lookup when configuring IPsec with FIPS-CC enabled.

1153984

Authentication error occurs when IPSEC-IKEv2 tunnel is configured with FortiToken Cloud.

1156722

DNS suffix search issues occur when using IKEv2 phase1 dialup gateways with mode-cfg enabled.

1157885

Shaping parameter is not shared during ADVPN spoke to spoke negotiation.

1162270

Secondary IPsec tunnel cannot come up after primary tunnel is down and config change when "set monitor" is configured under phase1.

1162563

An error condition in the system occurs when creating more than 75 VPN tunnels with Egress Traffic shaping enabled.

1162740

Multicast traffic above 1350 bytes does not flow through the IPsec aggregate tunnel when using pre-encapsulation.

1163234

IPsec negotiations fail when auth-keepalive is enabled with SAML authentication.

1165581

Certificate validation issues occur when mandatory-ca-verify is disabled in IPsec VPN configuration.

1167952

Packets with payload larger than 10K and smaller than 15K are dropped when using IPsec tunnel as egress interface with nTurbo enabled.

1168556

IPv6 routing entries remain after iked restarts.

1169860

L2TP connections fail when L2TPD experiences internal errors while attempting to create tunnels for clients.

1170094

An error condition in IKE occurs when using TCP transport.

1172040

Returning packets take a different path when TCP transport is used with multiple default routes in the routing table.

1173228

During modeconfig setup, an IPSec IKEv2 dialup tunnel may install a default route when no IP address can be allocated from the pool.

1179347

Intermittent IPSec tunnel disruption occurs when upgrading to FortiOS 7.4.8 with FIPS enabled in HA mode.

1181552

An error condition in IKE occurs when using TCP.

Log & Report

Bug ID

Description

611460

On FortiOS, the Log & Report > Forward Traffic page does not completely load the entire log when the log exceeds 200MB.

1005223

Unmatched custom service name appears in traffic log when source port range is defined in custom service.

1087235

Only the last 24 hours of Forward Traffic logs are downloaded when trying to download logs from the last 7 days.

1087534

Page loading issues occur when loading a high number of logs.

1100945

The "Resolve Unknown Applications" feature in the GUI Log Viewer is not functioning as intended.

1113588

FortiGate prompts error "Fetching data from Disk is taking longer than expected. Suggest trying a different log source or check the availability of Disk." when viewing logs for the last 7 days from disk or FortiAnalyzer.

1116108

Intra-zone Local logs are missing when intrazone allow is enabled.

1125032

Export option fails when 500+ logs are present

1127636

Unnecessary log generated when disabling an interface.

1128940

Security Rating summary log displays incorrect counts when triggering a security rating check.

1141436

FortiGate device enabled with FIPS-CC mode sends an incorrect build number (0523) to FortiGate Cloud.

1141733

Traffic interruptions occur when revisiting the forward traffic log page during searches with applied filters.

1142836

Broadcast traffic is no longer logged when local-in-deny-broadcast setting is disabled.

1146443

Inaccurate Netflow reports occur when ICMP long live sessions exceed the active timeout value.

1148101

Logs fail to appear in FortiAnalyzer, and FortiView sources are missing from the Dashboard.

1151300

Logs are not displayed in FortiGate CLI when using free-style filter with timestamp and FortiAnalyzer as data source.

1168738

Syslog packets are not sent when log server IP is not configured.

1184366

Incorrect logs are displayed when applying a destination filter in Log Viewer for remote log sources FAZ and FGT-cloud until a hard refresh is performed.

Proxy

Bug ID

Description

859182

WAD encounters an error condition when configuration changes affect certificate verification processes with Crypto KXP enabled.

1015721

An error condition occurs in WAD during stress testing.

1019504

An error condition occurs in WAD during high HTTP traffic.

1107594

Slow website loading occurs when using certificate inspection with proxy inspection-mode in HA active-active mode.

1118701

Connection issues for Kentik application using http2 gRPC occur with proxy and deep inspection.

1124557

An error condition occurs in WAD when wad-restart-mode is set to time and wad-restart-start-time / wad-restart-end-time are configured.

1125531

Timeout occurs when server certificate is expired.

