Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiOS Release Notes

    Home FortiGate / FortiOS 6.4.11 FortiOS Release Notes
    6.4.11
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.14
    5.6.13
    5.6.12
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.13
    5.4.12
    5.4.11
    5.4.10
    5.4.9
    5.4.8
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.15
    5.2.14
    5.2.13
    5.2.12
    5.2.11
    5.2.10
    5.2.9
    5.2.8
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.14
    5.0.13
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2

    Known issues

    Known issues

    The following issues have been identified in version 6.4.11. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

    Firewall

    Bug ID

    Description

    719311

    On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

    Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

    770541

    Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers.

    Workaround: set the DNS server to the FortiGuard DNS server.

    843554

    If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

    This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

    Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

    config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

    FortiView

    Bug ID

    Description

    683654

    FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

    GUI

    Bug ID

    Description

    440197

    On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

    602397

    Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

    653952

    The web page cannot be found is displayed when a dashboard ID no longer exists.

    Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

    688016

    GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

    695163

    When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

    Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

    743477

    On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

    HA

    Bug ID

    Description

    771999

    Sessions not synchronized to HA secondary on an FGSP and FGCP combined setup.

    779180

    FGSP does not synchronize the helper-pmap expectation session.

    838541

    HA is out-of-sync due to certificate local in FGSP standalone cluster.

    Hyperscale

    Bug ID

    Description

    734305

    In the GUI, an FQDN or ISDB can be selected for a DoS policy, which is not supported (an error message appears). The CLI shows the correct options.

    760560

    The timestamp on the hyperscale SPU of a deny policy (policy id 0) is incorrect.

    796368

    Traffic shaping profile does not seem to have an effect on TCP/UDP traffic in hyperscale.

    802369

    Large client IP range makes fixed allocation usage relatively limited.

    Intrusion Prevention

    Bug ID

    Description

    763736

    IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

    IPsec VPN

    Bug ID

    Description

    877161

    IPsec traffic failing from FortiGate with Failed to find IPsec Common error when dialup IPsec VPN tunnel has remote IP configured on the IPsec VPN interface.

    Log & Report

    Bug ID

    Description

    850642

    Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

    Proxy

    Bug ID

    Description

    604681

    WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

    Workaround: disable SoC SSL acceleration under the firewall SSL settings.

    799381

    WAD crash occurs when TLS 1.2 receives the client certificate and that server-facing SSL port has been closed due to the SSL bypass.

    REST API

    Bug ID

    Description

    759675

    Connection failed error occurs on FortiGate when an interface is created and updated using the API in quick succession.

    Routing

    Bug ID

    Description

    769100

    Policy routes order is changed after updating the source/destination of SD-WAN rules.

    Security Fabric

    Bug ID

    Description

    614691

    Slow GUI performance in large Fabric topology with over 50 downstream devices.

    SSL VPN

    Bug ID

    Description

    710657

    The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set.

    730416

    Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

    852566

    User peer feature for one group to match to multiple user peers in the authentication rules is broken.

    856316

    Browser displays an Error, Feature is not available message if a file larger than 1 MB is uploaded from FTP or SMB using a web bookmark, even though the file is uploaded successfully. There are no issues with downloading files.

    System

    Bug ID

    Description

    555616

    When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

    602141

    The extender daemon crashes on Low Encryption (LENC) FortiGates.

    648085

    Link status on peer device is not down when the admin port is down on the FG-500E.

    664856

    A VWP named .. can be created in the GUI, but it cannot be edited or deleted.

    666664

    Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

    669645

    VXLAN VNI interface cannot be used with a hardware switch.

    685674

    FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

    724085

    Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

    Workaround: set the auto-asic-offload option to disable in the firewall policy.

    751715

    Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

    847077

    Can't find xitem. Drop the response. error appears for DHCPOFFER packets in the DHCP relay debug.

    850430

    DHCP relay does not work properly with two DHCP relay servers configured.

    850683

    Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.

    850688

    FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.

    879769

    If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

    Upgrade

    Bug ID

    Description

    767808

    The asicdos option for enabling/disabling NP6XLite DoS offloading is missing after upgrading to 6.4.9. Affected platforms: NP6XLite.

