
Known Issues


The following issues have been identified in 7.0.3. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

AP Manager

Bug ID

Description

708100

AP Manager cannot show Channels when 160 MHz channel width is set.

749820

AP Manager > SSID > Advanced Options may not list objects under the settings "address-group".

770234

5GHz DFS channels on AP Profile were not supported for FAP U231F.

772213

FortiManager may try to delete default wtp 11ac-only profile on FortiWiFi-60F causing install to fail.

781561

User may not be able to access AP Manager with custom read only admin profile.

785471

FortiManager was deleting wireless-controller wtp and the objects referenced by wtp during the first installation after the upgrade.

Device Manager

Bug ID

Description

545239

After adding a FortiAnalyzer fabric ADOM to FortiManager, Device Manager's Log Status, Log Rate, or Device Storage column cannot get data from FortiAnalyzer.

587404

FortiManager sets incorrect captive-portal-port value when installing v6.0 PolicyPackage to v6.2 devices.

651560

SD-WAN monitor may get stuck loading when the admin user belongs to a device group.

677836

The Client Address Range setting should allow users to configure assign-IPs from firewall address or group.

704106

Certificate Enrollment fails using SCEP on Microsoft server with sub-ca certificate chains.

705212

When editing device in HA cluster, admin password change is not applied to secondary unit.

725334

Importing policy package shows ngfw-mode policy-based with the inspection-mode set to proxy.

729413

FortiManager is missing peer options with dial up user configuration with VPN IPSec Phase 1.

743102

Device & Groups > VPN Phase1/Phase2 does not show the proposal column when using FGT-VM type "FGVMIB".

748578

Retrieve FortiGate configuration may fail due to FSSO connector.

751427

Provisioning Template with empty name cannot be deleted or edited.

752443

Vertical scroll bar is missing in SD-WAN configuration.

759255

User may not be able to click on the check box to import configuration with 6.2 ADOM.

759708

The provisioning template's status on Summary Dashboard always displays "Modified".

763907

Certificates CN information may be invalid when FortiGate is registered by Zero-Touch-Provisioning.

764369

FortiManager tries to install Security Fabric trusted list to all downstream FGs when a new one is added.

764841

FortiManager is unable to use secondary IP as source IP in DNS database.

765762

FortiManager is unable to install the Switch controller > VLAN interface configuration during the ZTP process.

767185

Unable to create route map rule using 'match-interface' when using the BGP Templates under the Provisioning Templates.

770567

When a device uses IPsec Tunnel Provisioning template with enable value for aggregate member, FortiManager may create a new system interface with the same name which is not expected behavior.

770600

Comma between IP address and subnet causes saving problem on Prefix List Rule under BGP Templates.

773336

FortiToken provision button is greyed out in Device Manager while it is enabled on FortiGate with the same token.

776605

Editing a provisioning CLI template without any modification may cause the device status to change to Modified.

779836

FortiManager cannot install TCP-connect using Random port for SD-WAN.

779900

Administrative user GUI-dashboard information should be deleted upon VDOM deletion.

780833

FortiManager cannot use space to set location under SNMP configuration.

783517

Input-Device under CLI Configuration > System > SD-WAN > Service displays loading forever.

791117

Unable to create simultaneous static routes with named address objects.

791274

When optional meta fields are being used, users cannot edit the devices.

793941

Unable to install VPN psk with special characters through CLI template.

794368

Removing the objects from Device Level DB did not delete the objects' reference from ADOM Level DB.

795913

Error Probe Failure has been observed when adding FortiAnalyzer to FortiManager.

799259

Duplicate CSF groups for 7.0 FortiGates (7.0.2+) due to syntax returning upstream-ip instead of upstream.

Global ADOM

Bug ID Description

691562

Threat feeds global objects are not installed to destination ADOM when using the assign all object option.

740942

"srcintf" selector in Traffic Shaping Header or Footer Policy may not work in Global ADOM.

743734

Cannot remove objects from Global Database.