1133100

Memory usage issues caused by WAD leaking SMB2 session objects when clients close connections with a Kerberos status of KRB_AP_ERR_MODIFIED.

1141948

Certificate inspection profiles differ across VDOMs when importing policy packages from FMG, caused by inconsistent default values for unsupported-ssl-version in certificate-inspection profiles between different FOS releases.

1144571

TLS handshake fails when Client Hello is split across two packets in proxy-mode, and the packet length is less than 256 bytes.

1146601

With proxy inline-ips, a memory leak occurs on the WAD daemon, leading to conserve mode.

1155170

Memory usage increases unexpectedly during high load when processing WAD-related tasks.

1155858

RD Gateway fails behind HTTPS Virtual Server when using WebSocket upgrade.

1159963

Expired server certificates are issued when Deep Inspection is enabled due to improper handling of certificate cache renewals.

1161940

An error condition in proxyd occurs when migrating from 500E to 901G.

1173291

Memory usage issues caused by missing certificate memory free operations during stress testing.

1177929

Memory usage issues occur in WAD when handling a large number of sessions.

REST API

Bug ID

Description

1159460

Current bandwidth value is not sent to FMG for shaping graph when using FortiOS API.

Routing

Bug ID

Description

1036123

BFD for BGP takes interface BFD config instead of multi-hop config when BFD is enabled on both OSPF and BGP.

1097855

IPv6 traffic may be sent to the wrong destination interface or route, causing connectivity issues.

1097939

Console prints out "/bin/cmdbsvr...node=system.health-check-fortiguard.name" error messages when restoring a config.

1142290

An error message appears in FortiGate when attempting to add the ssl.root interface to a route-map via the GUI.

1142955

High CPU usage occurs when link monitor daemon fetches session counts on every interface during REST API calls.

1147497

Slow performance and network issues when surfing to Internet from GRE tunnels.

1150878

The IPoE tunnel interface cannot be selected in the Interface Bandwidth widget.

1152976

Spokes using remote-as-filter with 4-byte ASN cannot establish BGP neighborship.

1156431

PIM error when receiving PIM Assert with SSM enabled during HA failover.

1164316

IPv6 route issues occur when set delegated-prefix-route enable.

1165424

The behaviour of the command diagnose ip router bgp <module> <enable | disable> is incorrect. Turning on debugging for one of the modules turns on debugging for all modules.

1166008

VRRP version 2 failure occurs when adv-interval is configured in milliseconds.

Workaround: Configure the adv-interval at 1025.

1171689

Incorrect route selection occurs during BGP redistribution with route maps due to improper handling of parent protocol distances.

SD-WAN

Bug ID

Description

1130683

Shortcut can't be triggered in certain cases due to the error "found duplicate in ike_check_update_addr_key".

1147720

Traffic is forwarded to an unexpected egress interface when duplicate SD-WAN rules exist in the proute list and priority-zone in the sdwan service has only one sdwan member.

1147727

Encapsulated traffic of a GRE tunnel interface over a VNE tunnel egresses the wrong interface after reboot.

1153992

Event log uses the wrong reason (packet loss over the threshold) when SLA fails due to consecutive failed probes.

1155927

SD-WAN Service events are not logged in SD-WAN Events when using SD-WAN rules in standalone mode.

1159877

Hash-mode remains visible when SD-WAN service mode is changed to priority.

1027225

New shortcuts fail to trigger when existing shortcuts experience high packet loss in priority mode.

1142171

Health check status change behavior occurs when recovery time is set to 240 and interval is set to 500ms.

1153432

Downtime occurs when using OSPF with LAN during shortcut establishment and tunnel failover.

1164937

Incorrect outbandwidth calculation occurs when IPsec tunnel interfaces are used in SDWAN configuration.

1167276

All participants of SLA name become unavailable when the check interval is set to 15 seconds.

1181497

Incorrect data type occurs when using OID fgVWLHealthCheckLinkBandwidthBi.

1187007

GUI issues occur when accessing SDWAN rules and Performance SLA menus.

Security Fabric

Bug ID

Description

1085248

FortiGate encounters CPU and memory usage issue when loading 20 large external threat feeds (100K entries each).

1110643

Security Fabric issues occur when running FortiOS 7.4 or 7.6 with 200G.