    840921

    When upgrading from 6.0.15 to 6.4.11, an existing explicit flow-based web filter profile changes to proxy-based.

    User & Authentication

    Bug ID

    Description

    778521

    SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

    823884

    When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

    853793

    FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

    VM

    Bug ID

    Description

    596742

    Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

    617046

    FG-VMX manager not showing all the nodes deployed.

    639258

    Autoscale GCP health check is not successful (port 8443 HTTPS).

    668625

    During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

    764392

    Incorrect VMDK file size in the OVF file for hw13 and hw15.

    Workaround: manually correct the hw13 and hw15 OVF file's ovf:size value.

    WiFi Controller

    Bug ID

    Description

    662714

    The security-redirect-url setting is missing when the portal-type is auth-mac.
    Previous
    Next

    Known issues

    Known issues

    The following issues have been identified in version 6.4.11. To inquire about a particular bug or report a bug, please contact Customer Service & Support.

    Firewall

    Bug ID

    Description

    719311

    On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic.

    Workaround: rename the custom section to unique name between IPv4 and IPv6 policies.

    770541

    Within the Policy & Objects menu, the firewall, DoS, and traffic shaping policy pages take around five seconds to load when the FortiGate cannot reach the FortiGuard DNS servers.

    Workaround: set the DNS server to the FortiGuard DNS server.

    843554

    If the first firewall service object in the service list (based on the order in the command line table) has a protocol type of IP, the GUI may incorrectly modify its protocol number whenever a new firewall service of the same protocol type IP is created in the GUI.

    This silent misconfiguration can result in unexpected behavior of firewall policies that use the impacted service. For example, some 6K and 7K platforms have firewall service ALL (protocol type IP) as the first service, and this can cause the ALL service to be modified unexpectedly.

    Workaround: create a new service in the CLI, or move a non-IP type services to the top of the firewall service list. For example, if ALL is the first firewall service in the list:

    config firewall service custom
    edit "unused"
        set tcp-portrange 1
    next
    move "unused" before "ALL"
end

    FortiView

    Bug ID

    Description

    683654

    FortiView pages with FortiAnalyzer source incorrectly display a Failed to retrieve data error on all VDOM views when there is a newly created VDOM that is not yet registered to FortiAnalyzer. The error should only show on the new VDOM view.

    GUI

    Bug ID

    Description

    440197

    On the System > FortiGuard page, the override FortiGuard server for AntiVirus & IPS Updates shows an Unknown status, even if the server is working correctly. This is a display issue only; the override feature is working properly.

    602397

    Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches.

    653952

    The web page cannot be found is displayed when a dashboard ID no longer exists.

    Workaround: load another page in the navigation pane. Once loaded, load the original dashboard page (that displayed the error) again.

    688016

    GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

    695163

    When there are a lot of historical logs from FortiAnalyzer, the FortiGate GUI Forward Traffic log page can take time to load if there is no specific filter for the time range.

    Workaround: provide a specific time range filter, or use the FortiAnalyzer GUI to view the logs.

    743477

    On the Log & Report > Forward Traffic page, filtering by the Source or Destination column with negation on the IP range does not work.

    HA

    Bug ID

    Description

    771999

    Sessions not synchronized to HA secondary on an FGSP and FGCP combined setup.

    779180

    FGSP does not synchronize the helper-pmap expectation session.

    838541

    HA is out-of-sync due to certificate local in FGSP standalone cluster.

    Hyperscale

    Bug ID

    Description

    734305

    In the GUI, an FQDN or ISDB can be selected for a DoS policy, which is not supported (an error message appears). The CLI shows the correct options.

    760560

    The timestamp on the hyperscale SPU of a deny policy (policy id 0) is incorrect.

    796368

    Traffic shaping profile does not seem to have an effect on TCP/UDP traffic in hyperscale.

    802369

    Large client IP range makes fixed allocation usage relatively limited.

    Intrusion Prevention

    Bug ID

    Description

    763736

    IPS custom signature logging shows (even after being disabled) after upgrading to FortiOS 6.4.7.

    IPsec VPN

    Bug ID

    Description

    877161

    IPsec traffic failing from FortiGate with Failed to find IPsec Common error when dialup IPsec VPN tunnel has remote IP configured on the IPsec VPN interface.

