Secondary device blades occasionally report critical log event Scanunit initiated a virus engine/definitions update. Affected models: FG-5K, 6K, and 7K series.

500 internal error for some PDFs with AV applied.

Device goes into conserve mode due to large files.

Domain filter entries whose action is set to allow should not be logged.

Web proxy does not work properly to redirect Chrome browser to websites when disclaimer is enabled in proxy policy.

IP pool address in proxy policy is not used sometimes when enabling a security profile.

The unknown and BIN file types catch too many random files, which leads to inconsistent results for web traffic.

Samsung OEM internet browser cannot connect to FortiGate VS/VIP.

Any changes to the security policy table causes the hit count to reset.

In NGFW mode, IPS engine drops RPC data channel when IPS profile is applied to a security policy.

Timeout value is not reflected correctly to a new session when changing timeout value for system session-ttl on FortiGate-HV.

Internet service entry not detected due to some IP ranges being duplicated.

Sessions are marked as dirty when a route change happens, but the route still exists.

Updates causing conserve mode.

Firewall policy dstaddr does not show virtual server available based on virtual WAN link member.

DCE RPC helper cannot parse fragmented EPM packet.

Policy with Tor-Exit.Node as source is not blocking traffic coming from Tor.

Query string parameters omitted (HTTP redirect, SSL offloading).

When the data source is FortiGate Cloud, there is no paging to load sessions; only entries 1-499 are rendered.

FortiView > All Sessions should be supported as a standalone dashboard widget in navigation bar.

Top Countries/Regions by Bytes widget keeps trying to load.

User cannot log in to GUI when password change is required and has pre-login or post-login banner enabled or FIPS mode.

The following behaviors regarding security profiles have changed:

• Remove the Feature Visibility > Multiple Security Profiles option.
• All security profiles will allow multiple profiles by default.
• All security profile pages will be a list of profiles.

BGP configuration gets applied on the wrong VDOM if user switches VDOM selection in between operations (slow GUI).

Log viewer Forward Traffic does not support multiple filters for one field.

Inconsistency/confusion regarding Hostname field in FortiOS web filter log.

Saved SMS phone number is missing + for country code.

Dotted line shown between FortiGate and second tier switch in Managed FortiSwitch topology.

LED indications for FortiSwitch ports do not auto-reflect the changes made on PoE.

GUI shows Invalid LDAP server error while LDAP query successfully finished.

When sorting the interface list by the Name column, the ports are not always in the correct order (port10 appears before port2).

New service group for explicit proxy could not be saved from GUI.

After upgrading to 6.4.x from 6.2.5 and earlier, users must clear the browser cache for the best user experience with the new firmware.

Interface status is not displayed on faceplate when viewed from System > HA page.

When logging in to the dashboard after a factory reset, the dashboard displays The web page cannot be found.

GUI takes two minutes to load VPN > IPsec Tunnels for 1483 tunnels.

Send Logs to FortiCloud and Cloud Logging options not available in GUI for FG-900D.

Configured overlapped subnet on GUI still shows error message after enabling subnet overlap.

One-time schedules are not displayed correctly in Safari browser.

Firewall address keeps loading addresses with read-write permission.

GUI CMDB API to support case sensitive/insensitive filtering.

RADIUS test fails from the GUI as it does not use the configured Authentication method, and authentication fails; test passes on the CLI.

In Firefox, SAML SSO admin cannot create additional SSO admins or normal admins via the GUI.

DHCP relay IP address not showing on Network > Interfaces page for VLAN interface.

Option for TLS in Fortinet FSSO connector does not change port to CA TLS port 8001.

CLI parser error: shaper-profile default class with 0% bandwidth guarantee only possible in GUI.

GUI should not add speed to virtual switch member port (FG-101F).

Default gateway address of DHCP server setting does not follow the interface address when Same as Interface IP is selected.

IPS Filter Details column is empty when All is used.

Interface bandwidth widgets for WAN, PPPoE and VDOM link interfaces are not loading.

FortiGuard page does not open with custom read-write permission in the account profile (403 forbidden error).

On POE devices, several sections of the GUI take over 15 seconds to fully load.

CLI panel allows read-only managed device to be configured by read-only admin.

Software switch members and their VLANs are not visible in the GUI interfaces list.

Security Rating reports should not run as a dependent of Topology reports on downstream FortiGates.

Add a warning when Capture Packets is enabled in policy dialog.