752328

Global database may be locked when viewing Workflow Session Diff.

795327

When adding an ADOM to Global Database, the message "Double global assignment exists" keeps showing up.

Others

Bug ID

Description

703585

FortiManager may return 'Connection aborted' error with JSON API request.

707911

FortiManager should be able to assign VLAN interface to FortiExtender.

729175

FortiManager should highlight device consisting of specific IP address under Fabric View.

747716

JSON API does not return gateway for IPSec route.

774872

FortiManager should support more than 88 characters for password when backing up all settings.

775574

There is a Criteria Latency field which is different between FGT & FMG when creating the manual interface option for SDWAN rules.

776342

System NPU values may be different between FortiManager and FortiGate-1801F.

776413

FortiManager Lock/commit operation is very slow when FortiManager HA is enabled.

781642

FortiManager displays "failed to copy BRANCH_BGP_Recommended" error when performing the "check adom-integrity" test.

781831

FortiManager should be able to retrieve EMS tags using the hostname of the FortiClient EMS Server if it is able to resolve the hostname.

783226

Fabric View may keep loading.

786281

During the installation, FortiManager displays Policy Consistency Check failure without any clear reason.

792887

Verification fails for the default dnsfilter profile because "set category 0" is wrongly installed.

Policy & Objects

Bug ID

Description

701750

The App Control set to Monitor in FortiManager causes the App to disappear from FortiGate.

713692

Web Filter Profile install may fail when using pre-defined URL filter.

725427

Policy package install skips the policy where destination interface is set as SD-WAN zone and policy is IPSEC policy.

731037

There may be File Filter file type mismatch between FortiGate and FortiManager.

751767

Export to Excel does not work when filters are applied for a policy package.

758494

Searching members inside an address group does not work.

758680

Unable to complete the Cisco pxGrid fabric connector's configuration on FortiManager.

767255

FortiManager fails to install the custom signature because it is too long.

770210

Where Used may not report used objects properly.

770256

FortiManager displays error when using "push to install" for objects utilized by policy blocks.

771165

Removing the objects from Device Level DB did not delete the object's reference from ADOM Level DB.

771941

FortiManager is unable to import or create virtual server with real servers using the same IP but different "http-host".

773249

FortiManager may not display the correct number of firewall address objects while adding the objects to DoS policy.

773333

For User, the configurations for two-factor-authentication and two-factor-notification should not lead to installation failure.

773403

FortiManager may now differentiate between the ISDB objects "Predefined Internet Services" and "IP Reputation Database".

774058

Rule list order may not be saved under File Filter Profile.

774111

FortiManager does not support Dynamic firewall address with sub-type Switch Controller NAC Policy TAG.

774435

Right-click menu to add object may return an error: "cgn-resource-quote:out of range".

775128

Unable to create more than 20 SAML users in policy package object.

776361

Policy lookup may not work if the managed devices are in Transparent mode.

777017

FortiManager purges the "arrp-profile" when installing the v6.2 policy packages to v6.4 FortiGates.

777554

There may be slowness when using Find Duplicate Objects with Merge tools.

777879

Copy fail error due to external-resource used in webfilter profile.

778111

Removing the objects from Device Level DB did not delete the object's reference from ADOM Level DB.

779853

When creating a Central DNAT policy in FortiManager, more services may not be added to policy with error: can't assign to property "from" on NaN: not an object.

779947

Address group changes for per-device mapping do not apply to FortiGate when the address group is used in a policy route.

779965

Users may not be able to export firewall Header and Footer policies to Excel.

781118

ADOM version 6.4 policy package failed to enable policy NAT from GUI.

782435

Moving a policy by dragging may not work properly.

783899

There may not be empty lines in "IPS Signature and Filters".

785341

Consolidated policy NAT is always disabled on the GUI.

786684

Installation fails because the virtual-wan-link did not exist.

786740

FortiManager displays Install failure due to adding "g-" prefix to the external-resource objects.

789957

Created time doesn't indicate AM or PM on the Tools > Find Unused Policies.