1117104

Scheduled automation incorrectly triggers reschedule after reboot when using specific time zones and NTP configurations.

1118086

An error condition occurs when enabling CSF root on 50G series devices.

1145138

Automation stitch fails to shut down a specific port on the secondary FortiGate during HA failover due to incorrect script environment settings.

1149817

Security Fabric > Physical Topology: FortiLink Tier 2 switch shows as directly connected to FortiGate on the Security Fabric > Physical Topology page.

The correct topology can be seen on the WiFi & Switch Controller > Managed FortiSwitches > Topology view.

1150382

Security profile names containing two forward slashes (//) cause the webpage to become unresponsive when attempting to edit.

1165624

Topology page load failure occurs when CSF is disabled.

1166189

When using the OCI SDN connector, dynamic IP addresses are not fetched correctly if the target compartment contains more than 100 VNICs.

1180555

Threat feed connections fail during SSL handshakes when server-identity-check is enabled for HTTPS downloads in FortiOS.

1210303

APIC device overload occurs when FortiGate logs in multiple times without proper logout.

Switch Controller

Bug ID

Description

961142

An interface in FortiLink is flapping with an MCLAG FortiSwitch using DAC on an OPSFPP-T-05-PAB transceiver.

1075365

Upgrade or restart of FSW fails when FortiLink is in HTTPS mode

1105000

Aggregate FortiLink goes down and the interface must be manually brought down and up.

1114032

The GUI becomes slow or unresponsive when transceiver-related API requests fail.

1134306

VLAN configuration mismatch occurs when configuring LAN Extension and VLANs locally on FEX.

1135460

Health status becomes unknown after renaming a switch in the switch controller on some FortiGate models.

1137075

In the WiFi & Switch Controller > Managed FortiSwitches page, the Topology view shows the link between FortiSwitch units with a dotted line instead of a solid line.

1137213

Extension device registration fails through GUI when FortiCare agreement acknowledgment flag is reset after updates.

1138263

FortiSwitch port configurations fail to update and GUI display issues occur when user-info process overloads system resources with excessive connections.

1138430

Increase managed-switch.switch-id to more than 16 characters

1144076

High CPU usage occurs in cmdbsvr when FortiLink is enabled and FortiLink interfaces are connected to the firewall.

1153868

Sync errors occur when renaming a FortiLink switch with special characters.

1155546

Duplicate entries occur in the switch-controller managed-switch list when renaming a managed-switch.

1164685

Local MAC addresses are filtered out from being added to the user device list when mab-entry-as dynamic mode is enabled on FortiSwitch.

1174647

FortiLink connections may not display correctly in the FortiGate GUI Topology view when using MCLAG aggregation.

1183135

Filtering by allowed VLANs fails to display expected results when using certain FOS versions.

System

Bug ID

Description

900936

The fnbamd service may terminate unexpectedly due to erroneous memory handling during certificate authentication, if DNS responses include both IPv4 and IPv6 addresses and one (for example, IPv6) is unreachable.

908309

LLDP packets not received on management interface when LLDP is enabled on certain FortiGate models.

973034

LACPDU packet drops occur when FortiGate fails to reliably send required packets due to incorrect npu_tc assignment for hi-priority traffic.

992323, 1056133, 1075607, 1082413, 1084898, 0992323

Traffic interrupted when traffic shaping is enabled on 9xG and 12xG.

996863

Automatic firmware update email alerts triggered after each reboot on FortiGate.

1029459

sflowd error condition occurs when sflow sampling is enabled without a collector configured.

1048684

The FortiGate Internet Service Database (ISDB) update mechanism fails on a 100E FortiGate model due to insufficient memory allocation.

1057094

Disabling GRE auto-asic-offload on a FortiGate model causes traffic to be dropped due to unrecognized GRE tunnels, likely because the kernel fails to process them without proper configuration post-disabling.

1065869

SCTP CRC check option is not available on NP7lite platforms such as 91G/121G.

1071229

Ping reply packets are dropped after two successful requests when using VXLAN over IPsec on FortiGate.

1075340

Aggregate link down occurs when speed is set to 10000auto after upgrade to v7.4.5.

1082891

FortiGate reboots immediately after changing ull-port-mode to 25G without a confirmation prompt.