    Log & Report

    Bug ID

    Description

    850642

    Logs are not seen for traffic passing through the firewall caused by numerous simultaneous configuration changes.

    Proxy

    Bug ID

    Description

    604681

    WAD process with SoC SSL acceleration enabled consumes more memory usage over time, which may lead to conserve mode.

    Workaround: disable SoC SSL acceleration under the firewall SSL settings.

    799381

    WAD crash occurs when TLS 1.2 receives the client certificate and that server-facing SSL port has been closed due to the SSL bypass.

    REST API

    Bug ID

    Description

    759675

    Connection failed error occurs on FortiGate when an interface is created and updated using the API in quick succession.

    Routing

    Bug ID

    Description

    769100

    Policy routes order is changed after updating the source/destination of SD-WAN rules.

    Security Fabric

    Bug ID

    Description

    614691

    Slow GUI performance in large Fabric topology with over 50 downstream devices.

    SSL VPN

    Bug ID

    Description

    710657

    The dstaddr/dstaddr6 of an SSL VPN policy can be set to all when split tunnel mode is enabled and only the default portal is set.

    730416

    Forward traffic log does not generate logs for HTTP and HTTPS services with SSL VPN web mode.

    852566

    User peer feature for one group to match to multiple user peers in the authentication rules is broken.

    856316

    Browser displays an Error, Feature is not available message if a file larger than 1 MB is uploaded from FTP or SMB using a web bookmark, even though the file is uploaded successfully. There are no issues with downloading files.

    System

    Bug ID

    Description

    555616

    When NTurbo is enabled, it is unexpectedly provided with the wrong traffic direction information (from server or from client) to decide the destination for the data. This causes the traffic to be sent back to the port where it came from.

    602141

    The extender daemon crashes on Low Encryption (LENC) FortiGates.

    648085

    Link status on peer device is not down when the admin port is down on the FG-500E.

    664856

    A VWP named .. can be created in the GUI, but it cannot be edited or deleted.

    666664

    Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

    669645

    VXLAN VNI interface cannot be used with a hardware switch.

    685674

    FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

    724085

    Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled.

    Workaround: set the auto-asic-offload option to disable in the firewall policy.

    751715

    Random LTE modem disconnections due to certain carriers getting unstable due to WWAN modem USB speed under super-speed.

    847077

    Can't find xitem. Drop the response. error appears for DHCPOFFER packets in the DHCP relay debug.

    850430

    DHCP relay does not work properly with two DHCP relay servers configured.

    850683

    Console keeps displaying bcm_nl.nr_request_drop ... after the FortiGate reboots because of the cfg-save revert setting under config system global. Affected platforms: FG-10xF and FG-20xF.

    850688

    FG-20xF system halts if setting cfg-save to revert under config system global and after the cfg-revert-timeout occurs.

    879769

    If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway.

    Upgrade

    Bug ID

    Description

    767808

    The asicdos option for enabling/disabling NP6XLite DoS offloading is missing after upgrading to 6.4.9. Affected platforms: NP6XLite.

    840921

    When upgrading from 6.0.15 to 6.4.11, an existing explicit flow-based web filter profile changes to proxy-based.

    User & Authentication

    Bug ID

    Description

    778521

    SCEP fails to renew if the local certificate name length is between 31 and 35 characters.

    823884

    When a search is performed on a user (User & Authentication > User Definition page), the search results highlight all the groups the user belongs to.

    853793

    FG-81F 802.1X MAC authentication bypass (MAB) failed to authenticate Cisco AP.

    VM

    Bug ID

    Description

    596742

    Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

    617046

    FG-VMX manager not showing all the nodes deployed.

    639258

    Autoscale GCP health check is not successful (port 8443 HTTPS).

    668625

    During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

    764392

    Incorrect VMDK file size in the OVF file for hw13 and hw15.

    Workaround: manually correct the hw13 and hw15 OVF file's ovf:size value.

    WiFi Controller

    Bug ID

    Description

    662714

    The security-redirect-url setting is missing when the portal-type is auth-mac.
    Previous
    Next