792980

Installation fails when trying to install SAML user configuration.

793240

FortiManager fails to retrieve FortiGate's configuration when external-resource objects include a "g-" prefix.

There are two workarounds; use the approach that works best for your environment. If it is possible, create a new backup of your FMG and FGT(s) before making any changes:

First workaround approach:

  1. Re-create all threat feeds locally in VDOM configuration and update policies and security profiles that reference them to the local threat feed vs. the global feed.

  2. Delete the global threat feed objects.

Second workaround approach:

  1. Perform policy reinstallation. FMG adds original threat feed objects within the VDOM configuration without the 'g' prefix.

  2. FMG reports 'install OK/verify FAIL' at the end of the policy installation.

  3. Run scripts to delete the global threat feed objects (objects with the 'g' prefix) from the FGT.

  4. Retrieve the FGT configuration from FMG.

  5. Perform another policy installation to update the configuration synchronization status between the FGT and FMG. No commands are pushed during this stage according to the install wizard.

797091

"Synchronize Firewall Addresses" under the FortiClient EMS Connector does not automatically create and synchronize addresses for all EMS tags.

801876

Installation failed due to "Copy global shared objects" failure.

805783

After the 6.0 ADOM upgrade, installing the same v6.0 policy package got "unset webfilter-profile" in wanopt proxy policy.

Revision History

Bug ID Description

496870

Fabric SDN connector is installed on FortiGate, even if it is not in use.

729148

Install fails when new transparent mode VDOM is added directly via FortiGate CLI and imported into FortiManager.

774115

After upgrade, install may fail for FSSO password when private-data-encryption is enabled.

775577

AutoUpdate may purge firewall shaping-profile.

Script

Bug ID

Description

766019

Failed to run the Post-Run CLI Template due to the "datasrc invalid" error.

767577

Installing a script to device database fails if switch-interface member contains VXLAN interface.

780604

When creating a new phase1 interface, dpd=on-idle settings may not be saved.

787113

TCL scripts fail to run if the admin's password is longer than 36 characters.

793407

Installation fails if one of the BGP network prefix entries is a supernet.

Services

Bug ID Description

798979

FortiManager cannot download the latest IPS DB.

System Settings

Bug ID Description

728972

"fmDeviceEntSupportState" OID returns incorrect value for some devices.

752916

FortiManager should be able to set desired permissions for Extender Manager in administrator profile settings.

753690

SNMPv3 security option configuration has discrepancy between GUI and CLI.

762663

FortiManager should have the CA Identifier as configurable for SCEP server request.

768636

Password cannot be longer than 63 characters for configuration auto backup.

768682

Setting a Cluster ID for a model HA cluster results in an invalid group ID under config system HA.

775091

Two factor authentication fails when special characters are used in CN.

777726

FortiManager may not generate event logs for meta field changes.

778405

Script Groups should be copied with their members when cloning an ADOM.

782345

FortiManager may not be able to upgrade ADOM from 6.2 to 6.4: err=-2,Policy ippool (ippool6) name cannot be empty.

783066

Having the number of registered FortiGate devices at the upper limit of the license count may cause HA to become asynchronized.

787588

Webfiltering HTTPS 8888 is not working after FMG is upgraded from 6.4.7 to 7.0.4.

790409

idle_timeout under admin's setting is not converted properly after performing the upgrade.

VPN Manager

Bug ID Description

615890

IPSec VPN Authusergrp option "Inherit from Policy" is missing when setting xauthtype as auto server.

699759

When installing a policy package, per device mapped objects used in SSL VPN cannot be installed.

773710

When editing existing SSL VPN settings, the Banned-cipher and ciphersuite may keep changing.

774040

Keyboard-layout configuration in VPN SSL web portal predefined RDP bookmark generates incorrect commands.

779498

VPN monitor may not display correct information when FortiManager is in advanced ADOM mode.

780154

Policy package should be pushed to VPN hubs without error, "interface IP is 0".