GUI not displaying PoE total power budget on FOS 6.2.3.

GUI is not displaying DHCP configuration if the interface name includes the \ character.

User group not visible in GUI when editing the user with a single right-click.

In FortiGate SAML authentication with Microsoft Entra ID (formerly Azure AD), service provider configuration is grayed-out.

Ctrl + V does not paste command in GUI CLI console and Ctrl + C does not copy selected output in CLI console.

Firewall address group object (including interface subnet) is invisible in Accessible Networks.

SSO admin cannot open CLI console.

IPS and application control actions cannot be modified to Quarantine.

IPsec aggregate is not shown in Dashboard > Network > IPsec widget.

GUI does not show user group information on firewall user widget.

No historical sessions can be displayed when FortiView widget opens from Show in FortiView.

The Edit pane for PAC File Content on the Explicit Proxy page cannot be opened.

On Explicit Web Proxy Policy page, unable to change Outgoing Source IP option from IP Pools to Proxy Default or Original Source IP. CLI does not have this issue.

On some platforms (FG-60E-61E/81E), the CLI console in the GUI may not function immediately after bootup.

LCP-1250RJ3SR-K transceiver shows a warning in the GUI even though it is certified.

hasync process consuming 80-95% CPU.

Simultaneous reboot of both nodes in HA when gtp-enhance-mode enabled or disabled.

When HA primary device is down, a time synchronization with NTP servers will be disabled after failback.

After the HA peer node has been replaced, need a way to reset the HA health status back to OK.

HA is failing over due to cmdbsvr crashes.

FG-100D HA active-passive mode not syncing.

SCTP sessions are not fully synchronized between primary and secondary devices in version 5.6.11 on FG-3240C.

HA secondary device is reporting multiple events (DDNS update failed).

private-data-encryption causes cluster to be periodically out of sync due to customer certificates.

Both primary and secondary consoles keep printing get_ha_sync_obj_sig_4dir: stat /etc/cert/ca/5c44d531.0 error 2.

SSL VPN related auth login user event logs do not require HA to be in sync.

Inconsistent data from FFDB caused several confsyncd crashes.

traceroute not working in asymmetric FGSP environment.

HA pingsvr is in up state in spite of lnkmtd showing it as being in die state.

IPS traffic log and PCAP archive do not match.

SSL offloading randomly does not work when UTM (AV/IPS) is enabled in firewall policy.

Unable to open TCP application via IPsec tunnel when np-accel-mode is enabled.

RDP NLA authentication blocked by FortiGate when enabling IPS profile in the security group (central NAT).

Remove the IPsec global lock.

When an offloaded IPsec SA uses NP6 reserved space, it gets stuck and packets on the tunnel start to drop.

FortiGate does not send framed IPv6 address in RADIUS accounting records.

OCVPN errors showing in logs when OCVPN is disabled.

IKE daemon signal 6 crash when phase1 add-gw-route is enabled.

IKE crashes at ike_hasync__xauth.

Static route for site-to site VPN remains active even when the tunnel is down.

IPS sensor log-attack-context output truncated.

IPS logs are recorded twice with TCP offloading on virtual server.

Log searches being conducted in a FortiGate for logs stored on a FortiAnalyzer are only sent as case-sensitive.

miglogd crashes when the FortiGate does a weekly log purge.

rlogd signal 11 crashes.

FortiOS gives wrong time stamp when querying FortiGate Cloud log view.

Incomplete log field returned from CEF formatted syslog message.

PBA logs show only 0 or 1 duration in logs; cannot answer data requests from law enforcement.

WAD memory corruption.

Multiple WAD crashes with signal 11.

FTP-TP reaches high memory usage and triggers conserve mode.

WAD crashes when all of these conditions are met: policy is doing deep inspection, SNI in client hello is in the exempt list, server certificate CNAME is not in the exempt list.

WAD signal 11 crash logs SSL/TLS errors and disconnects with the OCSP stapling.

WAD crash observed, wad_http_pattern_match_response + 0x0045, on FG-80E-POE during regression testing.

FortiGate blocks traffic in transparent proxy policy, even if the traffic matches the proxy address.

The WAD process is crashing multiple times.

Web proxy WAD crash under WAN Opt auto-active mode.

The IMAP proxy crashes with signal 7 (SIGBUS).

Log traffic to remote servers does not follow SD-WAN rules.

NTP and FSSO not following SD-WAN rules.