1095801

Error "Fail to del default npu-vlink setup" is shown when changing the hostname.

1096384

Warn user when restoring config from a different firmware version.

1096537

High CPU usage occurs when making configuration changes with a large number of policies.

1099770

NP7 drops encrypted GRE packets that have Checksum bit set (1) due to invalid checksum.

1107270

Communication over VXLAN is lost after upgrade on NP7 platform.

1113436

Packets are dropped when using auto-asic-offload with 802.1AD over LACP on FortiGate due to missing MAC address assignment on QinQ lag interfaces.

1113651

An error condition occurs in the simulator during stress testing.

1114298

FortiGate Cloud remote login triggers 2 admin login events (1 successful and 1 unsuccessful for PKI admin).

1117005

CPU spikes and management access issues occur on certain FortiGate models post-upgrade when IPsec Phase 1 NPU-offload is enabled during maintenance.

1121522

Memory leak in slab causes the system to enter memory conserve mode. The issue occurs due to out-of-order log packets and incomplete session scrubbing, resulting in residual entries in the log2host table.

1121548

Enabling "device-identification" also gets endpoint information even though an intermediate router exists between FG and endpoints.

1122741

Two duplicate FGFM sessions could be triggered when connecting to FortiGate Cloud. The first FGFM session that enters the GET_IP state kills the other FGFM session, which schedules an FGFM session restart two minutes later.

1130803

Port13-20 speed setting changes to 1000full after FortiGate 10xF reboot.

1131516

CRC error count reset issue occurs when using the diag netlink interface clear command.

1132414

When connecting port5-14 on 3201F with third-party switches using optical transceivers, the 1gig link is down.

1133575

The 100M speed option is not available for wan1 and wan2 interfaces during configuration in certain FortiGate models.

1135440

Unexpected behavior occurs when changing interface mode or static route through an IPsec tunnel when an emac vlan interface based on npu-vlink is used.

1137218

VXLAN traffic uses primary IP address instead of secondary IP address when configured vxlan remote-ip with secondary IP.

1138155

DNS (TCP853) fails until idle timeout when link monitor failover occurs in dual internet connection.

1140755

When attempting to delete a software switch interface, it becomes permanently hidden due to an unreverted temporary flag.

1141832

Interface inbound/outbound information is not displayed on the bandwidth widget and CLI when using VLAN interfaces with NP6 platform.

1141907

Unexpected behavior occurs when deleting IPv6 reflect session.

1142591

Unexpected behavior occurs when high load IP fragment traffic is sent through an IPsec tunnel with vpn-id-ipip encapsulation and offloading enabled.

1142782

GRE tunnel traffic is limited when sessions share same local/remote IPs, causing them to be assigned to single CPU core.

1142785

False SNMP alerts occur when a non-installed power supply unit is detected

1142805

Cannot set source IP for FortiGuard when a non-root VDOM is set.

1146354

The network interface settings page fails to load on certain FortiGate models when the admin profile does not have the System > Configuration > Read/Write permission.

1148843

Unstable LTE 4G connection occurs when using IPv6.

1149508

WAN interface goes down when share-port medium type changes to 'copper' after upgrading FortiGate-80F-DSL

1149814

An error condition in WAD occurs when executing log messages with invalid node pointers.

1151313

On NP7 models, gtp tunnel list counters don't increase when restoring configuration file with "gtp-enhanced-mode enable".

1152059

Device information is not detected when device-detection is enabled in ARM based models

1152638

FGT still sends a reset packet when dropping TCP SYN packets with ident-accept enabled on the wwan interface after reboot.

1153004

APN profile not updating when configuring Verizon APN.

1153442

Concurrent sessions drop significantly when low-end FortiGate models have low free memory.

1153983

Registration status remains unknown when re-adding the FortiManager IP after it was lost.

1154158

DHCP issue occurs when configuring hardware switch interface in A-P HA mode.

1155410

High memory consumption occurs when Node.js encounters catastrophic failures and creates excessive logs.

1156561

NP7lite platforms might encounter high softirq issue and stop processing traffic after running for one month.

1156785

Device recognition issues occur when device-detection is enabled for some Apple devices.

1157490

Temperature is out of range with unreasonably high value.

