In NGFW policy mode, sessions are not re-validated when security policies are changed.

Workaround: clear the session after policy change.

FortiGate cannot get detailed information on FortiClient vulnerabilities from FortiAnalyzer.

Some FortiView graphs and drilldown views show empty data due to filtering issue. Affected graphs/views: Top System Events, Top Authentication Failures, Policy View, and Compromised Host View.

Some FortiView pages/widgets fail to query data from FortiAnalyzer Cloud if the local FortiAnalyzer is not enabled.

Affected pages/widgets: Compromised Hosts, FortiView Cloud Applications, FortiView VPN, FortiView Web Categories, Top Admin Logins, Top Endpoint Vulnerabilities, Top Failed Authentication, Top System Events, Top Threats, Top Threats - WAN, and Top Vulnerable Endpoint Devices.

Warning message is not displayed when a user configures an interface with a static IP address that is already in use.

Managed FortiSwitch and FortiSwitch Ports pages are slow to load when there are many managed FortiSwitches. This performance issue needs a fix on both FortiOS and FortiSwitch. A fix was provided in FortiOS 7.0.1 GA and FortiSwitch 7.0.1 GA.

When performed from the primary FortiGate, using the GUI to change a firewall policy action from accept to deny does not disable the IP pool setting, causing the HA cluster to be out of sync. Updating the policy via the CLI does not have this issue.

On the System > HA page, GUI tooltip for the reserved management interface incorrectly shows the connecting IP address instead of the configured IP address.

GUI incorrectly displays the warning, Botnet package update unavailable, AntiVirus subscription not found., when the antivirus entitlement is expiring within 30 days. The actual botnet package update still works within the active entitlement duration.

There is no way to add a line break when using the GUI to edit the replacement message for pre_admin-disclaimer-text. One must use the CLI with the Shift + Enter keys to insert a line break.

When multiple favorite menus are configured, the new features video pops up after each GUI login, even though user previously selected Don't show again.

When editing the Poll Active Directory Server page, the configured LDAP server saved in FSSO polling is not displayed. Users must use the CLI to modify the setting.

FortiGuard DDNS setting incorrectly displays truncated unique location and empty server selection after saving changes.

After performing a search on firewall Addresses, the matched count over total count displayed for each address type shows an incorrect total count number. The search functionality still works correctly.

When editing phase 2 configurations, clicking Complete Section results in a red highlight around the phase 2 configuration GUI box, and users cannot click OK to save configuration changes.

Script pushed from FortiManager 6.4.2 to FortiOS 6.4.2 to add address objects and an address group only pushes the address group.

The list of firewall schedules displays time based on the browser time, even though the global time preference is set to use the FortiGate system time. The Edit Schedule page does not have this issue.

On SSL-VPN Settings page, the option to send an SSL VPN configuration to a user for FortiClient provisioning does not support showing a domain name for the VPN gateway.

On Firewall Policy list, the tooltip for IP Pool incorrectly shows Port Block Allocation as being exhausted if there are expiring PBAs available to be reallocated.

GUI interface bandwidth widget does not show correct data for tunnel interface when ASIC offload is enabled on the firewall policy.

Firewall Address and Service pages cannot load on downstream FortiGate if Fabric Synchronization is enabled but the downstream FortiGate cannot reach the root FortiGate.

The Edit Web Filter Profile page incorrectly shows that a URL filter is configured (even though it is not) if the URL filter entry has the same name as the web filter profile in the CLI.

On some browser versions, the GUI displays a blank dialog when creating custom application or IPS signatures. Affected browsers: Firefox 85.0, Microsoft Edge 88.0, and Chrome 88.0.

When an administrator ends a session by closing the browser, the administrator timeout event is not logged until the next time the administrator logs in.

Incorrect direction and banned location by quarantine action for ICMP.Oversized.Packet signature in NGFW policy mode.

OCVPN spoke-to-spoke communication intermittently fails with mixed topology where some spokes have two ISPs and some have one, but the hubs have two.

Unable to route traffic to a spoke VPN site from the hub FortiGate when the dialup IPsec VPN interface is dual stacked (IPv4/IPv6).

Traffic logs not forwarded correctly to syslog server in CEF format.

Cyrillic characters not displayed properly in local reports.

FortiGate does not have log disk auto scan failure status log.

When searching for some rarely-found logs within a large volume of logs, there is a long period of time before the results are returned. During the waiting period, if any new requests arrive, the old search session cannot be cleared. There is then a risk that multiple processes exist together, which may cause performance issues.

StartTLS-SMTP traffic gets blocked by the firewall when certificate inspection (proxy mode) and the IPS sensor are enabled in a policy.

No WAD sessions displayed when running diagnose wad filter.

Memory leak when retrieving the thumbnailPhoto information from the LDAP server.

bgpd memory leak if running BGP on 6.2.7 and 6.4.4.

Workaround: enable SD-WAN to avoid BGP memory leaking.

In 6.4:

config system sdwan
    set status enable
end

In 6.2:

config system virtual-wan-link
    set status enable
end

Interface emac-vlan feature does not work on SoC4 platform.

Link status on peer device is not down when the admin port is down on the FG-500E.

The diagnose geoip geoip-query command fails when fortiguard-anycast is disabled.

FG-101F crashed and rebooted when adding vlan-protocol 8021ad VLAN.

Interface belonging to other VDOMs should be removed from interface list when configuring a GENEVE interface.

UDP 4500 inter-VDOM traffic not offloaded, causing BFD/IPsec to drop.

When provisioning FortiGate and FortiSwitch with enforced 6.4.2 firmware in FortiManager, the physical port for FortiLink is down and cannot connect to the FortiSwitch.

FortiGate did not restart after restoring the backup configuration via FortiManager after the following process: disable NPU offloading, change NGFW mode from profile-based to policy-based, retrieve configuration from FortiGate via FortiManager, and install the policy package via FortiManager.

Azure SDN connector replicates configuration from primary device to secondary device during configuration restore.

FG-VMX manager not showing all the nodes deployed.

Autoscale GCP health check is not successful (port 8443 HTTPS).

During every FortiGuard UTM update, there is high CPU usage because only one vCPU is available.

Dialup IPsec tunnel from Azure may not be re-established after HA failover.

The security-redirect-url setting is missing when the portal-type is auth-mac.