DHCP relay does not match the SD-WAN policy route.

FortiGuard GeoIP queries (TCP/443) and FortiSandbox Cloud traffic do not follow policy route/SD-WAN rule.

Health check SLA status log shows configured bandwidth value instead of used bandwidth value.

DRother firewall in OSPFv3 generates neighbor state is less than Exchange log for the LSA update from a DCother neighbor.

BGP hold time and keepalive timers are not updated on spokes after changing on the hub side.

FortiGuard web filter traffic also needs to follow SD-WAN service.

Inconsistency in source IP-based ECMP for IPv6.

Kernel does not remove duplicate routes generated by SD-WAN health checks when hostname IP changes.

When BGP's recursive next hop can be resolved by multiple routes, the recursive distance is not taken into account when installing the routes. Multiple ECMP paths can be installed with different recursive distances to the next hop.

Automation stitch traffic is sent via mgmt with ha-direct to AWS Lambda after upgrading from 6.0.9 to 6.2.3

SSH as automation action is not working as expected.

FG-60F unable to join Security Fabric, unknown CA.

SDN dynamic address import is too slow, and HA sync may miss endpoints in high scale and stress conditions.

CSF root FortiGate cannot listen to loopback interface.

FortiMail appears as Unknown fabric device when multi-vdom is enabled.

User sees a Failed to send request error when generating access token for FortiMail under multi-VDOM FortiGate.

On IE 11, SSL VPN web portal displays blank page titled {{::data.portal.heading}} after authentication.

TX packet drops on SSL root interface.

SSL VPN tunnel is unexpectedly down sometimes when certificate bundle is updated.

Get 305 error when browsing website through SSL VPN web mode bookmark and sslvpnd crashes.

SMB/CIFS traffic via SSL VPN web mode not using correct SNAT IP (IP pool).

Important GUI pages in 6.4.0 are not rendered well by SSL VPN portal.

CLI command get vpn ssl monitor displays users from other VDOM.

SSL VPN disconnected when importing or renaming CA certificates.

Add memory protection for web mode SSL VPN child process (guacd).

Website pop-up error using SSL VPN web mode.

Memory corrupt in some DNS callback cases causes SSL VPN crash.

Customer has to manually add domain in SMB share login through SSL VPN portal.

Log entry for tunnel stats shows wrong tunnel ID when using RDP bookmark.

The company website is not shown properly in SSL VPN web mode.

Bookmark does not load though SSL VPN web mode.

SAP portal link is not working in SSL VPN web mode.

SSL VPN denies login after receiving FortiToken Cloud token and entering token.

SSL VPN web mode unable to load custom web application JavaScript parts.

Traffic cannot pass when SAML user logs in to SSL VPN portal with group match.

SSL VPN web mode gets redirected out of SSL VPN proxy.

Unable to load the SSL VPN bookmark internal website https://fi***.

Internal web application is not opened after the login.

Internal aixws7test2 portal is not loading in SSL VPN web mode.

After SSL VPN proxy, some JS files of hapi website could not work.

SAML login button is lost on SSL VPN portal.

Slides in website https://re***.nz are displayed in SSL VPN web mode.

ERR_EMPTY_RESPONSE while accessing internal portal's webpages in SSL VPN web mode.

Internal site http://va***.com not completely loading through SSL VPN web mode bookmark.

Website (https://uj***) is not accessible in SSL VPN web mode.

Some internal servers do not provide any content type or content length in response header; sslvpnd treats it as HTML file to handle and has problem to finish it.

Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops.

Cannot load local 1C application through web mode.

Cannot access internal website pl***.fr using SSL VPN web mode.

For guacd daemon generated for RDP session, it would sometimes be in an unknown state with 100% CPU and could not be released.

SSL VPN daemon crash due to limit-user-login.

Internal server error 500 while accessing contolavdip portal in SSL VPN web mode.

Map could not be displayed correctly in SSL VPN web mode.

SSL VPN not assigning IP from local IP pool when framed IP address is received with value 0xFFFFFFFE.

Map could not be displayed correctly in SSL VPN web mode.

The sa***.org website is not shown properly in SSL VPN web mode.

SharePoint portal URL links for Office documents are not redirected over SSL VPN web mode in Firefox.

AM*** website is not shown properly using SSL VPN web mode.

With SSL VPN proxy JIRA web application, get one wrong URL without proxy path.

Website (pr***.com) not loading properly in SSL VPN web mode.