1158975

FortiGate does not establish VNE tunnel caused by a failure to commit DNS servers to the CMDB after receiving a DHCPv6 information request.

1159425

Unused power supply log appears in diagnose alertconsole list when a redundant power supply is not used

1160215

An error condition occurs in snmpd on FortiGate-VM64-AZURE approximately every 1.5 hours.

1162489

The SFP WAN1 and WAN2 ports on the FGT-80F device remain down after a reboot when the speed is set to 100M.

1163292

VDOM expansion issues occur when upgrading license on FortiGate-201G.

1163814

Memory usage issues occur when newcli processes are not deleted after their parent sshd process died.

1164174

Configuration loss on FGT-60F when FortiGate enters extreme conserve mode.

1164761

SFP+ direct attach cables are shown as "compliance is unspecified" by the "get system interface transceiver" command.

1165059

Unexpected behavior in system occurs when executing factory reset on FortiGate-70F.

1165172

CPU usage issues caused by receipt of packets longer than 65535 octets.

1166455

TCP packet drop occurs when sending traffic over VLAN+redundant port.

1167234

Unexpected behavior occurs when loading build B3553 on FortiGate-101F.

1167426

High CPU usage occurs in the linkmtd daemon when large traffic is present.

1168786

100G ports turn up after reboot when administratively down on platforms with Marvell switch, such as FortiGate 480xF.

1168792

Network detection issues occur when the LED is on during diagnose hardware tests.

1170291

WWAN interface fails to get IP address when 'auto-connect' feature is enabled.

1170464

Memory usage issues caused by low memory availability on FortiGate-51G.

1172295

FortiGate does not autoupdate router objects in full such as key-chain, route-map, and prefix list, causing FMG to purge the config during installation.

1175384

"Partition ImageEXT4-fs (sda2): couldn't mount as ext3 due to feature incompatibilities" when running "diagnose sys flash list"

1177037

System events are not generated when FortiGate acts as a DHCP client.

1178017

10G Copper interface fails to come up when directly connected after a fresh setup.

1178199

SNMPD access issues occur when increasing VM memory.

1178583

DHCP relay strips DHCP END Option (255) when relaying DHCP packets.

1185286

An error condition in Newcli occurs when executing the get system fortiguard-service status command.

1187981

DDOS policy not properly installed in kernel on FortiGate 120G and 121G.

1190222

Incompatibility occurs when using 8G eMMC on 3XG/5XG/7XG/9XG models.

1190245

Memory usage issues caused by renaming VPN IPsec phase1-interface during config change.

1193889

Certificate error occurs when connecting to FAZ via SSH.

Upgrade

Bug ID

Description

1130034

Obsolete system.autoupdate.tunneling is removed when configuring system fortiguard.

1130655

License validation issues occur when system.autoupdate.tunneling is not migrated to system.fortiguard after upgrading.

1158947

Manual patch upgrade not allowed when system has invalid upgrade license.

1160916

Password history settings are lost during upgrade from 2731 to 2794.

1171564

System halt occurs when upgrading from v7.4.8 GA b2795 to v7.6.4 b3563.

1172979

Upgrade failure occurs when upgrading from v7.6.4 to v8.0.0 due to CMDB request issue.

User & Authentication

Bug ID

Description

1112301

CPU usage issues observed during certificate authentication with multiple DNS replies.

1118212

Captive portal authentication fails after FortiToken push notification approval during RADIUS authentication with FAC for remote groups.

1122979

Custom NAS-ID not sent to RADIUS server when testing connectivity via GUI.

1124183

Guest user sessions persist in the FortiGate authentication list despite manual expiry, enabling continued network access.

1134368

LDAP server becomes unreachable when 'set mfa-mode subject-identity' is configured under the user peer settings, or ha-direct is enabled with source-ip.

1137727

Delays in SSH login verification occur on some FortiGate models when hashing passwords, and immediate failure messages are returned for invalid usernames.

1146635

Fnbamd issue during certificate authentication when multiple DNS replies contain both IPv4 and IPv6 parts.

1147049

Device hostname is not displayed when device identification is enabled and mDNS includes the device UUID.

1156903

CLI authentication test fails when RADIUS server has require-message-authenticator setting disabled.

1160080

User deletion occurs when upgrading with invalid password-history characters.