After the upgrade to 6.0.10/6.2.4/6.4.0, SSL VPN portal mapping/remote authentication is matching user into the incorrect group.

The customer's website (https://vpn.***.org) is not shown properly using SSL VPN web mode.

Internal website hosted in bookmark https://in***.cat is not loading completely in SSL VPN web mode.

Three of the internal applications/portal bookmarks do not load/partially work with SSL VPN web mode.

Log in page loading with delays in web mode.

Apache Guacamole page is redirected to direct link in SSL VPN web mode.

The Run*** website is not displayed properly using SSL VPN web mode.

The IC*** internal website is not displayed properly using SSL VPN web mode.

Application is not working using SSL VPN web mode.

SSL VPN crashes when accessing a realm with an incorrect user, or when the correct user enters the wrong password.

Cannot authenticate to SSL VPN using 2FA if remote LDAP user and user within RADIUS group has same user name and password.

Sco*** internal portal webpage is not loading after logging in with web mode.

After SSL VPN web mode proxy, some JS files of sthlm04 SCA*** website have problems.

Update Telnet idle timeout setting and fix issue of Telnet not working.

SSL VPN web mode problem with https://de***.com.

DTLS tunnel performance improvements by allowing multiple packets to be read from the kernel driver, and redistributing the UDP packets to several worker processes in the kernel.

Some JS files of ji***.v** could not run in SSL VPN web mode.

Unable to use editor in Atlassian internal Confluence portal over SSL VPN web mode.

FortiSwitch port goes down and up too quickly when bounce-nac-port is enabled, and the device interface does not get the new DHCP IP.

FortiLink down with LACP mode set to active.

FortiOS get system interface cross-check command improvement.

DSL route not removed when interface is down.

CP9 VPN queue tasklet unable to handle kernel NULL pointer dereference at 0000000000000120 and device reboots.

The wan1, wan2, and dmz interfaces should not be configured as hardware switch members on the 60F series. The wan interface should not be configured as a hardware switch member on the 40F series.

SFP+ 1G speed should be supported on FG-1100E, FG-1800F, FG-2200E, and FG-3300E series.

NP-offloaded active TCP/UDP sessions established over IPsec VPN tunnels will timeout at session TTL expiry.

Potential memory leak triggered by FTP command in WAD.

Device has become unmanageable; receiving errno=Resource temporarily unavailable when trying to update objects.

FortiGate restarts FGFM tunnel every two minutes when FortiManager is defined as FQDN.

FG-600E stops sending out packets on its SPF and copper port on NP6.

When a LAG is created between 10 GE SFP+ slots and 25 GE SFP28/10 GE SFP+ slots, only about 50% of the sessions can be created. Affected models: FG-110xE, FG-220xE, and FG-330xE.

FortiOS is not sending out IPv6 router advertisements from the link-local addresses added on the fly.

ip6-extra-addr does not perform router advertisement after reboot in HA.

Incorrect IP/MAC address on ESXi hosts.

Traffic not showing statistics for VLAN interfaces based on hardware switch.

Fortinet_CA is missing in FG-3400E.

DHCP client cannot get IP address when NTP server option in DHCP server settings is set to Same as System NTP.

Fail to detect transceiver on all SFP28/QSFP ports. Affected platforms: FG-3300E and FG-3301E.

Request to blocked signature with SSL mirrored traffic capture causes FG-500E to reboot.

FG-101F should support the same WTP size (128) as the FG-100F.

HTTPSD signal 6 crash in cases of long application lists that are greater or equal to the maximum size of 16.

Cannot create hardware switch on FG-100F.

DHCP client sent invalid DHCP-REQUEST format during INIT state.

Issue when packets from same session are forwarded to each LACP member when NPx offload is enabled.

Auto-script output file size over 400 MB when configured output size is default 10 MB.

Virtual WAN link stops responding after 45 members.

Cannot delete VDOM due to ssl.vdom1 interface after changing mode from split-task VDOM to multi VDOM.

Frame size option in sniffer does not work.

DHCPv6 client's DUID generated on two different FortiGates match.

10G ports x1/x2 cannot be set as interfaces in firewall acl/acl6 policies.

Speed of 100G in get system interface cross-check shown incorrectly as 34464 for Fortinet-authorized FINISAR CORP FTLC9551REPM.

accprofile permission for config system link-monitor is not correct.

accprofile permission for execute ping is not correct.

factoryreset2 does not preserve all interfaces.

Unable to handle kernel NULL pointer dereference at 000000000000008f.

execute shutdown reboots instead of shutting down on SoC4 platforms.

SFP28 port group (ha1, ha2, port1 and port2) missing 1000full speed option. Affected platforms: FG-220xE, FG-330xE, FG-340xE, and FG-360xE.

In VDOM, config log syslogd xxx is not shown in show full-configuration.

Possible conflicts between software switch VLAN setting and its member interface VLAN setting.

FG-40F LAN interfaces are down after upgrading to 6.2.4 (build 5632).

FTLF8536P4BCV shows This transceiver is not certified by Fortinet, corrupt part number and serial number after HA cluster sync.

Interface forward-error-correction setting not honored after reboot.

Interface forward-error-correction setting not honored after reboot. Affected platforms: FG-1100E, FG-1101E, FG-2200E, FG-2201E, FG-3300E, FG-3301E, FG-3400E, and FG-3600E.

SNMP monitoring does not provide the SD-WAN member interface name.

After reboot, forward-error-correction value is not maintained as it should be.

VDOM with long name cannot be deleted.

FortiGate not responding to DHCP relay requests from clients behind a DHCP relay.

Sometimes when updating the FortiGate license, there is a certificate verification failure.

Sometimes FortiGate does not boot when restoring configuration using private data encryption.

In SSL VPN certificate authentication, add auth policies in base of LDAP group.

Device identification scanner crashes on receipt of SSDP search.

Two-factor authentication using FortiClient SSL VPN and FortiToken Cloud is not working due to push notification delay.

No response when using FTM-PUSH because unable to set source IP for FTM-PUSH.

Remote admin LDAP user login has authentication failure when the same LDAP user has local two-factor authentication.

Older FortiGate models do not have CA2 and will cause EMS server authentication to fail.

Peer users are matching every group instead of only groups based on the LDAP group membership.

In HA cluster, RADIUS accounting not working with use-management-vdom enable.

Inconsistent fnbamd LDAP group match result.

Certificate verification fails if any CA in a peer-provided certificate chain expires, but its cross-signed certificate is still valid in the system trust store.

ADVPN IKEv2 certificate authentication does not work with OCSP check when certificates do not contain OCSP path.

FG-VM64-KVM is unable to boot up properly when doing a hard reboot with the host.

Autoscale not syncing certificate among the cluster members.

Cross-zone HA breaks after upgrading to 6.4.0 because upgrade process does not add relevant items under vdom-exception.

Azure changes FPGA for Accelerated Networking live and VM loses SR-IOV interfaces.

By assigning port1 as the HA management port, the HA secondary unit node is now able to send system information to the Azure portal through waagent so that up-to-date information is displayed on the Azure dashboard.

If port1 is not used as the HA management port, the Azure display and Azure Security Center alerts will not reflect the correct state of the node, which may result in unnecessary alarms.

AWS VM stops processing traffic in some interfaces when running diagnose debug application ike -1.

Dynamic address objects are not resolved to all addresses using Azure SDN connector.

AWS FortiGate NIC gets swapped between port2 and port3 after FortiGate reboots.

In FG-VM64-HV, 802.1Q does not work on interfaces with DPDK enabled.

SSL VPN performance problem on OCI due to driver.

FortiGates in multi-Azure sync their SP addresses for SAML admin authentication.

Update urlfilteridx in traffic log to be webfilter.urlfilter.entry.id.

Clarify meaning of urlfilteridx=0 log field when proxy-based inspection is used.

Filtering Services Availability status is down on the GUI when HTTP/80 is used for web filtering rating service.

foauthd has signal 11 crashes when FortiGate does authentication for a web filter category.

Certain regex static URL entries stopped working in 6.2.3.

If the last line in a threat feed does not end with \n, it is not parsed and is not displayed in the GUI.

WiFi health monitor Client Count widget shows clients on the wrong band (on local standalone SSID).

FortiAP not coming online on FG-PPPoE interface.

Applications, Destinations, and Policies keep loading for WiFi Clients > Diagnostics and Tools drill-down.

FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference:

• CVE-2020-12812

FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference:

• CVE-2019-16151

FortiOS 6.4.2 running AV engine version 6.00145 or later is no longer vulnerable to the following CVE Reference:

• CVE-2020-9295

FortiOS 6.4.2 is no longer vulnerable to the following CVE Reference:

• CVE-2020-15937