1163152

RADIUS stops working on secondary unit when HA secondary connects to a RADIUS server using UDP.

1193697

Emails with FortiToken codes are not sent due to an SSL error when using SMTPS port 465.

VM

Bug ID

Description

1125437

The "set distance" option under interface configured as DHCP client doesn't work on VM.

1146370

AWS bootstrap is unable to parse IAM role profile properly due to the length.

1146634

IfLinkUpDown SNMP trap is not triggered on FGT_VM64_KVM using the virtio driver when an interface is brought up or down.

1157674

Incorrect system time occurs when FortiGate-VM64-GCP boots up on GCP.

1161380

License becomes invalid when system time is incorrect on FortiGate VM64-GCP devices.

1172050

Packet-rate information is missing for some interfaces when running the diagnose netlink interface packet-rate command on FortiGate-ARM64-AWS.

WAN Optimization

Bug ID

Description

1160444

Global config wanopt content-delivery-network-rule is deleted when restoring VDOM config.

Web Filter

Bug ID

Description

1145481

URL filter exemption fails when adding regex entries to URL filter if a newly added regex entry contains an invalid Perl-style regex.

1150232

Threat feed URLs are not blocked since Sandbox block list file version check always fails and aborts loading other types of URL lists, including external-resource category URL list.

1156789

Web filter settings category name, block screen category name, and log category name are translated into Japanese differently when using web filter profile on FortiGate.

1177015

Webfilter logs are not generated when https-replacement-message is disabled in proxy-policy with DPI.

WiFi Controller

Bug ID

Description

1001211

Add optional antenna support for K-series models 443K and 243K.

1018895

Clients on local-bridging SSIDs appear offline despite having active traffic when acd-process-count is 2, caused by the AP failing to report client IPs to the controller.

1063976

Empty SN values occur in AP DTLS session timeout messages.

1126824

When WiFi client enables VPN endpoint, VPN traffic cannot pass through NP6Xlite FGT models.

1131094

The iPhone 16 fails to connect to a WPA3-SAE SSID on FWF-61F due to incorrect ordering of RSN and RSNXE parameters during the authentication handshake.

1145326

In non-root VDOM, device fails to authenticate when MPSK is used with an external RADIUS server.

1147416

Connection fails for Samsung S22 devices when using WPA3-SAE from local-radio on certain FortiGate models.

1151713

FortiAPs may go offline when the memory pool of the WiFi daemon cw_acd is fully occupied and not released properly. The cw_acd debug output constantly shows ERR: NO MEM for USER_LOCAL_MSG.

1161023

Groups of Wi-Fi clients are lost after roaming to a different AP, causing unintended behavior in network policies.

1174782

The client fails to authenticate and gets disconnected from the access point when initiating Fast BSS transition (FT) roaming with MAC authentication enabled.

1177859

When FWF local radio is in non-root vdom, wifi users encounter connectivity issues.

ZTNA

Bug ID

Description

1089157

An error condition in WAD occurs when adding a ztna-ems-tag to a proxy policy with an active ZTNA session.

1102925

Memory usage issues caused by accessing multiple websites through WAD.

1118878

Traffic bottleneck occurs when syncing 120K FCT endpoints from EMS to FortiGate.

1134649

WAD cannot re-verify new ems-tag after an ems-tag update for HTTPS access proxy, causing existing sessions to remain active despite matching a deny policy.

1135441

CLI error occurs when configuring SAML server in api-gateway with access-proxy6 and vip6 configured.

1139201

Internal resources are inaccessible via IP or FQDN when using agentless ZTNA Access proxy-portal with apptype web on FortiGate.

1159018

ZTNA agentless not working on FG-90G devices.

1172396

The Certificate Information field in the replacement message shows incorrect information when ZTNA access proxy is configured to accept empty cert.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Bug ID

CVE references

1112620

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-25255

1126271

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-25249

1132094

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-31514

1172008

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-58413

1173156

FortiOS 7.6.4 is no longer vulnerable to the following CVE:

  • CVE-2025-25249

1174215

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-53843

1177284

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-53844

1179021

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-54821

1184468

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-59718

1188853

FortiOS 7.6.4 is no longer vulnerable to the following CVE Reference:

  • CVE-2025-58903